PR #22245 opened by Nariman-Sayed URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22245 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22245.patch
SHA-1 is deprecated and considered cryptographically weak. Replace EVP_sha1() with EVP_sha256() when signing self-generated certificates to comply with modern security standards. >From 301f029e8add7e7ada60fa6d1c586f9afaa5b7db Mon Sep 17 00:00:00 2001 From: Nariman-Sayed <[email protected]> Date: Sat, 21 Feb 2026 23:37:36 +0200 Subject: [PATCH] avformat/tls_openssl: use SHA-256 instead of SHA-1 for self-signed cert SHA-1 is deprecated and considered cryptographically weak. Replace EVP_sha1() with EVP_sha256() when signing self-generated certificates to comply with modern security standards. --- libavformat/tls_openssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 0ae0980cc3..db5fdde885 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -312,7 +312,7 @@ static int openssl_gen_certificate(EVP_PKEY *pkey, X509 **cert, char **fingerpri goto einval_end; } - if (!X509_sign(*cert, pkey, EVP_sha1())) { + if (!X509_sign(*cert, pkey, EVP_sha256())) { av_log(NULL, AV_LOG_ERROR, "TLS: Failed to sign certificate, %s\n", ERR_error_string(ERR_get_error(), NULL)); goto einval_end; } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
