Open Skybound1 opened 3 months ago
Hi @Skybound1 - The failure to parse any other certs once one cert fails sounds like an implementation detail outside of our library I am afraid, there is nothing we do that would affect that, so it may be worth also reporting this upstream to ffmpeg.
I will raise this issue again with the team, but again, it's not something we are likely to have time to implement in the immediate future.
Ah fair enough, sorry about that. Will also raise with ffmpeg.
Reading through the code, am I correct in understanding that mbedtls_x509_crt_parse_file returns < 0 for error, 0 for no errors, and > 0 if there is a count of specific certificates that failed to load, but otherwise not an overall error?
And to reiterate, we would welcome any patch that implemented this.
> Reading through the code, am I correct in understanding that mbedtls_x509_crt_parse_file returns < 0 for error, 0 for no errors, and > 0 if there is a count of specific certificates that failed to load, but otherwise not an overall error?
When a critical extension fails parsing we return MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG. If the extension is not marked as critical we continue parsing and ignore the failure.
The correct workaround for extensions not supported by Mbed TLS is for the calling code to supply an extension-parsing callback function that parses the extension.
Summary
Arch Linux has switched to using mbed for ffmpeg. This caused a few breakages which have been fixed by including system CAs (as described in https://gitlab.archlinux.org/archlinux/packaging/packages/ffmpeg/-/issues/10).
I have a few custom root CAs loaded into my system's trust store. One of which is a CA with a name constraint as a critical extension, which I understand is not currently supported by mbed (https://github.com/Mbed-TLS/mbedtls/issues/8759).
This leads to the error
mbedtls_x509_crt_parse_file for CA cert returned 1
when loading the system's CA file.
System information
Mbed TLS version (number or commit id):
Operating system and version: Arch Linux
Configuration (if not default, please attach mbedtls_config.h):
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): Compiled into ffmpeg as part of Arch Linux distribution from package manager
Additional environment information:
Expected behavior
A CA that cannot be parsed should not stop the parsing and loading of other root certificates from a CA file. The problematic CA should be ignored, and the remainder of the CAs should still be parsed and loaded if valid.
Actual behavior
A CA that cannot be parsed stops the parsing of other CAs in the same CA file, regardless of whether the rest are valid or not.
Steps to reproduce
ffplay -i URL -tls_verify 1 -cafile /tmp/ca-bundle.crt
Additional information