On 27 December 2014 at 12:48, Thiago Macieira <[email protected]> wrote:
> On Saturday 27 December 2014 10:52:41 Richard Moore wrote:
> > Hmm, if you set TLS 1.0 you really need to only negotiate TLS 1.0. If not
> > then if you're connecting to old servers the TLS extensions will lead the
> > connection to hang. Perhaps what we want is a minimum and maximum version
> > (though this doesn't map very well to the underlying openssl API).
>
> Why? Let's assume this is 2014 today and that any non-broken server has
> been upgraded to support TLSv1, since SSLv3 is now known to be not as
> secure.
> Is the connection hanging still a problem? And even if it is, isn't that an
> OpenSSL problem, not ours?

At the moment there are still a lot of SSL accelerators out there with these
problems. We can probably stop worrying in around a year once all the browsers
have got around to disabling SSL3 and thereby forcing things to be fixed.

Currently we will already fail to connect to these servers, but the API we
provide allows users to implement workarounds in their own code. If we change
the meaning of the TLSv1 constant in this way then it would no longer be
possible for them to do this.

Cheers

Rich.
_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
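The point of contention above is how a "minimum and maximum version" setting maps onto the OpenSSL API of the day, where a context created with `SSLv23_method()` negotiates any version and the only way to narrow it is to set `SSL_OP_NO_*` bits with `SSL_CTX_set_options()`. The following is an added example, not code from the thread or from Qt, that computes that option mask from a version range; pinning "exactly TLS 1.0" is just the degenerate range. The `TlsVersion` enum, the function names and the `OP_NO_*` constants are this example's own (the constant values are copied from the OpenSSL 1.0.x `<openssl/ssl.h>` so the code compiles without linking OpenSSL); in OpenSSL 1.1.0 and later `SSL_CTX_set_min_proto_version()` / `SSL_CTX_set_max_proto_version()` express the same range directly.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Protocol versions in negotiation order. Hypothetical enum for this example;
// Qt's QSsl::SslProtocol uses different enumerators.
enum class TlsVersion { SSLv3 = 0, TLSv1_0 = 1, TLSv1_1 = 2, TLSv1_2 = 3 };

// SSL_OP_NO_* bit values as defined in OpenSSL 1.0.x <openssl/ssl.h>,
// reproduced here so the example builds without the OpenSSL headers.
constexpr uint32_t OP_NO_SSLv2   = 0x01000000u;
constexpr uint32_t OP_NO_SSLv3   = 0x02000000u;
constexpr uint32_t OP_NO_TLSv1   = 0x04000000u;
constexpr uint32_t OP_NO_TLSv1_2 = 0x08000000u;
constexpr uint32_t OP_NO_TLSv1_1 = 0x10000000u;

constexpr std::array<TlsVersion, 4> kAllVersions = {
    TlsVersion::SSLv3, TlsVersion::TLSv1_0, TlsVersion::TLSv1_1, TlsVersion::TLSv1_2};

// The option bit that disables a single version.
uint32_t noFlagFor(TlsVersion v) {
    switch (v) {
        case TlsVersion::SSLv3:   return OP_NO_SSLv3;
        case TlsVersion::TLSv1_0: return OP_NO_TLSv1;
        case TlsVersion::TLSv1_1: return OP_NO_TLSv1_1;
        case TlsVersion::TLSv1_2: return OP_NO_TLSv1_2;
    }
    throw std::invalid_argument("unknown TlsVersion");
}

// Translate an inclusive [minVersion, maxVersion] range into the mask to pass
// to SSL_CTX_set_options() on an SSLv23_method() context. Every version outside
// the range is switched off; SSLv2 is always off.
uint32_t optionsForRange(TlsVersion minVersion, TlsVersion maxVersion) {
    if (minVersion > maxVersion)
        throw std::invalid_argument("minimum version above maximum version");
    uint32_t mask = OP_NO_SSLv2;
    for (TlsVersion v : kAllVersions) {
        if (v < minVersion || v > maxVersion)
            mask |= noFlagFor(v);
    }
    return mask;
}

// "Negotiate only TLS 1.0" (the semantics Rich argues the TLSv1 constant must
// keep) is the range whose minimum and maximum coincide.
uint32_t optionsForExactly(TlsVersion v) { return optionsForRange(v, v); }

// True if a context configured with `mask` could still negotiate `v`.
bool versionAllowed(uint32_t mask, TlsVersion v) { return (mask & noFlagFor(v)) == 0; }

int main() {
    // Stand-alone demo: show the masks for the two configurations discussed.
    std::printf("exactly TLS 1.0      -> 0x%08x\n", optionsForExactly(TlsVersion::TLSv1_0));
    std::printf("TLS 1.0 .. TLS 1.2   -> 0x%08x\n",
                optionsForRange(TlsVersion::TLSv1_0, TlsVersion::TLSv1_2));
    return 0;
}
```

Note that `optionsForExactly(TLSv1_0)` leaves only the TLS 1.0 bit clear, so the client never offers TLS 1.1/1.2 and never sends the extensions that trip the old accelerators; `optionsForRange(TLSv1_0, TLSv1_2)` clears only the SSLv2/SSLv3 bits and therefore still offers the newer versions.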
