From 218ed7250c103a975e874fb16e8e5941f4cbe223 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 30 Oct 2016 14:57:30 +0000 Subject: openssl: Allow newer TLS versions than TLSv1 The use of TLSv1_*_method() disallows newer protocol versions; instead use SSLv23_*_method() and then explicitly disable the deprecated protocol versions which should not be supported. --- libavformat/tls_openssl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'libavformat/tls_openssl.c') diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index aab885c8d3..0abccf00a9 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -221,12 +221,17 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) goto fail; - p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); + // We want to support all versions of TLS >= 1.0, but not the deprecated + // and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method() + // enables support for all versions of SSL and TLS, and we then disable + // support for the old protocols immediately after creating the context. + p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method()); if (!p->ctx) { av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); ret = AVERROR(EIO); goto fail; } + SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); if (c->ca_file) SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL); if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) { -- cgit v1.2.3