On Mon, Sep 10, 2012 at 12:14:51AM +0900, Hiroshi Miura wrote:
-Set TLS1.1/1.2 disabled by Default that is same as Windows 7 default.
See registry entry for schannel and control enable/disable tls versions. It also see grbitEnabledProtocols defined in credentials that take precedence over registry.
I think the regression issue with TLS 1.1/1.2 is the "empty fragments" sending, right?
Perhaps we can just disable that and not all of TLS 1.1/1.2?
Ciao, Marcus
On 20120910 18:14, Marcus Meissner wrote:
On Mon, Sep 10, 2012 at 12:14:51AM +0900, Hiroshi Miura wrote:
-Set TLS1.1/1.2 disabled by Default that is same as Windows 7 default.
See registry entry for schannel and control enable/disable tls versions. It also see grbitEnabledProtocols defined in credentials that take precedence over registry.I think the regression issue with TLS 1.1/1.2 is the "empty fragments" sending, right?
Perhaps we can just disable that and not all of TLS 1.1/1.2?
This patch is delivered from wininet problem. That is a problem when client try TLS1.1/1.2 to TLS1.0 only server and fails with SSL version alert. (incompatibility between evernote server/wine-client)
A patch for wininet disables problematic TLS1.1/1.2 by default and add interface to enable it. I understand from my short research that 1) Windows see Schannel registry entry to control it. 2) wininet is hoped to re-implement using schannel
That's a reason, I propose a patch for schannel for consistency.
If you think a behavior is ok, that only wininet is affected from Schannel registry and schannel/winhttp is not configurable, it is easy to reject schennel patch.
for "empty fragments", it is workaround for BEAST vulnerbility. It is not straight relation with above.
Hiroshi
-
Hiroshi Miura -
Marcus Meissner