Bug 765940 - Remove insecure TLS protocol version fallback support
Status: RESOLVED FIXED
Product: libsoup
Classification: Core
Component: HTTP Transport
Version: 2.54.x
Hardware/OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: libsoup-maint@gnome.bugs
QA Contact: libsoup-maint@gnome.bugs
Depends on:
Blocks:
Reported: 2016-05-03 12:40 UTC by Michael Catanzaro
Modified: 2017-05-09 14:16 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Michael Catanzaro 2016-05-03 12:40:23 UTC
glib-networking supports insecure TLS protocol version fallback for compatibility with broken TLS servers. Recently Firefox [1] and now Chrome [2] have both removed support for these broken servers, and it's time to do so in WebKit as well. I think it's surely safe for libsoup to do this, as any affected HTTP servers are already inaccessible with major browsers. That way we won't need any changes in WebKit, and anything using libsoup will benefit. If we had this we would not have been vulnerable to e.g. the POODLE attack.

We really ought to remove insecure protocol version fallback from glib-networking, where it's implemented. But I suppose that is more likely to break something.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=583787#
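The downgrade the report alludes to (POODLE) is possible only because a client that retries a failed handshake at a lower protocol version lets whoever can interrupt the first handshake pick the version. The following simulation is an added example, not libsoup or glib-networking code; the version table, the class and function names, the attacker model and the legacy-server model are all constructed for illustration. It contrasts the fallback loop this bug removes with the strict single-attempt behaviour that replaces it, shows the version-intolerant legacy server that fallback existed for, and models the TLS_FALLBACK_SCSV signal from RFC 7507 that lets a server reject a fallback retry.

```python
"""Model of TLS protocol-version fallback and the downgrade it enables.

Constructed simulation for illustration; none of this is libsoup code.
"""
from dataclasses import dataclass
from typing import Optional

# Protocol versions, newest first.  A lower index means a newer version.
VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3"]


def rank(version: str) -> int:
    return VERSIONS.index(version)


class HandshakeFailure(Exception):
    """Raised when a handshake attempt is aborted for any reason."""


@dataclass
class Server:
    max_version: str
    # Broken legacy servers abort when offered a version newer than they know.
    version_intolerant: bool = False
    # RFC 7507: reject a retry that signals fallback below what we support.
    honours_fallback_scsv: bool = False

    def handshake(self, client_max: str, fallback_scsv: bool) -> str:
        if rank(client_max) < rank(self.max_version):  # client is newer
            if self.version_intolerant:
                raise HandshakeFailure("protocol_version")
            negotiated = self.max_version
        else:
            negotiated = client_max
        # The client says it is retrying lower, yet we support something newer:
        # an attacker must have interfered with the earlier attempt.
        if (self.honours_fallback_scsv and fallback_scsv
                and rank(negotiated) > rank(self.max_version)):
            raise HandshakeFailure("inappropriate_fallback")
        return negotiated


@dataclass
class Network:
    """Path to the server.  An active attacker on the path may drop every
    handshake newer than `attacker_blocks_newer_than` (constructed model)."""
    server: Server
    attacker_blocks_newer_than: Optional[str] = None

    def send_hello(self, client_max: str, fallback_scsv: bool) -> str:
        blocked = self.attacker_blocks_newer_than
        if blocked is not None and rank(client_max) < rank(blocked):
            raise HandshakeFailure("connection reset")  # handshake dropped
        return self.server.handshake(client_max, fallback_scsv)


def connect_with_fallback(net: Network) -> str:
    """Old behaviour: on any failure, retry one protocol version lower.
    A retry (i > 0) carries TLS_FALLBACK_SCSV so compliant servers can
    detect it; the attacker, however, can still steer a non-SCSV server."""
    for i, version in enumerate(VERSIONS):
        try:
            return net.send_hello(version, fallback_scsv=(i > 0))
        except HandshakeFailure:
            continue
    raise HandshakeFailure("no version accepted")


def connect_strict(net: Network, client_max: str = "TLS1.2") -> str:
    """Fixed behaviour: one attempt at the client's best version; fail closed."""
    return net.send_hello(client_max, fallback_scsv=False)


def negotiated(connect, net: Network) -> str:
    """Return the negotiated version or 'FAILED' for the given client policy."""
    try:
        return connect(net)
    except HandshakeFailure:
        return "FAILED"


if __name__ == "__main__":
    honest = Network(Server("TLS1.2"))
    mitm = Network(Server("TLS1.2"), attacker_blocks_newer_than="SSL3")
    scsv = Network(Server("TLS1.2", honours_fallback_scsv=True),
                   attacker_blocks_newer_than="SSL3")
    legacy = Network(Server("TLS1.0", version_intolerant=True))
    for name, net in [("honest", honest), ("mitm", mitm),
                      ("mitm+scsv", scsv), ("legacy", legacy)]:
        print(f"{name:10} fallback={negotiated(connect_with_fallback, net):7}"
              f" strict={negotiated(connect_strict, net)}")
```

Against an honest server both policies reach TLS 1.2. With an attacker dropping every handshake above SSL 3, the fallback client cheerfully ends up on SSL 3 while the strict client fails closed, which is exactly the trade the bug asks for. The SCSV row shows the server-side mitigation that was deployed while clients still had fallback, and the legacy row shows the version-intolerant server that fallback was originally added to reach: after the fix it is simply unreachable, as the report notes is already the case with major browsers.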
Comment 1 Dan Winship 2016-05-03 18:13:06 UTC
Yup