[PATCH] secur32/schannel: disabled TLS1.1/1.2 by Default
Hiroshi Miura
miurahr at linux.com
Mon Sep 10 18:25:54 CDT 2012
On 20120910 18:14, Marcus Meissner wrote:
> On Mon, Sep 10, 2012 at 12:14:51AM +0900, Hiroshi Miura wrote:
>> -Set TLS 1.1/1.2 disabled by default, which is
>> the same as the Windows 7 default.
>>
>> Look at the Schannel registry entry to control
>> enabling/disabling of TLS versions.
>>
>> It also checks grbitEnabledProtocols defined in
>> the credentials, which takes precedence over the registry.
> I think the regression issue with TLS 1.1/1.2 is the "empty fragments"
> sending, right?
>
> Perhaps we can just disable that and not all of TLS 1.1/1.2?
This patch is derived from a wininet problem.
The problem is that a client trying TLS 1.1/1.2 against a TLS 1.0-only server
fails with an SSL version alert (an incompatibility between the Evernote server and a Wine client).
A patch for wininet disables the problematic TLS 1.1/1.2
by default and adds an interface to enable it.
From my short research I understand that
1) Windows looks at the Schannel registry entry to control it.
2) wininet is hoped to be re-implemented using schannel.
That is the reason I propose a patch for schannel, for consistency.
If you think it is acceptable that only wininet is affected by the
Schannel registry and schannel/winhttp are not configurable,
it is easy to reject the schannel patch.
As for "empty fragments", that is a workaround for the BEAST vulnerability.
It is not directly related to the above.
Hiroshi
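As an added illustration, not code from this patch or from Wine: a small C model of how SCHANNEL_CRED.grbitEnabledProtocols interacts with the Schannel Protocols registry keys the thread refers to, and why a TLS 1.2 ClientHello fails at a TLS 1.0-only server that does not tolerate newer versions. The SP_PROT_* values are the constants from schannel.h. The Enabled/DisabledByDefault semantics follow Microsoft's documentation of those keys (Enabled = 0 wins even over an explicit request; DisabledByDefault = 1 only withholds a protocol until the caller asks for it), which is a narrower rule than "credentials take precedence over the registry". The two registry tables, the "version-intolerant" server and its reuse of the *_CLIENT bits are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Client-side protocol bits, values as defined in Windows' schannel.h. */
#define SP_PROT_SSL3_CLIENT   0x00000020u
#define SP_PROT_TLS1_0_CLIENT 0x00000080u
#define SP_PROT_TLS1_1_CLIENT 0x00000200u
#define SP_PROT_TLS1_2_CLIENT 0x00000800u

/* One HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
 * Protocols\<name>\Client key, reduced to the two DWORDs that matter. */
struct proto_reg {
    uint32_t    bit;                 /* SP_PROT_*_CLIENT bit this key governs  */
    const char *name;                /* key name, for messages only            */
    bool        enabled;             /* "Enabled" != 0 (missing value => true) */
    bool        disabled_by_default; /* "DisabledByDefault" == 1               */
};
enum { N_PROTOS = 4 };

/* Constructed table mirroring a stock Windows 7 client: TLS 1.1/1.2 are
 * present but DisabledByDefault, so only SSL 3.0 / TLS 1.0 are offered. */
const struct proto_reg WIN7_CLIENT_DEFAULTS[N_PROTOS] = {
    { SP_PROT_SSL3_CLIENT,   "SSL 3.0", true, false },
    { SP_PROT_TLS1_0_CLIENT, "TLS 1.0", true, false },
    { SP_PROT_TLS1_1_CLIENT, "TLS 1.1", true, true  },
    { SP_PROT_TLS1_2_CLIENT, "TLS 1.2", true, true  },
};

/* Constructed table for a box where an administrator set TLS 1.2\Client\Enabled = 0. */
const struct proto_reg TLS12_ADMIN_DISABLED[N_PROTOS] = {
    { SP_PROT_SSL3_CLIENT,   "SSL 3.0", true,  false },
    { SP_PROT_TLS1_0_CLIENT, "TLS 1.0", true,  false },
    { SP_PROT_TLS1_1_CLIENT, "TLS 1.1", true,  true  },
    { SP_PROT_TLS1_2_CLIENT, "TLS 1.2", false, true  },
};

/* Effective client protocol mask.  cred_bits is SCHANNEL_CRED.grbitEnabledProtocols:
 * 0 means "let the system choose" (registry defaults apply); a non-zero value is an
 * explicit request that overrides DisabledByDefault but never Enabled = 0. */
uint32_t effective_protocols(uint32_t cred_bits, const struct proto_reg *reg, size_t n)
{
    uint32_t out = 0;
    for (size_t i = 0; i < n; i++) {
        if (!reg[i].enabled)
            continue;                          /* hard-disabled by policy */
        if (cred_bits == 0) {
            if (!reg[i].disabled_by_default)
                out |= reg[i].bit;             /* part of the system default set */
        } else if (cred_bits & reg[i].bit) {
            out |= reg[i].bit;                 /* explicitly requested by the caller */
        }
    }
    return out;
}

/* Record-layer minor version: 3.0 = SSL 3.0, 3.1 = TLS 1.0, ... 3.3 = TLS 1.2. */
static int highest_minor(uint32_t mask)
{
    if (mask & SP_PROT_TLS1_2_CLIENT) return 3;
    if (mask & SP_PROT_TLS1_1_CLIENT) return 2;
    if (mask & SP_PROT_TLS1_0_CLIENT) return 1;
    if (mask & SP_PROT_SSL3_CLIENT)   return 0;
    return -1;
}

static uint32_t bit_for_minor(int minor)
{
    switch (minor) {
    case 3:  return SP_PROT_TLS1_2_CLIENT;
    case 2:  return SP_PROT_TLS1_1_CLIENT;
    case 1:  return SP_PROT_TLS1_0_CLIENT;
    case 0:  return SP_PROT_SSL3_CLIENT;
    default: return 0;
    }
}

/* Minimal model of version negotiation.  The client advertises the highest version in
 * its mask as ClientHello.client_version.  A conforming server picks the highest version
 * it supports that is <= that.  A version-intolerant server (the behaviour the mail
 * reports) aborts with a protocol_version alert when the offered version is not one it
 * supports.  Server masks reuse the *_CLIENT bits for simplicity.  Returns the negotiated
 * minor version, or -1 for an alert. */
int negotiate(uint32_t client_mask, uint32_t server_mask, bool server_version_intolerant)
{
    int hello = highest_minor(client_mask);
    if (hello < 0)
        return -1;                              /* client has nothing enabled */
    if (server_version_intolerant && !(server_mask & bit_for_minor(hello)))
        return -1;                              /* e.g. TLS 1.2 hello at a TLS 1.0-only server */
    for (int v = hello; v >= 0; v--) {
        if (!(server_mask & bit_for_minor(v)))
            continue;                           /* server cannot speak v */
        return (client_mask & bit_for_minor(v)) ? v : -1;  /* client must accept the ServerHello version */
    }
    return -1;                                  /* no common version */
}

int main(void)
{
    uint32_t all  = SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
    uint32_t dflt = effective_protocols(0, WIN7_CLIENT_DEFAULTS, N_PROTOS);
    uint32_t req  = effective_protocols(all, WIN7_CLIENT_DEFAULTS, N_PROTOS);
    uint32_t hard = effective_protocols(all, TLS12_ADMIN_DISABLED, N_PROTOS);
    printf("Win7 defaults, cred=0:        mask 0x%03x, highest 3.%d\n", dflt, highest_minor(dflt));
    printf("Win7 defaults, cred=TLS1.x:   mask 0x%03x, highest 3.%d\n", req, highest_minor(req));
    printf("TLS 1.2 Enabled=0, cred=TLS1.x: mask 0x%03x, highest 3.%d\n", hard, highest_minor(hard));
    /* The reported failure: a TLS 1.2 ClientHello at a version-intolerant TLS 1.0-only server. */
    printf("intolerant TLS1.0 server, TLS1.2 hello:  %d\n", negotiate(req, SP_PROT_TLS1_0_CLIENT, true));
    printf("conforming TLS1.0 server, TLS1.2 hello:  %d\n", negotiate(req, SP_PROT_TLS1_0_CLIENT, false));
    printf("intolerant TLS1.0 server, default hello: %d\n", negotiate(dflt, SP_PROT_TLS1_0_CLIENT, true));
    return 0;
}
```

The three effective_protocols calls show the precedence the thread is arguing about: with cred = 0 the Windows 7 table yields SSL 3.0/TLS 1.0 only, an explicit request lifts TLS 1.1/1.2 past DisabledByDefault, and Enabled = 0 still removes TLS 1.2 from an explicit request. The negotiate calls show that disabling TLS 1.1/1.2 by default only matters against a server that alerts instead of negotiating down.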