winhttp: disable TLSv1.1/1.2 by default

Hiroshi Miura miurahr at linux.com
Sat Sep 1 02:03:00 CDT 2012


Hi,

 Thanks, André, for pointing to the discussion.

On 2012-08-27 01:56, André Hentschel wrote:
> On 26.08.2012 17:46, Marcus Meissner wrote:
>> On Sun, Aug 26, 2012 at 11:50:15AM +0900, Hiroshi Miura wrote:
>>>
>>>     Windows 7 disables TLSv1.1/1.2 by default.
>>>     This patch intends to behave the same as Windows.
>>
>>
>> Please do not... The newer TLSv1.x fix some shortcomings
>> of the older TLS versions.
>>
>> Is there a specific problem you see?
>>
>> Otherwise, I object.
>>
> 
> It's for http://bugs.winehq.org/show_bug.cgi?id=30598
> So it has its reasons.
> 

Yes, there is a reason to disable TLS 1.1/1.2 by DEFAULT.
It also provides an interface to enable them through a registry entry,
which is the same as Windows does.

I also prefer using TLS 1.1/1.2 over SSL 3.0/TLS 1.0,
but there is an interoperability issue between SSL 3.0/TLS 1.0-only sites and
TLS 1.1/1.2-enabled Wine programs.

In the Evernote case, the client program uses the wininet DLL instead of winhttp.
Even in such a case, the behavior for the registry values should be the same
across the secur32/schannel, wininet, and winhttp DLLs.

I understand that wininet/winhttp have an issue with re-implementing it using
schannel instead of OpenSSL.
That means that if we support disabling/enabling TLS 1.1/1.2 with a
registry entry for Schannel, wininet/winhttp should also have the same
behavior.

We need to add a function that enables/disables TLS 1.1/1.2 in
secur32/schannel according to this registry entry, but I have not implemented it
yet.

The registry entries look like this:
----
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
-----

See http://netsekure.org/2009/10/tls-1-2-in-windiows-7/

Hiroshi


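The message above proposes that Wine's secur32/schannel (and wininet/winhttp on top of it) decide which TLS versions to offer from the SCHANNEL\Protocols registry keys. The following is an added example, not code from the message, from Wine or from Windows: it parses a .reg export like the one posted and evaluates, per protocol and side, what Schannel would do with it. The names parse_reg, protocol_status and default_protocols are this example's own. It assumes the Windows semantics for the two per-protocol DWORD values, Enabled (0 removes the protocol entirely; absent means enabled) and DisabledByDefault (nonzero means the protocol is only used when the application explicitly asks for it), and it takes the post's statement that Windows 7 treats TLS 1.1 and TLS 1.2 as DisabledByDefault when the registry is silent. The sample .reg text is the post's fragment with the mail-wrapped key names rejoined.

```python
# Added example (not Wine's or Windows' code): parse a .reg export and work out
# what Schannel would do for a given protocol and side.
import re

# Root of the per-protocol Schannel settings used in the post.
SCHANNEL_PROTOCOLS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                      r"\SecurityProviders\SCHANNEL\Protocols")

# Constructed sample: the .reg fragment from the post, one key per line.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"""

# Protocols whose DisabledByDefault is taken as 1 when the registry is silent.
# The post states this is the Windows 7 default for TLS 1.1 and TLS 1.2
# (assumption carried over from the post, not verified here).
WIN7_DISABLED_BY_DEFAULT = frozenset({"TLS 1.1", "TLS 1.2"})

_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export.

    Only dword values matter for the Schannel protocol keys, so other value
    types are ignored. Each key must sit on a single line; mail-wrapped key
    names are not repaired here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _DWORD_LINE.match(line)
        if match and current is not None:
            keys[current][match.group(1)] = int(match.group(2), 16)
    return keys


def protocol_status(reg, protocol, side, disabled_by_default=WIN7_DISABLED_BY_DEFAULT):
    """Classify one protocol for one side ("Client" or "Server").

    Assumed Windows semantics of the per-protocol values:
      Enabled == 0            -> "disabled":   never negotiated
      DisabledByDefault != 0  -> "on-request": used only if the application asks
      otherwise               -> "enabled":    offered by default
    A missing key or value falls back to the OS default.
    """
    values = reg.get(f"{SCHANNEL_PROTOCOLS}\\{protocol}\\{side}", {})
    if values.get("Enabled", 1) == 0:
        return "disabled"
    os_default = 1 if protocol in disabled_by_default else 0
    if values.get("DisabledByDefault", os_default) != 0:
        return "on-request"
    return "enabled"


def default_protocols(reg, side, candidates=("SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")):
    """Protocols Schannel would offer by default for a side under this registry."""
    return [p for p in candidates if protocol_status(reg, p, side) == "enabled"]


if __name__ == "__main__":
    print("no .reg applied:  ", default_protocols({}, "Client"))
    print("post's .reg applied:", default_protocols(parse_reg(SAMPLE_REG), "Client"))
```

With an empty registry the client side offers only SSL 3.0 and TLS 1.0, which is the interoperability behavior the post wants by default; applying the posted .reg turns TLS 1.1 and TLS 1.2 into "enabled". Setting Enabled to 0 for a protocol, which the post does not do, is the only way to reach "disabled": DisabledByDefault alone leaves the protocol available to an application that requests it explicitly.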

More information about the wine-devel mailing list