BtbN / FFmpeg-Builds

MIT License

openssl built for windows builds but is not enabled #373

Closed sslivins closed 1 month ago

sslivins commented 1 month ago

I was trying to use openssl for a Windows build and I see that it's built successfully in the docker containers; however, this line is preventing openssl from being enabled in the ffmpeg configuration:

https://github.com/BtbN/FFmpeg-Builds/blob/afcd9939cfaa1bec3a64044dc1f9d33481c3da42/scripts.d/25-openssl.sh#L97

I removed it locally and it appears to be working correctly. Is there a reason it's not enabled or was this an oversight?

BtbN commented 1 month ago

Windows uses schannel, not openssl.

BtbN commented 1 month ago

More specifically, openssl is only built at all because other things depend on it. Using an OS provided tls library which gets regular updates is largely preferable over a forever frozen in time version of openssl.

sslivins commented 1 month ago

The schannel implementation is still quite buggy and we ran into some serious issues with it hanging in production. Nevertheless, if this was intentional that's fine, I can patch it locally.

BtbN commented 1 month ago

Please report such issues upstream, it's not in any way or form an immature backend and is supposed to work just fine. I'd also think that only removing the line of code you showed would cause a configure error, since configure will refuse to enable two tls backends simultaneously (schannel and openssl in this case).

Also keep in mind that a statically linked openssl on Windows has no means to access any certificate store or anything, so I think it will just blindly accept anything unless pointed at a cert store manually, which ffmpeg does not do. (That's also an issue on Linux, but there sadly is no good alternative there.)
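
Added example, not part of the thread or of the FFmpeg-Builds scripts: a pre-build check for the rule described in the comment above, that configure refuses two TLS backends at once. The function names and sample flag strings are constructed, and treating the last `--enable-X`/`--disable-X` switch as the deciding one is an assumption of this sketch.

```shell
# FFmpeg configure switches that select a TLS backend.
TLS_FLAGS="gnutls libtls mbedtls openssl schannel securetransport"

# tls_backends "<configure flags>"
# Prints every TLS backend left enabled by the flag string.
# Assumption: the last --enable-X / --disable-X seen for a backend wins.
tls_backends() {
    out=""
    for lib in $TLS_FLAGS; do
        state=""
        for flag in $1; do
            case "$flag" in
                --enable-"$lib")  state=on ;;
                --disable-"$lib") state=off ;;
            esac
        done
        if [ "$state" = on ]; then
            out="${out:+$out }$lib"
        fi
    done
    printf '%s\n' "$out"
}

# audit_tls "<configure flags>"
# Returns 0 for exactly one backend, 1 for none, 2 for a conflict.
audit_tls() {
    backends=$(tls_backends "$1")
    set -- $backends            # split the result into positional parameters
    case $# in
        0)  echo "no TLS backend switch present in these flags"
            return 1 ;;
        1)  echo "TLS backend: $1"
            if [ "$1" = openssl ]; then
                # Ties back to the trust-store point raised in the thread.
                echo "note: confirm how this build locates trusted CA certificates"
            fi
            return 0 ;;
        *)  echo "conflict: $backends (expected to be rejected by configure)"
            return 2 ;;
    esac
}

# Constructed sample: a local patch that adds openssl while schannel stays on.
audit_tls "--enable-gpl --enable-schannel --enable-openssl" || true
```
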

sslivins commented 1 month ago

Will do, thanks.

BtbN commented 1 month ago

Please actually report them: https://trac.ffmpeg.org/

You're not the first person mentioning issues with schannel, but nobody ever followed up with any way to reproduce them, let alone get them fixed. And I myself never ran into any issues with it.

sslivins commented 1 month ago

I should clarify: it's not schannel proper, rather the ffmpeg schannel shim that's buggy. I will be following up with ffmpeg, but for the short term openssl solves the issue.

Btw, this is a fantastic project, thank you for all you do!

BtbN commented 1 month ago

Yeah, that's what I mean as well. The only issues with hangs related to schannel were in the hls code and that got fixed years ago. So even just an issue with "doing XYZ when using the schannel backend causes this and that." would be valuable.

sslivins commented 1 month ago

I'm familiar with the hls issue, this particular issue is with rtmps.

Andarwinux commented 1 month ago

OpenSSL 3.2 has a new winstore certificate store backend that can be used when statically linked, but this is opt-in, so it may require changes on the FFmpeg side.