[Development] QSsl: finer-grained protocol selection

Mikkel Krautz mikkel at krautz.dk
Fri Dec 26 16:55:34 CET 2014


On Fri, Dec 26, 2014 at 2:47 PM, Thiago Macieira
<thiago.macieira at intel.com> wrote:
>
> On Friday 26 December 2014 13:12:47 Mikkel Krautz wrote:
> > too!). So, the current QSsl::SecureProtocols in Qt 5.4 is fine for our use.
> > But since QSsl::SecureProtocols is a moving target, we're afraid that if we
> > commit to using it, a future Qt 5.x version may remove TLS 1.0 support. That
> > would break backwards compatibility to older Mumble servers and/or clients,
> > so that's a no-no for us.
>
> Suppose a flaw is detected in 1.0 that necessitates everyone to upgrade. Why
> would you not want it?

We definitely wouldn't keep supporting TLS 1.0 in that case.

But we would like to still be able to accept connections where the
handshake ends up using TLS 1.0. Then we can handle the rejection at
the application protocol level, and show an appropriate message to the
user and potentially disconnect them immediately. This would be
handled through an update to the server software. Clients could be
updated with a similar mechanism, too.

If we do it this way, it allows us to display an appropriate message,
via the server, even for clients that are not TLS 1.1 or TLS
1.2-aware. (Which is pretty much the whole user base.)

However, if there really is no interest in allowing a finer-grained
protocol selection in Qt itself, I suppose we could live with using
QSsl::SecureProtocols. That'll at least allow us to add a generic
error if a modern client attempts to connect to a server that only
allows TLS 1.0. But older clients would, unfortunately, be stuck with
a generic handshake error.

But in my opinion, that would not be ideal for our users.

> --
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel Open Source Technology Center
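The trade-off Mikkel describes above, rejecting an old protocol version at the TLS layer (QSsl::SecureProtocols style, where the peer only sees a failed handshake) versus letting the handshake complete and rejecting at the application layer (where the server can still deliver a human-readable reason), can be made concrete with a small model. The following is an added example written for this page, not Mumble's or Qt's code: it uses no TLS library, the version-negotiation rule is simplified to "highest version both sides offer", and the `Reject` message text, the `Enforcement` enum and `simulateConnect` are all hypothetical.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical model of TLS version negotiation plus the two places a server
// can enforce a minimum version. Not Qt, OpenSSL or Mumble code.

enum class TlsVersion : std::uint16_t {
    Tls10 = 0x0301,  // values as carried in the TLS record layer
    Tls11 = 0x0302,
    Tls12 = 0x0303
};

// Where the "TLS 1.0 is no longer allowed" decision is made.
enum class Enforcement {
    TransportLayer,   // stack only offers allowed versions (cf. QSsl::SecureProtocols)
    ApplicationLayer  // stack still offers TLS 1.0; server checks after the handshake
};

struct Outcome {
    bool handshakeOk;        // TLS handshake completed
    bool sessionAccepted;    // application layer kept the session
    std::string clientSees;  // what the peer is able to observe
};

static const char* versionName(TlsVersion v) {
    switch (v) {
        case TlsVersion::Tls10: return "TLS 1.0";
        case TlsVersion::Tls11: return "TLS 1.1";
        case TlsVersion::Tls12: return "TLS 1.2";
    }
    return "unknown";
}

// Picks the highest version both sides offer; returns false when there is none
// (a real stack would then abort with a protocol_version alert).
bool negotiate(const std::vector<TlsVersion>& client,
               const std::vector<TlsVersion>& server, TlsVersion& chosen) {
    bool found = false;
    for (TlsVersion v : client) {
        if (std::find(server.begin(), server.end(), v) == server.end()) continue;
        if (!found || v > chosen) { chosen = v; found = true; }
    }
    return found;
}

// One connection attempt against a server whose policy is "require at least
// minimumAccepted", enforced at the given layer.
Outcome simulateConnect(const std::vector<TlsVersion>& clientVersions,
                        Enforcement mode, TlsVersion minimumAccepted) {
    static const TlsVersion all[] = {TlsVersion::Tls10, TlsVersion::Tls11, TlsVersion::Tls12};
    std::vector<TlsVersion> serverVersions;
    for (TlsVersion v : all) {
        // Transport-layer enforcement never offers versions below the minimum.
        // Application-layer enforcement offers everything so the handshake can finish.
        if (mode == Enforcement::ApplicationLayer || v >= minimumAccepted)
            serverVersions.push_back(v);
    }

    TlsVersion negotiated = TlsVersion::Tls10;
    if (!negotiate(clientVersions, serverVersions, negotiated)) {
        // No common version: the client sees only a handshake failure and the
        // server has no channel over which to explain why.
        return {false, false, "generic handshake error"};
    }

    if (negotiated < minimumAccepted) {
        // Handshake done, so a (hypothetical) application-level Reject message
        // can be delivered before the server disconnects the peer.
        std::string msg = "Reject: ";
        msg += versionName(negotiated);
        msg += " is no longer supported, please upgrade your client (minimum ";
        msg += versionName(minimumAccepted);
        msg += ")";
        return {true, false, msg};
    }

    std::string msg = "session established with ";
    msg += versionName(negotiated);
    return {true, true, msg};
}
```

Running a TLS 1.0-only client against a server that requires TLS 1.1 shows the difference: with `Enforcement::TransportLayer` the handshake simply fails, while with `Enforcement::ApplicationLayer` it completes and the client receives the reject text before being disconnected. A client offering TLS 1.2 is accepted in both modes.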
