aacid added a comment.

  In D16344#348886 <https://phabricator.kde.org/D16344#348886>, @jtamate wrote:
  
  > What protocol does KTcpSocket::SecureProtocols implement (I can't guess it)? If it is the same as QSsl::SecureProtocols <http://doc.qt.io/qt-5/qssl.html>
  
  
  Yes, see ./src/core/ktcpsocket.cpp:89:
  
  > it does:
  > On the client side, this will send a TLS 1.0 Client Hello, enabling TLSv1_0 and SSLv3 connections. On the server side, this will enable both SSLv3 and TLSv1_0 connections.
  > 
  > Shouldn't it try with TLS 1.3 when available and fall back to TLS 1.2, but not lower (for security reasons)?
  
  My opinion is that we should not try to be smarter than Qt here. That involves:
  
  - Trusting them on what "SecureProtocols" means (according to qsslsocket_openssl.cpp I'd say that SecureProtocols is TlsV1_0OrLater, which makes sense to me)
  - Not doing fallbacks "client side" and letting OpenSSL do the actual protocol negotiation by itself
  
  Besides that, AFAICS from my about:config settings in Firefox, the min version it supports is 1, which according to https://support.mozilla.org/en-US/questions/1101896 is TLS 1.0, so supporting less than that seems too aggressive to me at this point. Yes, there may be bugs, but we also need to let people use the web.

REPOSITORY
  R241 KIO

REVISION DETAIL
  https://phabricator.kde.org/D16344

To: aacid
Cc: jtamate, carewolf, dfaure, stikonas, kde-frameworks-devel, michaelh, 
ngraham, bruns

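
The two points argued in the comment above (let the TLS library negotiate in a single handshake from a configured floor, and never retry from the client with a lower version) are easiest to see side by side. The following is an added, self-contained simulation and is not KIO, Qt or OpenSSL code; it models only the version part of a ClientHello/ServerHello exchange, and the attacker is assumed to be able to do nothing more than make a handshake fail (drop or reset it), which is the assumption behind the classic downgrade dance. Version constants are the TLS wire values; function and variable names are this example's own.

```python
# Added example: simulated TLS version negotiation, not KIO/Qt/OpenSSL code.
# Version numbers are the wire values carried in ClientHello/ServerHello.
SSLV3, TLS10, TLS11, TLS12, TLS13 = 0x0300, 0x0301, 0x0302, 0x0303, 0x0304
NAMES = {SSLV3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1",
         TLS12: "TLSv1.2", TLS13: "TLSv1.3"}


def server_choose(client_max, server_min, server_max):
    """Server side of one handshake: take the highest version the ClientHello
    allows that the server also enables; refuse if that is below its floor."""
    chosen = min(client_max, server_max)
    return chosen if chosen >= server_min else None


def handshake(client_min, client_max, server_min, server_max, tamper=None):
    """One ClientHello/ServerHello round trip. `tamper(client_max)` returning
    True means an on-path attacker killed this attempt (assumed attacker model:
    failure injection only). Returns the agreed version or None."""
    if tamper is not None and tamper(client_max):
        return None                       # attempt never completes
    chosen = server_choose(client_max, server_min, server_max)
    if chosen is None or chosen < client_min:
        return None                       # one side refuses: fail closed
    return chosen


def connect_no_fallback(client_min, client_max, server_min, server_max,
                        tamper=None):
    """'Let the library negotiate': one ClientHello advertising the whole
    enabled range [client_min, client_max]; a failure is reported as such,
    never retried with a lower version."""
    return handshake(client_min, client_max, server_min, server_max, tamper)


def connect_with_fallback(client_min, client_max, server_min, server_max,
                          tamper=None):
    """Client-side fallback loop: after any failure, retry with a lower
    maximum until the floor is reached. This is the behaviour that turns an
    attacker who can only cause failures into one who can pick the version."""
    offered = client_max
    while offered >= client_min:
        agreed = handshake(client_min, offered, server_min, server_max, tamper)
        if agreed is not None:
            return agreed
        offered -= 1                      # try again, one version lower
    return None


def drop_above(version):
    """Attacker that kills every handshake offering anything newer than
    `version` and lets the rest through."""
    return lambda client_max: client_max > version


def describe(v):
    return NAMES.get(v, "handshake failed")


if __name__ == "__main__":
    # Constructed scenarios: a modern server (TLS 1.0..1.3), a legacy server
    # that still has SSLv3 on, and a client with either a TLS 1.0 floor
    # (the TlsV1_0OrLater reading of SecureProtocols) or a TLS 1.2 floor.
    modern = (TLS10, TLS13)
    legacy = (SSLV3, TLS13)
    for label, strategy in (("single negotiation", connect_no_fallback),
                            ("client-side fallback", connect_with_fallback)):
        print(f"== {label} ==")
        print(" honest network, floor TLS1.0:",
              describe(strategy(TLS10, TLS13, *modern)))
        print(" attacker drops >TLS1.0, floor TLS1.0:",
              describe(strategy(TLS10, TLS13, *modern, drop_above(TLS10))))
        print(" attacker drops >SSLv3, floor SSLv3, legacy server:",
              describe(strategy(SSLV3, TLS13, *legacy, drop_above(SSLV3))))
        print(" attacker drops >TLS1.0, floor TLS1.2:",
              describe(strategy(TLS12, TLS13, *modern, drop_above(TLS10))))
```

Reading the output: with a single negotiation the attacker can only turn a connection into a failure, whichever floor is set; with a fallback loop the same attacker walks the client down to its floor, and if that floor is SSLv3 (the wording quoted from the Qt documentation above) the connection ends up on SSLv3. Raising the client floor to TLS 1.2 closes the downgrade for either strategy, at the cost of failing against servers that only speak TLS 1.0 or 1.1, which is the trade-off the two sides of the thread are weighing.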