Re: [PATCH] secur32/schannel: disabled TLS1.1/1.2 by Default

On 2012-09-10 18:14, Marcus Meissner wrote:
> On Mon, Sep 10, 2012 at 12:14:51AM +0900, Hiroshi Miura wrote:
>> -Set TLS1.1/1.2 disabled by Default that is
>> same as Windows 7 default.
>>
>> See registry entry for schannel and control
>> enable/disable tls versions.
>>
>> It also see grbitEnabledProtocols defined in
>> credentials that take precedence over registry.
> I think the regression issue with TLS 1.1/1.2 is the "empty fragments"
> sending, right?
>
> Perhaps we can just disable that and not all of TLS 1.1/1.2?

This patch is delivered from a wininet problem. That is a problem when a client tries TLS1.1/1.2 to a TLS1.0-only server and fails with an SSL version alert (incompatibility between the evernote server and the wine client).

A patch for wininet disables the problematic TLS1.1/1.2 by default and adds an interface to enable it.

I understand from my short research that
1) Windows sees the Schannel registry entry to control it.
2) wininet is hoped to be re-implemented using schannel.

That's the reason I propose a patch for schannel, for consistency.

If you think the behavior is OK, that only wininet is affected by the Schannel registry and schannel/winhttp are not configurable, it is easy to reject the schannel patch.

For "empty fragments", it is a workaround for the BEAST vulnerability. It is not directly related to the above.

Hiroshi
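The selection order Hiroshi describes (credential grbitEnabledProtocols over the schannel registry over the Windows 7 default) and the failure against a TLS1.0-only server, as an added Python model; it is not Wine's or Windows' code. The SP_PROT_* values are the real client flags from schannel.h and Enabled/DisabledByDefault are the real value names under SCHANNEL\Protocols, but how they combine here is my assumption, and the version-intolerant server is a constructed stand-in for the server in the thread.

```python
# Added model of the protocol selection order described in the thread:
# credential grbitEnabledProtocols > schannel registry > Windows 7 default.
# SP_PROT_* are the real schannel.h client flags and the value names are the
# real SCHANNEL\Protocols ones; how they combine here is an assumption.

SP_PROT_TLS1_0_CLIENT = 0x80
SP_PROT_TLS1_1_CLIENT = 0x200
SP_PROT_TLS1_2_CLIENT = 0x800

# Ordered lowest to highest version (flag values increase with version).
PROTOCOLS = {"TLS 1.0": SP_PROT_TLS1_0_CLIENT,
             "TLS 1.1": SP_PROT_TLS1_1_CLIENT,
             "TLS 1.2": SP_PROT_TLS1_2_CLIENT}
ALL_CLIENT = sum(PROTOCOLS.values())

# Windows 7 client default as stated in the patch: TLS 1.0 on, 1.1/1.2 off.
WINDOWS7_DEFAULT = SP_PROT_TLS1_0_CLIENT


def enabled_protocols(grbit_enabled_protocols, registry):
    """Bitmask of versions to offer. registry maps a protocol name to its
    {"Enabled": .., "DisabledByDefault": ..} DWORDs; a protocol with no
    entry falls back to the Windows 7 default."""
    if grbit_enabled_protocols:
        # Flags set on the credential take precedence over the registry.
        return grbit_enabled_protocols & ALL_CLIENT
    mask = 0
    for name, flag in PROTOCOLS.items():
        values = registry.get(name)
        if values is None:
            on = bool(WINDOWS7_DEFAULT & flag)
        else:
            on = (values.get("Enabled", 1) != 0
                  and values.get("DisabledByDefault", 0) == 0)
        if on:
            mask |= flag
    return mask


def negotiate(client_mask, server_mask, version_intolerant=False):
    """Negotiated version flag, or None when the handshake fails.
    A conforming server picks the highest common version; the thread's
    failing server is modelled (constructed, not observed) as
    version-intolerant, aborting when the client offers above its max."""
    versions = list(PROTOCOLS.values())
    client_max = max((f for f in versions if client_mask & f), default=0)
    server_max = max((f for f in versions if server_mask & f), default=0)
    if version_intolerant and client_max > server_max:
        return None  # the "SSL version alert" failure from the thread
    common = [f for f in versions if client_mask & f and server_mask & f]
    return common[-1] if common else None
```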
Re: [PATCH] secur32/schannel: disabled TLS1.1/1.2 by Default

On Mon, Sep 10, 2012 at 12:14:51AM +0900, Hiroshi Miura wrote:
> -Set TLS1.1/1.2 disabled by Default that is
> same as Windows 7 default.
>
> See registry entry for schannel and control
> enable/disable tls versions.
>
> It also see grbitEnabledProtocols defined in
> credentials that take precedence over registry.

I think the regression issue with TLS 1.1/1.2 is the "empty fragments" sending, right?

Perhaps we can just disable that and not all of TLS 1.1/1.2?

Ciao, Marcus
Re: [PATCH] secur32/schannel: disabled TLS1.1/1.2 by Default

Hi,

On 2012-09-03 05:21, Henri Verbeet wrote:
> On 2 September 2012 10:58, Hiroshi Miura wrote:
>> -Set TLS1.1/1.2 disabled by Default that is
>> same as Windows 7 default.
>>
> Aside from whether disabling TLS1.1+ is appropriate or not, or if this
> is the right implementation, this patch also add %COMPAT to the
> priority string, which wasn't there before.
>

Thanks. I'd like to rework it and post again.

You may think it needs
1) when wininet/winhttp are configured with schannel registry values, schannel also behaves with this configuration, or
2) in order to prepare for when wininet/winhttp are reimplemented with schannel, schannel also behaves the same.

If not, this work is going to be picked up when it is needed.

Hiroshi
Re: [PATCH] secur32/schannel: disabled TLS1.1/1.2 by Default

On 2 September 2012 10:58, Hiroshi Miura wrote:
>
> -Set TLS1.1/1.2 disabled by Default that is
> same as Windows 7 default.
>

Aside from whether disabling TLS1.1+ is appropriate or not, or if this is the right implementation, this patch also adds %COMPAT to the priority string, which wasn't there before.