Enabling TLSv1.3 breaks mbedtls (manually or by upgrading to 3.6.0) #917
Comments
Some relevant logs:

Did you change the mbedtls version to 3.6.0 by chance?

You are right, I did upgrade to 3.6.0, and reverting to not using TLS 1.3 still gives the same error. I also upgraded from ffmpeg 6.1.1 to 7.0, I don't know if that's also related.

And did you test TLSv1.3 with mbedtls 3.5.2?

I just tested with 3.5.2 and it gives the same error with TLS 1.3 on and works with it off. I tested different ffmpeg versions as well, had no effect. I don't really know how to enable debug logging, just enabling "MBEDTLS_DEBUG_C" definitely didn't give me any logcat output... What do you think about openssl btw?

I tried compiling ffmpeg with openssl support and TLS 1.3 works as expected.

Compiling it in makes ffmpeg unredistributable (

It needs integration, try this:

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -26,6 +26,7 @@
#include <mbedtls/platform.h>
#include <mbedtls/ssl.h>
#include <mbedtls/x509_crt.h>
+#include <mbedtls/debug.h>
#include "avformat.h"
#include "internal.h"
@@ -109,6 +110,12 @@ static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret);
}
+static void mbedtls_debug(void *ctx, int lvl, const char *file, int line, const char *msg)
+{
+ URLContext *h = (URLContext*) ctx;
+ av_log(h, AV_LOG_ERROR, "%s%d: %s", file, line, msg);
+}
+
static void handle_pk_parse_error(URLContext *h, int ret)
{
switch (ret) {
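Review bot: the format string `"%s%d: %s"` in mbedtls_debug runs the file name and line number together with no separator (the output reads like `ssl_tls.c1234: ...`); use `"%s:%d: %s"` so the location is readable. The `lvl` argument is ignored and every message is emitted at AV_LOG_ERROR, which is acceptable for a throwaway debugging patch but not for anything kept, where the mbedtls level should be mapped to AV_LOG_DEBUG or AV_LOG_TRACE.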
@@ -185,6 +192,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
mbedtls_x509_crt_init(&tls_ctx->ca_cert);
mbedtls_pk_init(&tls_ctx->priv_key);
+ mbedtls_ssl_conf_dbg(&tls_ctx->ssl_context, mbedtls_debug, shr->tcp);
+ mbedtls_debug_set_threshold(4);
+
// load trusted CA
if (shr->ca_file) {
if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) { |
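Review bot: `mbedtls_ssl_conf_dbg` takes a `mbedtls_ssl_config *`, but this line passes `&tls_ctx->ssl_context`, which is the `mbedtls_ssl_context`; it will not compile as written and should be `&tls_ctx->ssl_config`. Note also that the callback only receives anything if the mbedtls library itself was built with MBEDTLS_DEBUG_C, and that the earlier observation (MBEDTLS_DEBUG_C alone giving no logcat output) is expected, because without a callback registered via mbedtls_ssl_conf_dbg there is nowhere for the messages to go. Threshold 4 is the most verbose level, so expect a large volume of output.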

These are the logs I got, they don't mean much to me though. The diff you sent has a typo btw, ssl_context instead of ssl_config, that gave me some trouble lol

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -26,6 +26,7 @@
#include <mbedtls/platform.h>
#include <mbedtls/ssl.h>
#include <mbedtls/x509_crt.h>
+#include <mbedtls/debug.h>
#include "avformat.h"
#include "internal.h"
@@ -109,6 +110,12 @@ static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret);
}
+static void mbedtls_debug(void *ctx, int lvl, const char *file, int line, const char *msg)
+{
+ URLContext *h = (URLContext*) ctx;
+ av_log(h, AV_LOG_ERROR, "%s%d: %s", file, line, msg);
+}
+
static void handle_pk_parse_error(URLContext *h, int ret)
{
switch (ret) {
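Review bot: the format string `"%s%d: %s"` still concatenates the file name and line number without a separator; change it to `"%s:%d: %s"` before relying on the logged locations.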
@@ -185,6 +192,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
mbedtls_x509_crt_init(&tls_ctx->ca_cert);
mbedtls_pk_init(&tls_ctx->priv_key);
+ mbedtls_ssl_conf_dbg(&tls_ctx->ssl_config, mbedtls_debug, shr->tcp);
+ mbedtls_debug_set_threshold(4);
+
// load trusted CA
if (shr->ca_file) {
if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) { |
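Review bot: with `&tls_ctx->ssl_config` the call now matches the `mbedtls_ssl_conf_dbg` signature. The callback still only fires when the mbedtls build has MBEDTLS_DEBUG_C defined, so keep that option and this patch together when reproducing, and lower `mbedtls_debug_set_threshold(4)` to 3 or below if level 4 (the most verbose) drowns the relevant handshake messages. Neither the debug hook nor the threshold call belongs in a committed change.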

For now, I will just update to 3.6.0 in my fork and disable TLSv1.3 by default until we find a fix.

Seems to be this Mbed-TLS/mbedtls#8401

I added

So I debugged this further and it seems mbedtls 3.6 has broken the ability to not verify the server certificate. 🤦

Edit: There's quite a lot going wrong here. You can try this branch with fixes: https://github.com/sfan5/ffmpeg/tree/mbed13
I tried compiling mbedtls with TLS 1.3 support in my fork, but for some reason it resulted in mpv not being able to play either 1.2 or 1.3 streams.

What I did was adding

./scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3

in mbedtls.sh. I also tried some other options like MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE, but no luck.

I'm interested in this because I recently updated my jellyfin server's nginx config to only offer TLS 1.3 but noticed that mpv-android doesn't support it yet.