On Fri, Dec 26, 2014 at 2:47 PM, Thiago Macieira <thiago.macie...@intel.com> wrote:
>
> On Friday 26 December 2014 13:12:47 Mikkel Krautz wrote:
> > too!). So, the current QSsl::SecureProtocols in Qt 5.4 is fine for our use.
> > But since QSsl::SecureProtocols is a moving target, we're afraid that if we
> > commit to using it, a future Qt 5.x version may remove TLS 1.0 support. That
> > would break backwards compatibility to older Mumble servers and/or clients,
> > so that's a no-no for us.
>
> Suppose a flaw is detected in 1.0 that necessitates everyone to upgrade. Why
> would you not want it?

We definitely wouldn't keep supporting TLS 1.0 in that case. But we would like to still be able to accept connections where the handshake ends up using TLS 1.0. Then we can handle the rejection at the application protocol level, and show an appropriate message to the user and potentially disconnect them immediately. This would be handled through an update to the server software. Clients could be updated with a similar mechanism, too.

If we do it this way, it allows us to display an appropriate message, via the server, even for clients that are not TLS 1.1 or TLS 1.2-aware. (Which is pretty much the whole user base.)

However, if there really is no interest in allowing a finer-grained protocol selection in Qt itself, I suppose we could live with using QSsl::SecureProtocols. That'll at least allow us to add a generic error if a modern client attempts to connect to a server that only allows TLS 1.0. But older clients would, unfortunately, be stuck with a generic handshake error. But in my opinion, that would not be ideal for our users.

> --
> Thiago Macieira - thiago.macieira (AT) intel.com
> Software Architect - Intel Open Source Technology Center
>
> _______________________________________________
> Development mailing list
> Development@qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development
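
The two options weighed in this message, modelled side by side as an added example (not code from the thread, Qt or Mumble): a transport-level floor versus a permissive handshake followed by an application-level gate. All type and function names are hypothetical, and the server is assumed to support up to TLS 1.2; in a Qt server the negotiated version would be read from `QSslSocket::sessionProtocol()` once the handshake completes.

```cpp
#include <algorithm>
#include <string>

// Added illustration; every name here is hypothetical, not Qt or Mumble API.
enum class Tls { V1_0 = 0, V1_1 = 1, V1_2 = 2 };

enum class Outcome {
    HandshakeFailure,    // TLS layer refuses: the peer sees only a generic error
    RejectedWithNotice,  // handshake completes, server sends a message, then disconnects
    Accepted
};

struct Policy {
    Tls transportFloor;  // lowest version the TLS stack will negotiate
    Tls appFloor;        // lowest version the application will actually serve
};

struct Result {
    Outcome outcome;
    std::string notice;  // text delivered to the peer over the application protocol
};

// Assumes the server supports up to TLS 1.2 and that negotiation settles on
// the highest version both sides support.
Result admit(const Policy &p, Tls clientMax) {
    const Tls negotiated = std::min(clientMax, Tls::V1_2);
    if (negotiated < p.transportFloor)
        return {Outcome::HandshakeFailure, ""};  // no channel exists to explain why
    if (negotiated < p.appFloor)
        return {Outcome::RejectedWithNotice,
                "This server no longer accepts your TLS version; please update your client."};
    return {Outcome::Accepted, ""};
}

int main() {
    const Policy transportOnly{Tls::V1_2, Tls::V1_2};  // floor enforced by the TLS stack
    const Policy appLevelGate{Tls::V1_0, Tls::V1_2};   // handshake allowed, session refused
    // A TLS 1.0-only client gets a generic failure under the first policy and a
    // readable notice under the second; a TLS 1.2 client is accepted by both.
    const bool ok =
        admit(transportOnly, Tls::V1_0).outcome == Outcome::HandshakeFailure &&
        admit(appLevelGate, Tls::V1_0).outcome == Outcome::RejectedWithNotice &&
        admit(appLevelGate, Tls::V1_2).outcome == Outcome::Accepted;
    return ok ? 0 : 1;
}
```

Under the second policy the TLS 1.0 handshake still runs to completion before the rejection is sent, so the server should do nothing on that session beyond delivering the notice and closing it.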