← Back to team overview

linuxdcpp-team team mailing list archive

  1. linuxdcpp-team team
  2. Mailing list archive
  3. Message #08219

[Bug 1381314] Re: Support TLS 1.1 and TLS 1.2

  Thread PreviousDate PreviousThread Next 
** Changed in: dcplusplus
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1381314

Title:
  Support TLS 1.1 and TLS 1.2

Status in DC++:
  Fix Committed

Bug description:
  Conveniently, all the code for this already exists in DC++. I even
  heard other DC clients support TLS 1.1 and 1.2 by now.

  I'll just quote from https://www.dfranke.us/posts/2014-10-14-how-
  poodle-happened.html regarding the SSLv3 vulnerability (to which DC++
  is immune, not supporting SSLv3):

  The only correct way to fix POODLE is to disable SSL v3.0 altogether.

  I think that last sentence will be mostly uncontroversial. Now,
  though, I am going to step onto my soapbox and say: disabling SSL v3.0
  does not go far enough. It is time to aggressively deprecate as many
  old versions of TLS as possible. POODLE is not a one-off. It exploits
  a known mistake that has bitten us before. Many more similar mistakes
  still exist in TLS v1.0, and some time very soon one of them is going
  to bite us again.

  Every revision of TLS contains fixes for dangerous errors committed by
  earlier versions. TLS v1.0 dictates the format of padding, preventing
  POODLE. v1.1 gets rid of IV-chaining, preventing BEAST. v1.2
  introduces support for AEAD ciphersuites, providing an alternative to
  the dangerous MAC-then-encrypt construct. TLS v1.3 will eliminate the
  RSA handshake protocol[29], which lacks forward secrecy.

  ...

  It’s time to put the cryptographic mistakes of the ’90s behind us.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1381314/+subscriptions

References

  Thread PreviousDate PreviousThread Next