Disable SSLv3 for QT < 5.5 #7359

pull esainane wants to merge 1 commit into bitcoin:master from esainane:patch-1 changing 1 file +18 −5
  1. esainane commented at 1:19 AM on January 17, 2016: none

    TLSv1.0 or later was already required for QT5.5 or later.

  2. Disable SSLv3 for QT < 5.5
    TLSv1.0 or later was already required for QT5.5 or later.
    06bf523225
  3. jonasschnelli added the label GUI on Jan 17, 2016
  4. jonasschnelli commented at 8:26 AM on January 17, 2016: contributor

    Thanks. Makes sense. utACK.

  5. paveljanik commented at 8:42 AM on January 17, 2016: contributor

    What about compile-time with 5.5 and runtime <5.5?

  6. MarcoFalke commented at 9:01 AM on January 17, 2016: member

    utACK 06bf523

    > What about compile-time with 5.5 and runtime <5.5?

    Is this even possible?

  7. esainane commented at 9:03 AM on January 17, 2016: none

    QT delegates to openssl. SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) and similar functions would be runtime calls. If there is a way to improve upon the (current, with minimal overhead) library calls made for >=5.5, I am not aware of it.

  8. in src/qt/bitcoin.cpp in 06bf523225
     547 | +        // Because of the POODLE attack it is recommended to disable SSLv3 (https://disablessl3.com/),
     548 | +        // so set SSL protocols to TLS1.0+.
     549 | +        sslconf.setProtocol(QSsl::TlsV1_0OrLater);
     550 | +#else
     551 | +        // QT versions prior to 5.5 do not have the flag for saying "TLSv1 or later" (https://bugreports.qt.io/browse/QTBUG-43168)
     552 | +        // We don't have enum values for 1.1 or 1.2, nor for whatever may come next, so we must manually go through the list and strip anything from SSLv3 or earlier
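    Review bot: the second comment in the `#else` branch says the cipher list will be walked and "anything from SSLv3 or earlier" stripped, but removing ciphers whose tag is the SSLv3 introduction version does not stop a peer from negotiating the SSLv3 protocol with one of the ciphers that remain; the protocol restriction the `#if` branch gets from `sslconf.setProtocol(QSsl::TlsV1_0OrLater)` has no counterpart in the `#else` branch as shown. Suggest also calling `sslconf.setProtocol(...)` in the `#else` branch with whatever pre-5.5 value excludes SSLv3, or, if no such value fits those versions, stating in the comment that pre-5.5 builds stay exposed to the attack described in the first comment rather than implying the cipher loop closes it. The loop itself is not part of this hunk, so its actual behaviour cannot be checked here.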
    


    laanwj commented at 9:17 AM on January 18, 2016:

    AFAIK this doesn't work: disabling pre-TLSv1 ciphers is orthogonal to disabling the pre-TLSv1 protocols. The ciphers are tagged with the protocol version in which they were introduced, but it isn't the ciphers that are insecure but the protocol itself. So from what I understand this will reduce the choices of cipher arbitrarily to recent ones, possibly causing incompatibilities, but will not prevent SSLv3 related attacks.
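The distinction laanwj draws in the comment above (a cipher's tag records the protocol version it was introduced in, so dropping low-tagged ciphers does not stop the SSLv3 protocol from being negotiated with one of the remaining ciphers), as an added toy model. This is not Qt or OpenSSL code and not from the PR: the version constants, the two-entry cipher table and the negotiate() rules are constructed for illustration.

```python
"""Toy model of protocol and cipher selection in a TLS-style handshake.
Constructed for illustration: version numbers, cipher tags and the
negotiate() rules are a simplified model, not Qt or OpenSSL behaviour."""
from dataclasses import dataclass

SSLV3, TLS1_0, TLS1_2 = 0x0300, 0x0301, 0x0303   # ordered protocol versions
SERVER_MAX_VERSION = TLS1_2

# Constructed cipher table: name -> version the cipher was introduced in.
# As the thread describes, the tag is a historical label; in this model it
# does not prevent the cipher being used inside an older-protocol session.
CIPHERS = {"RC4-SHA": SSLV3, "AES128-SHA": TLS1_0}

@dataclass(frozen=True)
class ServerConfig:
    min_protocol: int            # lowest version the server will accept
    allowed_ciphers: frozenset   # cipher names the server offers

def strip_pre_tls_ciphers(ciphers=None):
    """The pre-Qt-5.5 idea from the PR: drop ciphers tagged SSLv3 or older."""
    table = CIPHERS if ciphers is None else ciphers
    return frozenset(n for n, tag in table.items() if tag >= TLS1_0)

def negotiate(client_max_version, client_ciphers, server):
    """Return (version, cipher) for a successful handshake, else None.
    Version = highest both sides support; cipher = first client preference
    the server allows.  The cipher tag plays no part in the version choice."""
    version = min(client_max_version, SERVER_MAX_VERSION)
    if version < server.min_protocol:
        return None                      # protocol refused outright
    for name in client_ciphers:
        if name in server.allowed_ciphers:
            return version, name
    return None                          # no cipher in common

def compare(client_max_version, client_ciphers):
    """Run one client against both defences: cipher filtering alone
    (min_protocol left at SSLv3) versus a real protocol floor."""
    cipher_filter = ServerConfig(SSLV3, strip_pre_tls_ciphers())
    protocol_floor = ServerConfig(TLS1_0, frozenset(CIPHERS))
    return {
        "cipher_filter_only": negotiate(client_max_version, client_ciphers, cipher_filter),
        "protocol_floor": negotiate(client_max_version, client_ciphers, protocol_floor),
    }

if __name__ == "__main__":
    # Downgraded-to-SSLv3 client (POODLE scenario): cipher filter still handshakes.
    print(compare(SSLV3, ["AES128-SHA", "RC4-SHA"]))
    # TLS client offering only the old cipher: refused by the filter, not the floor.
    print(compare(TLS1_2, ["RC4-SHA"]))
```

Running it shows the SSLv3-downgraded client still completing a handshake with the cipher-filtered server, while a TLS-capable client that offers only the older cipher is refused by the filter although its protocol is fine, which is the incompatibility cost laanwj mentions.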

  9. laanwj commented at 12:13 PM on January 18, 2016: member

    > What about compile-time with 5.5 and runtime <5.5? Is this even possible?

    No, this is not allowed. It is possible to use a newer library than the headers in most cases, but never an older.

  10. laanwj commented at 1:17 PM on January 20, 2016: member

    Closing, as I'm not convinced that this is effective (see my comment above).

  11. laanwj closed this on Jan 20, 2016

  12. DrahtBot locked this on Sep 8, 2021


This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-21 18:15 UTC
