On 20120910 18:14, Marcus Meissner wrote:
> On Mon, Sep 10, 2012 at 12:14:51AM +0900, Hiroshi Miura wrote:
>> -Set TLS1.1/1.2 disabled by default, which is
>> the same as the Windows 7 default.
>>
>> See the registry entry for schannel to control
>> enabling/disabling of TLS versions.
>>
>> It also sees grbitEnabledProtocols defined in
>> credentials, which takes precedence over the registry.
> I think the regression issue with TLS 1.1/1.2 is the "empty fragments"
> sending, right?
>
> Perhaps we can just disable that and not all of TLS 1.1/1.2?
This patch is derived from a wininet problem. That is a problem where the client tries TLS1.1/1.2 against a TLS1.0-only server and fails with an SSL version alert (incompatibility between the evernote server and the wine client). A patch for wininet disables the problematic TLS1.1/1.2 by default and adds an interface to enable it.

I understand from my short research that
1) Windows reads the Schannel registry entry to control it.
2) wininet is hoped to be re-implemented using schannel.
That's the reason I propose a patch for schannel, for consistency.

If you think the behavior is ok, that only wininet is affected by the Schannel registry and schannel/winhttp is not configurable, it is easy to reject the schannel patch.

As for "empty fragments", it is a workaround for the BEAST vulnerability. It is not directly related to the above.

Hiroshi
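To make the two mechanisms the thread describes concrete (the SCHANNEL\Protocols registry entries as the default policy, and a non-zero grbitEnabledProtocols in the credentials taking precedence over the registry), here is an added model of that resolution in Python. It is not Wine's code; the registry snapshot is constructed, the Enabled/DisabledByDefault semantics follow Microsoft's Schannel documentation, and the SP_PROT_* values are the client flags from schannel.h.

```python
"""Model of how Schannel picks the client TLS versions to offer."""

# Client-side protocol flags as used in grbitEnabledProtocols (schannel.h).
SP_PROT_TLS1_0_CLIENT = 0x80
SP_PROT_TLS1_1_CLIENT = 0x200
SP_PROT_TLS1_2_CLIENT = 0x800

PROTOCOLS = {
    "TLS 1.0": SP_PROT_TLS1_0_CLIENT,
    "TLS 1.1": SP_PROT_TLS1_1_CLIENT,
    "TLS 1.2": SP_PROT_TLS1_2_CLIENT,
}

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Control\
# SecurityProviders\SCHANNEL\Protocols\<name>\Client, shaped like the
# Windows 7 default the patch mimics: 1.1/1.2 present but off by default.
WIN7_LIKE_REGISTRY = {
    "TLS 1.0": {"Enabled": 1, "DisabledByDefault": 0},
    "TLS 1.1": {"Enabled": 1, "DisabledByDefault": 1},
    "TLS 1.2": {"Enabled": 1, "DisabledByDefault": 1},
}


def effective_client_protocols(registry, grbit_enabled_protocols=0):
    """Return the set of protocol names the client will offer.

    Documented Schannel rules, assumed here:
    - Enabled == 0 disables the protocol; applications cannot re-enable it.
    - DisabledByDefault == 1 omits it unless the application explicitly
      requests it through grbitEnabledProtocols.
    - grbitEnabledProtocols == 0 means "use the system defaults".
    A protocol missing from the registry is treated as enabled and on by
    default (assumption for this model).
    """
    offered = set()
    for name, flag in PROTOCOLS.items():
        entry = registry.get(name, {})
        if entry.get("Enabled", 1) == 0:
            continue  # hard-disabled by policy, credentials cannot override
        if grbit_enabled_protocols:
            # Credentials take precedence over DisabledByDefault.
            if grbit_enabled_protocols & flag:
                offered.add(name)
        elif entry.get("DisabledByDefault", 0) == 0:
            offered.add(name)
    return offered
```

Running it with the Win7-like snapshot and no credential flags yields only TLS 1.0, which is exactly the interoperability profile the thread wants by default; an application passing SP_PROT_TLS1_2_CLIENT still gets TLS 1.2, unless an administrator has set Enabled=0.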