secur32: Take schannel backend capabilities into account when configuring enabled protocols.

Jacek Caban jacek at codeweavers.com
Sat Mar 30 10:36:13 CDT 2013


Hi Juan,

On 03/29/13 18:19, Juan Lang wrote:
> Hi Jacek,
>
> thanks for the detailed reply.
>
> On Fri, Mar 29, 2013 at 3:02 AM, Jacek Caban <jacek at codeweavers.com
> <mailto:jacek at codeweavers.com>> wrote:
>
>     Each protocol has two kinds of enable/disable flags: "enabled" and
>     "disabled by default". Those have different default values for
>     each protocol and there are registry settings allowing one to change
>     each of them. Only "enabled" protocols are used at all. This patch
>     limits "enabled" protocols to those that we can really support. If
>     an application asks schannel to use the default set of protocols
>     (which I'd expect them to do unless they have a good reason),
>     schannel will use all "enabled" protocols that are not "disabled
>     by default". An alternative to the default set of protocols is listing
>     each allowed protocol separately.
>
>     This means that if a protocol is "enabled" and "disabled by default"
>     it won't be used unless the application explicitly asks for it. SSL2
>     is such a protocol by default. Do you think we should do this
>     differently?
>
>
> Yes, my suggestion here is to explicitly disable SSL2 support
> altogether. GnuTLS doesn't support it, and having behavior that
> differs between Linux and Mac can be kind of maddening. I can imagine
> something like, "embedded browser doesn't work for game X", with lots
> of "works for me" reports and the occasional "fails here too", only to
> discover that it works on Mac but not Linux. The additional cost of a
> difference in behavior doesn't seem worth it, especially when the
> protocol itself really should have died long ago.

Most of the argument could be used against enabling TLS 1.1 and TLS 1.2,
because it's not present on older Macs (nor enabled by default on
Windows), so we'll have different behaviour. That's sadly something we
have to live with. Anyway, I'm all for trying to avoid using SSL2, but
I'd like to be a bit less extreme. How about this patch:

http://source.winehq.org/patches/data/95298

With this patch, SSL2 will be completely disabled in the default Wine
config, but it will still be possible to enable it via the registry, if
someone really needs it.


Jacek
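The selection rule discussed in this thread (a protocol is used by default only if it is "enabled" and not "disabled by default", an explicitly requested protocol only if it is "enabled", and in either case only if the TLS backend can actually speak it) is modelled below. This is an added illustration written for this page, not Wine's secur32 code or the linked patch. The SP_PROT_*_CLIENT values are the client-side protocol bits from the Windows SDK's schannel.h; the per-protocol default flags, the two hypothetical backend capability masks and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Client-side protocol bits as defined in the Windows SDK's schannel.h. */
#define SP_PROT_SSL2_CLIENT   0x00000008
#define SP_PROT_SSL3_CLIENT   0x00000020
#define SP_PROT_TLS1_0_CLIENT 0x00000080
#define SP_PROT_TLS1_1_CLIENT 0x00000200
#define SP_PROT_TLS1_2_CLIENT 0x00000800

/* One row per protocol with the two registry-style switches the thread
 * describes ("Enabled" and "DisabledByDefault"). The defaults below are an
 * assumption for illustration: SSL2 is enabled but disabled by default, the
 * rest are enabled and used by default. */
struct proto_config {
    const char *name;
    unsigned int bit;
    int enabled;
    int disabled_by_default;
};

static struct proto_config protocols[] = {
    { "SSL 2.0", SP_PROT_SSL2_CLIENT,   1, 1 },
    { "SSL 3.0", SP_PROT_SSL3_CLIENT,   1, 0 },
    { "TLS 1.0", SP_PROT_TLS1_0_CLIENT, 1, 0 },
    { "TLS 1.1", SP_PROT_TLS1_1_CLIENT, 1, 0 },
    { "TLS 1.2", SP_PROT_TLS1_2_CLIENT, 1, 0 },
};
#define NPROTO (sizeof(protocols) / sizeof(protocols[0]))

/* Hypothetical backend capability masks: a GnuTLS-like backend that cannot
 * speak SSL2, and an older backend without TLS 1.1 / TLS 1.2. */
#define BACKEND_NO_SSL2 (SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | \
                         SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT)
#define BACKEND_OLD     (SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | \
                         SP_PROT_TLS1_0_CLIENT)

/* Apply a registry-style override to one protocol. Returns 1 if the name
 * was known, 0 otherwise. Setting enabled = 0 models "completely disabled". */
int set_protocol_flags(const char *name, int enabled, int disabled_by_default)
{
    size_t i;
    for (i = 0; i < NPROTO; i++) {
        if (strcmp(protocols[i].name, name) == 0) {
            protocols[i].enabled = enabled;
            protocols[i].disabled_by_default = disabled_by_default;
            return 1;
        }
    }
    return 0;
}

/* Resolve the protocol mask used for a handshake.
 * requested == 0 means the application asked for the default set (as with
 * grbitEnabledProtocols left at 0): every enabled protocol that is not
 * disabled by default. A non-zero mask lists protocols explicitly; each is
 * honoured only if it is enabled. Both paths are clipped to what the
 * backend supports, so a protocol the backend lacks is never selected. */
unsigned int resolve_protocols(unsigned int requested, unsigned int backend_supported)
{
    unsigned int enabled = 0, defaults = 0;
    size_t i;
    for (i = 0; i < NPROTO; i++) {
        if (!protocols[i].enabled)
            continue;
        enabled |= protocols[i].bit;
        if (!protocols[i].disabled_by_default)
            defaults |= protocols[i].bit;
    }
    if (requested == 0)
        return defaults & backend_supported;
    return requested & enabled & backend_supported;
}

int main(void)
{
    printf("default set, old backend:        0x%08x\n",
           resolve_protocols(0, BACKEND_OLD));
    printf("explicit SSL2, old backend:      0x%08x\n",
           resolve_protocols(SP_PROT_SSL2_CLIENT, BACKEND_OLD));
    printf("explicit SSL2, no-SSL2 backend:  0x%08x\n",
           resolve_protocols(SP_PROT_SSL2_CLIENT, BACKEND_NO_SSL2));
    set_protocol_flags("SSL 2.0", 0, 1); /* registry says Enabled = 0 */
    printf("explicit SSL2 after disabling:   0x%08x\n",
           resolve_protocols(SP_PROT_SSL2_CLIENT, BACKEND_OLD));
    return 0;
}
```

The last two calls show the two outcomes debated above: with SSL2 merely "disabled by default", an application that names it explicitly still gets it on a backend that supports it, and gets nothing at all on a GnuTLS-like backend; flipping "Enabled" off removes it even from explicit requests.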