PR #22341 opened by qwerzoid
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22341
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22341.patch

This update fixes a DTLS handshake failure that occurs when using GnuTLS for
media publishing over WebRTC WHIP. The existing GnuTLS implementation makes
use of the secp224r1 EC curve while generating the private key, which is
considered not strong enough. WebRTC implementations prefer the secp256r1 EC
curve as a minimum, and due to this the WebRTC DTLS handshake fails. This patch
upgrades the elliptic curve to secp256r1 when generating the private key.

Signed-off-by: Aditya Banavi <[email protected]>


From 95bc01c03b84f41ab6e8d7d4888cf743e02706d9 Mon Sep 17 00:00:00 2001
From: Aditya Banavi <[email protected]>
Date: Sun, 1 Mar 2026 17:25:02 +0000
Subject: [PATCH] avformat/tls_gnutls: fix DTLS handshake failure when
 publishing via WebRTC WHIP

This update fixes a DTLS handshake failure that occurs when using GnuTLS for
media publishing over WebRTC WHIP. The existing GnuTLS implementation makes
use of the secp224r1 EC curve while generating the private key, which is
considered not strong enough. WebRTC implementations prefer the secp256r1 EC
curve as a minimum, and due to this the WebRTC DTLS handshake fails. This patch
upgrades the elliptic curve to secp256r1 when generating the private key.

Signed-off-by: Aditya Banavi <[email protected]>
---
 libavformat/tls_gnutls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c
index 778ca9cf40..e294aef0c0 100644
--- a/libavformat/tls_gnutls.c
+++ b/libavformat/tls_gnutls.c
@@ -197,7 +197,7 @@ static int gnutls_gen_private_key(gnutls_x509_privkey_t 
*key)
     }
 
     ret = gnutls_x509_privkey_generate(*key, GNUTLS_PK_ECDSA,
-                                       
gnutls_sec_param_to_pk_bits(GNUTLS_PK_ECDSA, GNUTLS_SEC_PARAM_MEDIUM), 0);
+                                       
GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), 0);
     if (ret < 0) {
         av_log(NULL, AV_LOG_ERROR, "TLS: Failed to generate private key: 
%s\n", gnutls_strerror(ret));
         goto einval_end;
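Review bot: The new argument `GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1)` in the `gnutls_x509_privkey_generate()` call pins the curve with no explanation in the code. A short comment above the call saying that WebRTC peers expect at least secp256r1 (the reason given in the commit message) would keep a later cleanup from restoring the `gnutls_sec_param_to_pk_bits()` lookup. Because `gnutls_gen_private_key()` is a general helper by name, the commit message should also state whether every caller is meant to get the fixed curve instead of a size derived from a security parameter.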
-- 
2.52.0
