[Development] QSsl: finer-grained protocol selection

Richard Moore rich at kde.org
Sun Dec 28 14:11:13 CET 2014


On 27 December 2014 at 12:48, Thiago Macieira <thiago.macieira at intel.com>
wrote:

> On Saturday 27 December 2014 10:52:41 Richard Moore wrote:
> > Hmm, if you set TLS 1.0 you really need to only negotiate TLS 1.0. If not
> > then if you're connecting to old servers the TLS extensions will lead the
> > connection to hang. Perhaps what we want is a minimum and maximum version
> > (though this doesn't map very well to the underlying openssl API).
>
> Why? Let's assume this is 2014 today and that any non-broken server has
> been upgraded to support TLSv1, since SSLv3 is now known to be not as
> secure.
> Is the connection hanging still a problem? And even if it is, isn't that an
> OpenSSL problem, not ours?
>
>
At the moment there are still a lot of SSL accelerators out there with
these problems. We can probably stop worrying in around a year once all the
browsers have got around to disabling SSL3 and thereby forcing things to be
fixed. Currently we will already fail to connect to these servers, but the
API we provide allows users to implement workarounds in their own code. If
we change the meaning of the TLSv1 constant in this way then it would no
longer be possible for them to do this.

Cheers

Rich.
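The mismatch Rich alludes to ("a minimum and maximum version ... doesn't map very well to the underlying openssl API") comes from OpenSSL's 2014-era API expressing protocol choice as per-version exclusion bits (SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, ...) rather than as a range. The following is an added example, not Qt's or OpenSSL's code; it uses the same SSL_OP_NO_* bits as exposed by Python's ssl module to show how a range or a single pinned version translates into that mask, and where the translation back fails. The version names and the helper functions are this example's own.

```python
import ssl

# Versions in wire order, each with the legacy OpenSSL flag that excludes it.
# Python's ssl module exposes the same SSL_OP_NO_* bits OpenSSL uses.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
NO_FLAG = {
    "SSLv3":   ssl.OP_NO_SSLv3,
    "TLSv1.0": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": ssl.OP_NO_TLSv1_3,
}


def exclusion_mask(minimum, maximum):
    """Translate a contiguous [minimum, maximum] range into the SSL_OP_NO_*
    mask that disables every version outside it. Pinning exactly one version
    (the 'TLSv1 means only TLS 1.0' reading from the thread) is the degenerate
    case minimum == maximum."""
    lo, hi = ORDER.index(minimum), ORDER.index(maximum)
    if lo > hi:
        raise ValueError(f"minimum {minimum} is newer than maximum {maximum}")
    mask = 0
    for i, name in enumerate(ORDER):
        if i < lo or i > hi:
            mask |= NO_FLAG[name]
    return mask


def allowed_versions(mask):
    """Inverse view: which versions a given SSL_OP_NO_* mask still permits."""
    return [name for name in ORDER if not mask & NO_FLAG[name]]


def to_range(mask):
    """Recover (minimum, maximum) from a mask. The flag API can express holes
    (allow TLS 1.0 and 1.2 but not 1.1) that a range API cannot, so this is
    where the two models stop lining up; such masks raise ValueError."""
    allowed = allowed_versions(mask)
    if not allowed:
        raise ValueError("mask disables every version")
    lo, hi = ORDER.index(allowed[0]), ORDER.index(allowed[-1])
    if allowed != ORDER[lo:hi + 1]:
        raise ValueError(f"non-contiguous version set {allowed} has no min/max form")
    return allowed[0], allowed[-1]


if __name__ == "__main__":
    pinned = exclusion_mask("TLSv1.0", "TLSv1.0")
    print("pin TLS 1.0 only  ->", allowed_versions(pinned))
    ranged = exclusion_mask("TLSv1.0", "TLSv1.2")
    print("range 1.0..1.2    ->", to_range(ranged))
    holed = NO_FLAG["SSLv3"] | NO_FLAG["TLSv1.1"]
    print("mask with a hole  ->", allowed_versions(holed), "(no min/max form)")
```

A range API such as the minimum/maximum pair proposed in the thread can always be lowered to the flag mask, but not every mask lifts back to a range, which is the direction that has to be handled when an existing flag-based configuration is exposed through a range-shaped one.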