
Re: [Pan-users] [feature-request] Implement newer TLS Version in neawsre


From: Petr Kovar
Subject: Re: [Pan-users] [feature-request] Implement newer TLS Version in newsreader pan?
Date: Mon, 24 Jul 2017 22:02:44 +0200

On Thu, 6 Jul 2017 19:40:58 +0200
Detlef Graef <address@hidden> wrote:

> On 06.07.2017 at 04:30, Duncan wrote:
> > Duncan posted on Thu, 06 Jul 2017 01:14:18 +0000 as excerpted:
> > 
> >> FWIW I think the optimum, if it's not too difficult to achieve, would be
> >> to let it be auto-negotiated, of course favoring the newer versions if
> >> the server supports them as well.  If getting the negotiation right is
> >> too difficult, I'd suggest making it configurable, at /least/ via file,
> >> but of course I'd personally prefer gui.
> > 
> > Thinking about it a bit more...
> > 
> > Even better would be auto-negotiation, but with a configured minimum 
> > version, which would of course default to 1.0 for backward compatibility, 
> > but users could up that to 1.3 or whatever if they knew their provider 
> > supported it.  Then if pan couldn't negotiate the configured minimum, 
> > instead of falling back to something less secure it'd hard-fail.
> > 
> > Then the configuration could be servers.xml only without either 
> > regression if only the existing 1.0 was server-supported, or too big a 
> > security compromise if higher was, because the auto-negotiation would 
> > then get that, for gui-only users.
> > 
> > I believe that'd be my ideal, with gui or no-gui config left up to a vote 
> > here or the person doing the patch, I guess.
> 
> The GnuTLS library does auto-negotiation.
> 
> It is possible to set the TLS version to "VERS-TLS-ALL" then the TLS
> version is auto-negotiated. Other parameters can be set too.
> 
> For a quick test I have replaced line number 813 in the file
> socket-impl-openssl.cc with the following line:
> 
> 
> "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+COMP-ALL:+KX-ALL:+SIGN-ALL:+CURVE-ALL:+CTYPE-ALL:+MAC-ALL",
>  NULL);
> 
> This enables all TLS versions (1.0, 1.1, 1.2) and all other options.
> 
> See: https://gnutls.org/manual/html_node/Priority-Strings.html
> 
> After building Pan with gnu-tls option enabled everything seems to work
> in my setup.

Detlef's patch addressing this landed in master yesterday. Please test it
and report back should there be any secure connection issues.

Thanks!

Cheers,
pk
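Duncan's configured-minimum idea and the priority string in Detlef's patch, expressed as an added Python sketch (not Pan's code, which hands such a string to GnuTLS from C++): it builds the priority string for a given minimum version, so that versions below it are never offered and the handshake fails rather than downgrades, and it simulates how GnuTLS reads the version keywords, including rejecting an element that lacks its "+"/"-" modifier. The function names are mine, and the VERS-TLS1.3 keyword assumes a GnuTLS release that implements TLS 1.3.

```python
from typing import List

# GnuTLS keywords for the individual TLS protocol versions, oldest first.
# VERS-TLS1.3 is only understood by GnuTLS releases that implement TLS 1.3
# (an assumption about the linked library; the thread itself lists 1.0-1.2).
TLS_VERSION_KEYWORDS = ["VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2", "VERS-TLS1.3"]

# The non-version categories from the priority string quoted in the thread.
OTHER_CATEGORIES = ["CIPHER-ALL", "COMP-ALL", "KX-ALL", "SIGN-ALL",
                    "CURVE-ALL", "CTYPE-ALL", "MAC-ALL"]


def priority_for_minimum(min_version: str) -> str:
    """Build a priority string that lets GnuTLS auto-negotiate any version at
    or above min_version (e.g. "1.2"). Versions below the minimum are never
    enabled, so a server offering only those fails the handshake instead of
    silently downgrading: the hard-fail behaviour asked for in the thread."""
    keyword = "VERS-TLS" + min_version
    if keyword not in TLS_VERSION_KEYWORDS:
        raise ValueError(f"unsupported minimum TLS version: {min_version!r}")
    allowed = TLS_VERSION_KEYWORDS[TLS_VERSION_KEYWORDS.index(keyword):]
    elements = ["NONE"] + ["+" + v for v in allowed] + ["+" + c for c in OTHER_CATEGORIES]
    return ":".join(elements)


def enabled_versions(priority: str) -> List[str]:
    """Simulate the protocol-version part of GnuTLS priority parsing.
    The leading level keyword seeds the set ("NONE" starts empty; any other
    level is assumed here to start with every version, ignoring per-release
    defaults), then "+" adds and "-"/"!" remove versions. An element with no
    modifier is rejected, as GnuTLS rejects it. Returns versions oldest first."""
    elements = priority.split(":")
    enabled = set() if elements[0] == "NONE" else set(TLS_VERSION_KEYWORDS)
    for element in elements[1:]:
        if element.startswith("%"):      # %OPTIONS such as %SERVER_PRECEDENCE
            continue
        if not element.startswith(("+", "-", "!")):
            raise ValueError(f"{element!r} lacks a +, - or ! modifier")
        op, name = element[0], element[1:]
        if name == "VERS-TLS-ALL":
            targets = set(TLS_VERSION_KEYWORDS)
        elif name in TLS_VERSION_KEYWORDS:
            targets = {name}
        else:
            continue                     # ciphers, MACs, etc. are not modelled
        enabled = (enabled | targets) if op == "+" else (enabled - targets)
    return [v for v in TLS_VERSION_KEYWORDS if v in enabled]
```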
