[PATCH] secur32/schannel: diabled TLS1.1/1.2 by Default

Hiroshi Miura miurahr at linux.com
Mon Sep 10 18:25:54 CDT 2012

On 20120910 18:14, Marcus Meissner wrote:
> On Mon, Sep 10, 2012 at 12:14:51AM +0900, Hiroshi Miura wrote:
>>    -Set TLS1.1/1.2 disabled by Default that is
>>     same as Windows 7 default.
>>     See registry entry for schannel and control
>>     enable/disable tls versions.
>>     It also see grbitEnabledProtocols defined in
>>     credentials that take precedence over registry.
> I think the regression issue with TLS 1.1/1.2 is the "empty fragments"
> sending, right?
> Perhaps we can just disable that and not all of TLS 1.1/1.2?

This patch is delivered from wininet problem.
That is a problem when client try TLS1.1/1.2 to TLS1.0 only server
and fails with SSL version alert. (incompatibility between evernote server/wine-client)

A patch for wininet disables problematic TLS1.1/1.2
by default and add interface to enable it.
I understand from my short research that
1) Windows see Schannel registry entry to control it.
2) wininet is hoped to re-implement using schannel

That's a reason, I propose a patch for schannel for consistency.

If you think a behavior is ok, that only wininet is affected from
Schannel registry and schannel/winhttp is not configurable,
it is easy to reject schennel patch.

for "empty fragments", it is workaround for BEAST vulnerbility.
It is not straight relation with above.


More information about the wine-devel mailing list