Closed mkrautz closed 9 years ago
This still allows Mumble to connect to servers using TLS 1.0, and Murmur to accept clients that only use TLS 1.0.
Are you sure about that? Last time I looked into it I was pretty sure my finding was that if you tell Qt to use TLSv1.2 for the socket it won't speak anything else on it which would result in backwards compatibility loss.
It is possible.
You have to use OpenSSL options SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 and use q_SSLv23_client_method() or SSLv23_server_method().
Qt provides QSsl::SecureProtols in Qt 5. Since Qt 5.4 (I think?) it means TLS 1.0, TLS 1.1, and TLS 1.2.
For Qt 4, it includes SSLv3 as well, which is bad. (We need SSLv3 to show the backwards incompatibility message ("This server is using an older encryption standard....").
Qt 5 discussion: http://lists.qt-project.org/pipermail/development/2014-December/019550.html
I will probably backport whatever ends up being acceptable to Qt 4 for 1.2.x (if it doesn't take too long for a decision to be made.).
I think QSsl::TlsV1OrGreater would be great for our own Qt 4 code base, though. Thoughts?
New patches:
Qt: https://github.com/mkrautz/mumble-developers-qt/compare/tls_1_2__v4
Mumble: https://github.com/mkrautz/mumble/compare/1.2.x...tls_1_2__v3 (same as before)
Latest patch:
We now only patch Qt, and make the default QSsl::TlsV1 option mean "TLS 1.0 or greater".
https://github.com/mkrautz/mumble-developers-qt/compare/tls_1_2__v6
Merged it into mumble-developers-qt for some snapshot testing....
Fixed in 1.2.9.
I have a patchset that adds TLS 1.2 support to Qt 4, and enables the 1.2.x branch to use it.
It's very unintrusive and I think we should just go ahead.
Comments welcomed.
Mumble 1.2.x patch: https://github.com/mkrautz/mumble/commit/5f62a35792f7c0b4e9f8bc89f9b41ddaf7109e8d
Qt patch: https://github.com/mkrautz/mumble-developers-qt/commit/73e9c4b2fed3c62a522f06fb91b523a3eccb8b58
mumble-releng patch(es): https://github.com/mkrautz/mumble-releng/compare/tls_1_2
For some reason, the above patches will not select any ECDHE-* cipher suites for some reason. (I'll investigate). That works fine in master/qt5.