[Development] QSsl: finer-grained protocol selection

Mikkel Krautz mikkel at krautz.dk
Thu Feb 12 23:08:25 CET 2015


I've opened a code review for adding TlsV1_0OrLater and friends at:

https://codereview.qt-project.org/#/c/106080/

We obviously haven't reached agreement on the actual API for this, but
as I said, we're pretty happy with the 'OrLater' variant, which the
patchset implements.  Hopefully, the patchset gives a better overview
of the changes involved.

Rudimentary (as much as possible) support for WinRT is available in
the patchset.

SecureTransport should be easy to add, since it uses a (min, max)
protocol range...


On Fri, Jan 16, 2015 at 3:16 PM, Mikkel Krautz <mikkel at krautz.dk> wrote:
> On Sun, Dec 28, 2014 at 2:26 PM, Thiago Macieira
> <thiago.macieira at intel.com> wrote:
>> On Sunday 28 December 2014 13:11:13 Richard Moore wrote:
>>> At the moment there are still a lot of SSL accelerators out there with
>>> these problems. We can probably stop worrying in around a year once all the
>>> browsers have got around to disabling SSL3 and thereby forcing things to be
>>> fixed. Currently we will already fail to connect to these servers, but the
>>> API we provide allows users to implement workarounds in their own code. If
>>> we change the meaning of the TLSv1 constant in this way then it would no
>>> longer be possible for them to do this.
>>
>> Ah, I see.
>>
>> Then we just add to the list:
>>
>>         TlsV1_0OrLater,
>>         TlsV1_1OrLater,
>>         TlsV1_2OrLater
>>
>> When TLS 1.3 comes into existence, we add:
>>
>>         TlsV1_3,
>>         TlsV1_3OrLater
>
> We'd be fine with either of these proposals.
>
> However, I think this proposal would be less surprising to existing
> users of QSslSocket, so it's the one I'd prefer personally.
>
>> Alternatively, we can add a
>>
>>         /// if major == 0, sets to "Secure Protocols"
>>         void setMinimumTlsVersion(int major, int minor);
>>         int sessionTlsMajorVersion() const;
>>         int sessionTlsMinorVersion() const;
>>
>> And deprecate setProtocol.
>> --
>> Thiago Macieira - thiago.macieira (AT) intel.com
>>   Software Architect - Intel Open Source Technology Center
>>
>> _______________________________________________
>> Development mailing list
>> Development at qt-project.org
>> http://lists.qt-project.org/mailman/listinfo/development



More information about the Development mailing list