Using SSL_CTX_set_options to disallow specific versions is
discouraged by the documentation, which recommends to use
SSL_CTX_set_min_proto_version instead.
---
libavformat/tls_openssl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 72ee36e7af..e10ccf1cb8 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -901,7 +901,11 @@ static int tls_open(URLContext *h, const char *uri, int
flags, AVDictionary **op
ret = AVERROR(EIO);
goto fail;
}
- SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ if (!SSL_CTX_set_min_proto_version(p->ctx, TLS1_VERSION)) {
+ av_log(h, AV_LOG_ERROR, "Failed to set minimum TLS version to
TLSv1\n");
+ ret = AVERROR_EXTERNAL;
+ goto fail;
+ }
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
// Note, this doesn't check that the peer certificate actually matches
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
[email protected]
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
[email protected] with subject "unsubscribe".
