ossrs · ghost · Jun 28, 2025 · Jun 28, 2025 · Jun 28, 2025 · Jun 18, 2025
diff --git a/libavformat/tls.c b/libavformat/tls.c
@@ -137,7 +137,7 @@ int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AV
                                parent->protocol_whitelist, parent->protocol_blacklist, parent);
     if (c->is_dtls) {
         if (ret < 0) {
-            av_log(c, AV_LOG_ERROR, "WHIP: Failed to connect udp://%s:%d\n", c->underlying_host, port);
+            av_log(c, AV_LOG_ERROR, "Failed to connect udp://%s:%d\n", c->underlying_host, port);
             return ret;
         }
         /* Make the socket non-blocking, set to READ and WRITE mode after connected */

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
@@ -316,7 +316,8 @@ static int openssl_gen_certificate(EVP_PKEY *pkey, X509 **cert, char **fingerpri
         goto enomem_end;
     }
 
-    serial = (int)av_get_random_seed();
+    // According to RFC5280 4.1.2.2, The serial number MUST be a positive integer
+    serial = (int)(av_get_random_seed() & 0x7FFFFFFF);
     if (ASN1_INTEGER_set(X509_get_serialNumber(*cert), serial) != 1) {
         av_log(NULL, AV_LOG_ERROR, "TLS: Failed to set serial, %s\n", ERR_error_string(ERR_get_error(), NULL));
         goto einval_end;