Hi,
Thanks, André, for pointing out the discussion.
On 2012-08-27 01:56, André Hentschel wrote:
> On 26.08.2012 17:46, Marcus Meissner wrote:
>> On Sun, Aug 26, 2012 at 11:50:15AM +0900, Hiroshi Miura wrote:
>>> Windows 7 disables TLSv1.1/1.2 by default. This patch intends to behave the same as Windows.
>> Please do not... The newer TLSv1.x fix some shortcomings of the older TLS versions.
>> Is there a specific problem you see?
>> Otherwise, I object.
> It's for http://bugs.winehq.org/show_bug.cgi?id=30598 So it has its reason.
Yes, it has a reason to disable TLS 1.1/1.2 by DEFAULT. It also provides an interface to enable them through a registry entry, which is the same as Windows does.
I also prefer to use TLS 1.1/1.2 rather than the earlier SSL3.0/TLS1.0, but there is an interoperability issue between SSL3.0/TLS 1.0-only sites and Wine programs with TLS1.1/1.2 enabled.
In the Evernote case, the client program uses the wininet dll instead of winhttp. Even in such a case, the behavior for the registry values should be the same in the secur32/schannel, wininet, and winhttp dlls.
I understand that wininet/winhttp has an issue to re-implement it using schannel instead of openssl. It means that if we support disabling/enabling TLS1.1/1.2 with a registry entry for Schannel, wininet/winhttp should also have the same behavior.
We need to add a function that enables/disables TLS1.1/1.2 in secur32/schannel according to this registry, but I have not implemented it yet.
The registry entries are like this:
----
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
-----
see http://netsekure.org/2009/10/tls-1-2-in-windiows-7/
Hiroshi
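
The registry-driven default described in the message above, as an added example that is not part of the original post and is not Wine code: a portable C function that applies `.reg`-format text to the default protocol set and returns what ends up enabled for one role. The bit values, the name `enabled_protocols`, the sample data and the assumption that SSL 3.0 and TLS 1.0 start out enabled are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define HKLM_SP    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\"
#define PROTO_ROOT "SCHANNEL\\Protocols\\"
#define VALUE      "\"DisabledByDefault\"=dword:"
/* Bit values are constructed for this example, not Schannel's own constants. */
enum { P_SSL3 = 1, P_TLS10 = 2, P_TLS11 = 4, P_TLS12 = 8 };
static const struct { const char *name; unsigned bit; } protos[] = {
    { "SSL 3.0", P_SSL3 }, { "TLS 1.0", P_TLS10 }, { "TLS 1.1", P_TLS11 }, { "TLS 1.2", P_TLS12 },
};

/* Constructed sample: turn TLS 1.2 on and TLS 1.0 off for the client role only. */
static const char SAMPLE_REG[] =
    "Windows Registry Editor Version 5.00\r\n\r\n"
    HKLM_SP PROTO_ROOT "TLS 1.2\\Client]\r\n" VALUE "00000000\r\n"
    HKLM_SP PROTO_ROOT "TLS 1.0\\Client]\r\n" VALUE "00000001\r\n";

/* Protocol mask for one role ("Client" or "Server") after applying .reg text. */
unsigned enabled_protocols(const char *reg, const char *role)
{
    unsigned mask = P_SSL3 | P_TLS10, cur = 0; /* TLS 1.1/1.2 off by default; cur = key in scope */
    size_t i, rlen = strlen(role);
    while (reg && *reg) {
        const char *eol = strchr(reg, '\n');
        size_t len = eol ? (size_t)(eol - reg) : strlen(reg);
        const char *p = (*reg == '[') ? strstr(reg, PROTO_ROOT) : NULL;
        if (*reg == '[') cur = 0;        /* every new key resets the selection */
        if (p && p < reg + len) {        /* key under ...\Protocols\ on this line */
            p += strlen(PROTO_ROOT);
            for (i = 0; i < sizeof protos / sizeof *protos; i++) {
                size_t n = strlen(protos[i].name);
                if (!strncmp(p, protos[i].name, n) && p[n] == '\\' &&
                    !strncmp(p + n + 1, role, rlen) && p[n + 1 + rlen] == ']')
                    cur = protos[i].bit;
            }
        } else if (cur && !strncmp(reg, VALUE, sizeof(VALUE) - 1)) {
            if (strtoul(reg + sizeof(VALUE) - 1, NULL, 16)) mask &= ~cur;  /* non-zero: off */
            else mask |= cur;                                              /* zero: on */
        }
        reg = eol ? eol + 1 : reg + len;
    }
    return mask;
}

int main(void)
{
    printf("client=0x%x\n", enabled_protocols(SAMPLE_REG, "Client"));
    return 0;
}
```

Because the key path is matched together with the role, a `Client` override leaves the `Server` set untouched, which is the per-role behaviour the registry layout above implies.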