toolsvef.blogg.se

Best tls versions














Note that it’s best to actually upgrade your clients & servers to support TLSv1.2. To allow things on per-app/per-user/per-daemon basis. However, you can also create that as a separate config file and use the environment variable OPENSSL_CONF = /path/to/patched/seclevel1-openssl.cnf and use that in individual service units, daemons, apps. This is a diff against stock /etc/ssl/openssl.cnf which is the default system-wide config file which will be parsed by openssl. And how default_conf sections are appended at the end. +CipherString = how the openssl_conf stanza has to be at the very top of the file, without a section. Oid_section = -349,3 +351,11 = sha1 # algorithm to compute certificate

Use at your own risk of getting hacked and all of your private data stolen. NB! This significantly decreases security & privacy and enables protocols and key sizes that are no longer deemed secure, and must not be used in production any more.

This should be no issue since they were deprecated some years ago, but some in-house CA might still use them. Another possibility would be to undefine unsupported TLS versions so that compiling software that uses invalid configuration fails.

Another side note: In Ubuntu 20.04 it is also impossible by default to use “sha1” certificates. My suggestions would be to change the default QSslConfiguration to Tls1_2OrLater (if not already) and append to the cipher string if TLS1_0 or TLS1_1 is requested. Since Ubuntu changed defaults I do not expect Qt to fix this upstream.


It gives you a nice socket error -1 (Qt does not know how to handle the error thrown by OpenSSL).


That gives the strange situation where the Qt API lets you force the TLS version to 1.0 but in that case you essentially break everything. This disables TLS < 1.2 in Qt since there is no way (I checked the source code, they make it impossible) to change the security level/cipher string.


Also the default security level of 1 was raised to 2. Contrary to the default in Ubuntu 20.04, TLS 1.0 and 1.1 are only allowed on security level <2 instead of <4. I’m sure the blog post will explain the technical details but essentially in OpenSSL you can enable TLS versions and additionally there is a concept of security levels. Like many I was also hit by the seclevel change.
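To find hosts or service units that still run with such a lowered configuration, the following added example (not part of the original post) audits openssl.cnf-style text for a `MinProtocol` below TLSv1.2 or a `CipherString` that drops the security level below 2. The section names `ssl_sect` and `system_default_sect` and all sample configs are constructed assumptions; only `default_conf`, `openssl_conf` and `CipherString` are named above.

```python
import re
# Protocol names accepted by OpenSSL's MinProtocol command, oldest first.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_cnf(text):
    """Parse into {section: {key: value}}; keys before any [section] go under ""."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit(text):
    """Return findings for settings that re-enable TLS < 1.2 or SECLEVEL < 2."""
    cfg = parse_cnf(text)
    root = cfg[""].get("openssl_conf")
    if root is None:
        return ["openssl_conf is not set at the top of the file"]
    # Follow openssl_conf -> ssl_conf -> system_default to the defaults section.
    ssl_sect = cfg.get(root, {}).get("ssl_conf")
    defaults = cfg.get(cfg.get(ssl_sect, {}).get("system_default"), {})
    findings = []
    proto = defaults.get("MinProtocol")
    if proto in PROTOCOLS and PROTOCOLS.index(proto) < PROTOCOLS.index("TLSv1.2"):
        findings.append(f"MinProtocol {proto} is below TLSv1.2")
    level = re.search(r"@SECLEVEL=(\d)", defaults.get("CipherString", ""))
    if level and int(level.group(1)) < 2:
        findings.append(f"CipherString lowers SECLEVEL to {level.group(1)}")
    return findings

# Constructed samples; section names other than default_conf are assumptions.
WEAKENED = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
"""
HARDENED = WEAKENED.replace("TLSv1\n", "TLSv1.2\n").replace("SECLEVEL=1", "SECLEVEL=2")
MISPLACED = "[default_conf]\n" + HARDENED  # openssl_conf now sits inside a section
```

Run `audit()` over the system-wide file and over any file referenced through `OPENSSL_CONF` in a service unit, since a per-service override is not visible in `/etc/ssl/openssl.cnf`.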














