Comment 1 Sam James 2023-11-26 00:44:35 UTC

Could you give some example URL to test with?

This also sounds familiar but I can't think of what the other bug is right now (leio?)

(In reply to Sam James from comment #1)
> Could you give some example URL to test with?
> 
> This also sounds familiar but I can't think of what the other bug is right
> now (leio?)

Any https url with tls_verify 1 will suffice, I abstained from providing a URL because my account is too new to post links, but I can work around that filter.

URL="$(echo 'media tenor com/_LrkimwtigUAAAAC/oh-yeah-oh-yeah-gif gif' | tr ' ' '.' | cat <(echo -n 'https://') -)"
ffmpeg -tls_verify 1 -i "${URL}" output.mp4

I discovered this bug because it breaks playback on media-video/jellyfin-media-player.  Accessing the server is fine, but playback fails, I traced it back to ffmpeg.  I am able to get around this issue in media-video/jellyfin-media-player by enabling the autodetectCertBundle option which invokes the code at:
URL="$(echo 'github com/jellyfin/jellyfin-media-player/blob/master/src/player/PlayerComponent cpp#L138' | tr ' ' '.')"
This leads me to believe that certificate bundles are not being loaded correctly.  Whether or not this is the responsibility of ffmpeg or openssl/gnutls I don't know, but this bug doesn't happen on the version of Linux Mint or Arch Linux that I've tried.

I ended up enabling a many of the ffmpeg USE flags hoping it would resolve the issue, but to no avail.  Here is what I have for that:
+X -abi_x86_32 +alsa -amf -amr -amrenc -bluray -bs2b +bzip2 -cdio -chromaprint +chromium -codec2 -cpu_flags_x86_3dnow -cpu_flags_x86_3dnowext +cpu_flags_x86_aes +cpu_flags_x86_avx +cpu_flags_x86_avx2 +cpu_flags_x86_fma3 -cpu_flags_x86_fma4 +cpu_flags_x86_mmx +cpu_flags_x86_mmxext +cpu_flags_x86_sse +cpu_flags_x86_sse2 +cpu_flags_x86_sse3 +cpu_flags_x86_sse4_1 +cpu_flags_x86_sse4_2 +cpu_flags_x86_ssse3 -cpu_flags_x86_xop -cpudetection -cuda +dav1d -debug -doc +encode -fdk +fftools_aviocat +fftools_cws2fws +fftools_ffescape +fftools_ffeval +fftools_ffhash +fftools_fourcc2pixfmt +fftools_graph2dot +fftools_ismindex +fftools_pktdumper +fftools_qt-faststart +fftools_sidxindex +fftools_trasher -flite +fontconfig -frei0r -fribidi -gcrypt -gme -gmp +gnutls +gpl -gsm -hardcoded-tables +iconv -iec61883 -ieee1394 -jack -jpeg2k +jpegxl -kvazaar -ladspa -lcms +libaom +libaribb24 +libass +libcaca +libdrm -libilbc -libplacebo -librtmp +libsoxr +libtesseract +libv4l +libxml2 +lv2 +lzma -modplug +mp3 +network -nvenc +openal +opencl +opengl +openh264 +openssl +opus +oss -pic +postproc +pulseaudio -qsv -rav1e -rubberband -samba +sdl -snappy -sndio -speex -srt -ssh -static-libs +svg -svt-av1 -test +theora +threads +truetype -twolame +v4l +vaapi -vdpau -verify-sig +vidstab +vmaf +vorbis +vpx -vulkan +webp +x264 +x265 +xvid -zeromq +zimg +zlib +zvbi

Use flags for openssl:
-abi_x86_32 +asm -fips -ktls -rfc3779 -sctp -static-libs -test +tls-compression -vanilla -verify-sig -weak-ssl-ciphers

Use flags for gnutls:
-abi_x86_32 -brotli +cxx -dane -doc -examples +idn +nls +openssl +pkcs11 +seccomp -static-libs -test -test-full +tls-heartbeat +tools -verify-sig +zlib +zstd

Comment 3 Ionen Wolkens 2025-03-11 04:03:19 UTC

Still seems to be happening when using openssl (fine with gnutls), not sure what it's about.

The reason it doesn't happen with other distros is pretty simple though, about all of them default to gnutls because linking to openssl (formerly) required --enable-nonfree (that's no longer required with openssl-3), while Gentoo allows you to pick.

So if you want the same behaviour, you just need USE="-openssl gnutls"

Comment 4 Ionen Wolkens 2025-03-11 04:14:46 UTC

And note gnutls is *also* our default for ffmpeg (assuming do not go out of your way to enable USE=openssl) and given issues like this and others I'm not too inclined to change that at the moment (did consider it given no longer needing --enable-nonfree).

Think I'll close this, should probably be taken upstream if want this to be improved for openssl.