Update SSL/TLS support #12524
* --ssl-protocol= option now accepts 'tlsv1.2', 'tlsv1.1', 'tlsv1.0' and 'default' as well as the existing 'tlsv1', 'sslv3', and 'any'.
* The default is now none of the above, but rather QSsl::SecureProtocols, which means "whatever subset of ANY is still considered secure and also supported by the OpenSSL library in use". (As of this writing, Qt's idea of "still considered secure" includes everything from SSLv3 on up, which is technically wrong -- SSLv3 has known breaks -- but we can live with. Qt currently doesn't have a way to select "TLSv1.0 and up".)
…riya#12524) New option --ssl-ciphers takes a colon-separated list of OpenSSL cipher names and sets the client cipher list to exactly that list. The default for this option is arranged to match Chromium 35, which has had its cipher selection optimized for the modern Web (see https://briansmith.org/browser-ciphersuites-01.html for rationales). (Newer versions are the same except that they also add ChaCha20-based ciphersuites, which OpenSSL 1.0.1 hasn't yet picked up.)
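Added example, not phantomjs or Qt code: the two options described in the commit messages, modelled with Python's ssl module so the "supported by the OpenSSL library in use" caveat can be observed locally. The option names and accepted values come from the PR; the version table, `SAMPLE_CIPHERS` and the function names are assumptions of mine.

```python
import ssl

# --ssl-protocol value -> (lowest, highest) version the client will offer.
# This table is my reading of the option values listed in the PR, not phantomjs
# code; 'default' stands in for Qt's QSsl::SecureProtocols, which the PR notes
# still reaches down to SSLv3.
PROTOCOL_RANGES = {
    "sslv3":   (ssl.TLSVersion.SSLv3, ssl.TLSVersion.SSLv3),
    "tlsv1.0": (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1),
    "tlsv1":   (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1),
    "tlsv1.1": (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1),
    "tlsv1.2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
    "any":     (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED),
    "default": (ssl.TLSVersion.SSLv3, ssl.TLSVersion.MAXIMUM_SUPPORTED),
}

# Constructed stand-in for the Chromium-35-derived default cipher list; the
# real list lives in the phantomjs source, not on the PR page.
SAMPLE_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:NOT-A-REAL-CIPHER"


def protocol_range(value):
    """Resolve an --ssl-protocol string (case-insensitive) to a version range."""
    try:
        return PROTOCOL_RANGES[value.lower()]
    except KeyError:
        raise ValueError(f"unknown --ssl-protocol value: {value!r}") from None


def offered_ciphers(cipher_list):
    """Names from a colon-separated --ssl-ciphers value that the local OpenSSL
    actually knows. OpenSSL drops unknown names silently; if nothing survives,
    set_ciphers() raises ssl.SSLError ('No cipher can be selected')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    requested = set(cipher_list.split(":"))
    # get_ciphers() also reports TLS 1.3 suites, which OpenSSL configures
    # separately; keep only the names the caller asked for.
    return [c["name"] for c in ctx.get_ciphers() if c["name"] in requested]


def client_context(protocol="default", cipher_list=SAMPLE_CIPHERS):
    """Build a client SSLContext equivalent to the two phantomjs options.
    OpenSSL builds compiled without SSLv3 or TLS 1.0 reject the low end of the
    range with ValueError: the library in use decides what can be offered."""
    lo, hi = protocol_range(protocol)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version, ctx.maximum_version = lo, hi
    ctx.set_ciphers(cipher_list)
    return ctx
```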
This is really good, thanks for this update.
It is unfortunate that
I seem to have overstated the case a bit. The only concrete flaw in SSLv3 that I can find that isn't also in TLSv1.0 is the assertion at https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_3.0 that "[in 3.0] half of the master key is fully dependent on MD5". TLSv1.0 itself is considered rather creaky nowadays, what with BEAST and its relatives, but it's probably not possible to disable it client-side yet without breaking too many sites. So Qt's default is still reasonable. https://bugreports.qt-project.org/browse/QTBUG-28469 asks for the ability to select more than one specific version of TLS/SSL, which would allow phantomjs to (optionally) offer only TLS 1.1 and 1.2, for instance.
* --ssl-protocol= option now accepts 'tlsv1.2', 'tlsv1.1', 'tlsv1.0' and 'default' as well as the existing 'tlsv1', 'sslv3', and 'any'.
* The default is now none of the above, but rather QSsl::SecureProtocols, which means "whatever subset of ANY is still considered secure and also supported by the OpenSSL library in use". (As of this writing, Qt's idea of "still considered secure" includes everything from SSLv3 on up, which is technically wrong -- SSLv3 has known breaks -- but we can live with. Qt currently doesn't have a way to select "TLSv1.0 and up".)
Conflicts: src/networkaccessmanager.cpp
I just stumbled across this. Does that mean that phantomjs (up to 2.0) does not support TLSv1.1 nor TLSv1.2?
Yes, that is correct, 1.x versions only support SSL 3.0 and TLS 1.0, and by default only SSL 3.0 is offered. Unfortunately, this is a limitation of Qt 4.x, so we can't backport the changes.
Pardon me for bumping this: Is there any change to the TLS situation with the newly released 2.1?
2.1 is better but not perfect. IIRC 2.1 will, by default, offer SSL3 What still isn't possible is to offer both TLS1.1 and 1.2 but nothing
Qt 5.x allows use of newer SSL protocol versions beyond TLSv1.0. This should be accessible in phantomjs.