Re: [PATCH] secur32/schannel: diabled TLS1.1/1.2 by Default
On Mon, Sep 10, 2012 at 12:14:51AM +0900, Hiroshi Miura wrote:
-Set TLS1.1/1.2 disabled by Default that is same as Windows 7 default.
See registry entry for schannel and control enable/disable tls versions.
It also see grbitEnabledProtocols defined in credentials that take precedence over registry.
I think the regression issue with TLS 1.1/1.2 is the "empty fragments" sending, right? Perhaps we can just disable that and not all of TLS 1.1/1.2? Ciao, Marcus
On 20120910 18:14, Marcus Meissner wrote:
On Mon, Sep 10, 2012 at 12:14:51AM +0900, Hiroshi Miura wrote:
-Set TLS1.1/1.2 disabled by Default that is same as Windows 7 default.
See registry entry for schannel and control enable/disable tls versions.
It also see grbitEnabledProtocols defined in credentials that take precedence over registry. I think the regression issue with TLS 1.1/1.2 is the "empty fragments" sending, right?
Perhaps we can just disable that and not all of TLS 1.1/1.2?
This patch is delivered from wininet problem. That is a problem when client try TLS1.1/1.2 to TLS1.0 only server and fails with SSL version alert. (incompatibility between evernote server/wine-client) A patch for wininet disables problematic TLS1.1/1.2 by default and add interface to enable it. I understand from my short research that 1) Windows see Schannel registry entry to control it. 2) wininet is hoped to re-implement using schannel That's a reason, I propose a patch for schannel for consistency. If you think a behavior is ok, that only wininet is affected from Schannel registry and schannel/winhttp is not configurable, it is easy to reject schennel patch. for "empty fragments", it is workaround for BEAST vulnerbility. It is not straight relation with above. Hiroshi
participants (2)
-
Hiroshi Miura -
Marcus Meissner