mumble-voip / mumble

Mumble is an open-source, low-latency, high quality voice chat software.
https://www.mumble.info

RFC: TLS 1.2 for Mumble 1.2.x #1507

Closed mkrautz closed 9 years ago

mkrautz commented 9 years ago

I have a patchset that adds TLS 1.2 support to Qt 4, and enables the 1.2.x branch to use it.

It's very unintrusive and I think we should just go ahead.

Comments welcomed.

Mumble 1.2.x patch: https://github.com/mkrautz/mumble/commit/5f62a35792f7c0b4e9f8bc89f9b41ddaf7109e8d

Qt patch: https://github.com/mkrautz/mumble-developers-qt/commit/73e9c4b2fed3c62a522f06fb91b523a3eccb8b58

mumble-releng patch(es): https://github.com/mkrautz/mumble-releng/compare/tls_1_2

For some reason, the above patches will not select any ECDHE-* cipher suites (I'll investigate). That works fine in master/qt5.

hacst commented 9 years ago

> This still allows Mumble to connect to servers using TLS 1.0, and Murmur to accept clients that only use TLS 1.0.

Are you sure about that? Last time I looked into it I was pretty sure my finding was that if you tell Qt to use TLSv1.2 for the socket it won't speak anything else on it which would result in backwards compatibility loss.

mkrautz commented 9 years ago

It is possible.

You have to use OpenSSL options SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 and use q_SSLv23_client_method() or SSLv23_server_method().

Qt provides QSsl::SecureProtocols in Qt 5. Since Qt 5.4 (I think?) it means TLS 1.0, TLS 1.1, and TLS 1.2.

For Qt 4, it includes SSLv3 as well, which is bad. (We need SSLv3 to show the backwards incompatibility message ("This server is using an older encryption standard....").)

mkrautz commented 9 years ago

Qt 5 discussion: http://lists.qt-project.org/pipermail/development/2014-December/019550.html

I will probably backport whatever ends up being acceptable to Qt 4 for 1.2.x (if it doesn't take too long for a decision to be made).

I think QSsl::TlsV1OrGreater would be great for our own Qt 4 code base, though. Thoughts?

mkrautz commented 9 years ago

New patches:

Qt: https://github.com/mkrautz/mumble-developers-qt/compare/tls_1_2__v3

Mumble: https://github.com/mkrautz/mumble/compare/1.2.x...tls_1_2__v3

mkrautz commented 9 years ago

New patches:

Qt: https://github.com/mkrautz/mumble-developers-qt/compare/tls_1_2__v4

Mumble: https://github.com/mkrautz/mumble/compare/1.2.x...tls_1_2__v3 (same as before)

mkrautz commented 9 years ago

Latest patch:

We now only patch Qt, and make the default QSsl::TlsV1 option mean "TLS 1.0 or greater".

https://github.com/mkrautz/mumble-developers-qt/compare/tls_1_2__v6
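The version-selection rules argued about above (a fixed `TLSv1_2_method` socket speaks only TLS 1.2, while `SSLv23_method` plus `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` gives "TLS 1.0 or greater", and Qt 4's `SecureProtocols` still lets SSLv3 through) are easy to get wrong by reading method names alone. The following is an added illustration written for this page, not code from Mumble, Qt or OpenSSL: a small model of OpenSSL's protocol choice, with the `SSL_OP_*` bit values taken from the OpenSSL 1.0.x headers. The mapping of the QSsl policies to method/options pairs (including the patched "TLS 1.0 or greater" meaning of `QSsl::TlsV1`) is my reading of the thread, not a transcription of Qt's source, and the negotiation is simplified to "highest version both sides allow wins" with SSLv2 left out entirely.

```python
"""Model of OpenSSL / Qt protocol-version selection (added illustration, not project code).

Bit values are the SSL_OP_* macros from OpenSSL 1.0.x <openssl/ssl.h>; the
negotiation is simplified to "highest mutually allowed version", SSLv2 omitted.
"""

SSLv3, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSLv3: "SSLv3", TLS1_0: "TLS 1.0", TLS1_1: "TLS 1.1", TLS1_2: "TLS 1.2"}

SSL_OP_ALL = 0x80000BFF          # bug workarounds only; does not restrict versions
SSL_OP_NO_SSLv2 = 0x01000000
SSL_OP_NO_SSLv3 = 0x02000000
SSL_OP_NO_TLSv1 = 0x04000000
SSL_OP_NO_TLSv1_2 = 0x08000000
SSL_OP_NO_TLSv1_1 = 0x10000000

# Version-specific methods speak exactly one version.
FIXED_METHODS = {"SSLv3_method": SSLv3, "TLSv1_method": TLS1_0,
                 "TLSv1_1_method": TLS1_1, "TLSv1_2_method": TLS1_2}
# For SSLv23_method, each version can be masked out by one SSL_OP_NO_* bit.
NO_VERSION_BIT = {SSLv3: SSL_OP_NO_SSLv3, TLS1_0: SSL_OP_NO_TLSv1,
                  TLS1_1: SSL_OP_NO_TLSv1_1, TLS1_2: SSL_OP_NO_TLSv1_2}


def allowed_versions(method, options=0):
    """Versions an endpoint built with `method` and SSL_CTX_set_options(options) will speak.

    TLSv1_2_method cannot talk to a TLS 1.0-only peer (hacst's concern); SSLv23_method
    speaks every version not masked out by an SSL_OP_NO_* bit (mkrautz's answer).
    """
    if method == "SSLv23_method":
        return frozenset(v for v in NO_VERSION_BIT if not options & NO_VERSION_BIT[v])
    return frozenset({FIXED_METHODS[method]})


def negotiate(client, server):
    """Highest version both sides allow, or None when the handshake would fail."""
    common = client & server
    return max(common) if common else None


# QSsl policies from the thread, mapped to (method, options).  Assumption: this is my
# reading of the discussion, not Qt's source.
QT_POLICIES = {
    "Qt4 TlsV1 (stock)": ("TLSv1_method", 0),
    "TlsV1_2 only": ("TLSv1_2_method", 0),
    "Qt4 SecureProtocols": ("SSLv23_method", SSL_OP_ALL | SSL_OP_NO_SSLv2),
    "Qt5.4 SecureProtocols": ("SSLv23_method", SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3),
    "patched Qt4 TlsV1 (1.0 or greater)": ("SSLv23_method", SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3),
}


def policy_versions(name):
    method, options = QT_POLICIES[name]
    return allowed_versions(method, options)


def describe(versions):
    return ", ".join(VERSION_NAMES[v] for v in sorted(versions)) or "nothing"


if __name__ == "__main__":
    old_server = allowed_versions("TLSv1_method")   # a 1.2.x Murmur before the patch
    for name in QT_POLICIES:
        client = policy_versions(name)
        got = negotiate(client, old_server)
        print(f"{name:36s} offers [{describe(client)}] -> vs TLS 1.0 server: "
              f"{VERSION_NAMES.get(got, 'handshake fails')}")
    # An SSLv3-only peer is exactly what Qt 4's SecureProtocols still accepts.
    print("Qt4 SecureProtocols vs SSLv3-only peer:",
          VERSION_NAMES.get(negotiate(policy_versions("Qt4 SecureProtocols"), {SSLv3}),
                            "handshake fails"))
```

Running it shows why the final patch changes the default `QSsl::TlsV1` rather than switching the socket to `QSsl::TlsV1_2`: the former still reaches an unpatched TLS 1.0 Murmur and negotiates TLS 1.2 against a patched one, whereas the latter fails against every existing 1.2.x server.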

mkrautz commented 9 years ago

Merged it into mumble-developers-qt for some snapshot testing....

mkrautz commented 9 years ago

Fixed in 1.2.9.