[vlc-commits] securetransport: Add mode to ignore untrusted certificates

David Fuhrmann git at videolan.org
Tue Feb 6 10:59:01 CET 2018


vlc/vlc-3.0 | branch: master | David Fuhrmann <dfuhrmann at videolan.org> | Sun Feb  4 16:13:50 2018 +0100| [640a0f99be6b83758fb4dd87ed8734cb6297675d] | committer: Thomas Guillem

securetransport: Add mode to ignore untrusted certificates

This is a workaround only for chromecast and only for the 3.0
branch.

Signed-off-by: Thomas Guillem <thomas at gllm.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=640a0f99be6b83758fb4dd87ed8734cb6297675d
---

 modules/misc/securetransport.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/modules/misc/securetransport.c b/modules/misc/securetransport.c
index 74d4b9cdc7..3a6acba65f 100644
--- a/modules/misc/securetransport.c
+++ b/modules/misc/securetransport.c
@@ -221,7 +221,7 @@ static OSStatus st_SocketWriteFunc (SSLConnectionRef connection,
     return retValue;
 }
 
-static int st_validateServerCertificate (vlc_tls_t *session, const char *hostname) {
+static int st_validateServerCertificate (vlc_tls_t *session, vlc_tls_creds_t *cred, const char *hostname) {
 
     vlc_tls_st_t *sys = (vlc_tls_st_t *)session;
     int result = -1;
@@ -269,6 +269,12 @@ static int st_validateServerCertificate (vlc_tls_t *session, const char *hostnam
             msg_Warn(sys->obj, "cerfificate verification failed, result is %d", trust_eval_result);
     }
 
+    if (cred->obj.flags & OBJECT_FLAGS_INSECURE) {
+        msg_Warn(sys->obj, "Accepting untrusted certificate, this is very insecure!");
+        result = 0;
+        goto out;
+    }
+
     /* get leaf certificate */
     /* SSLCopyPeerCertificates is only available on OSX 10.5 or later */
 #if !TARGET_OS_IPHONE
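Review bot: The new `OBJECT_FLAGS_INSECURE` branch sets `result = 0` and jumps to `out`, apparently once trust evaluation has already failed, skipping the leaf-certificate handling that follows. Any session created from these credentials is therefore encrypted but unauthenticated, and whoever sits on the network path can present a certificate of their own. Nothing at the branch records which caller is meant to set the flag; a comment such as `/* Chromecast-only workaround (3.0 branch): caller set OBJECT_FLAGS_INSECURE, peer identity is NOT verified */` would discourage reuse elsewhere. The warning also omits the peer, so `msg_Warn(sys->obj, "Accepting untrusted certificate for %s, this is very insecure!", hostname);` would make these sessions auditable in logs, provided `hostname` cannot be NULL here (not visible in the hunk). The function body starts and ends outside the hunk, so the `out` label and the code before the branch are assumed from context.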
@@ -402,7 +408,7 @@ static int st_Handshake (vlc_tls_creds_t *crd, vlc_tls_t *session,
 
     switch (retValue) {
         case noErr:
-            if (sys->b_server_mode == false && st_validateServerCertificate(session, host) != 0) {
+            if (sys->b_server_mode == false && st_validateServerCertificate(session, crd, host) != 0) {
                 return -1;
             }
             msg_Dbg(crd, "handshake completed successfully");


