gajim / python-nbxmpp / Issues / #17

Closed
Created Jan 27, 2014 by fedor.brunner@fedor.brunner

Ability to configure minimal supported TLS protocol version

problem

Currently python-nbxmpp supports TLS 1.0, TLS 1.1 and TLS 1.2. But it doesn't allow restricting connections to only the newest TLS 1.2 for XMPP servers which support this protocol.

According to statistics from https://xmpp.net/, 59.9% of public XMPP servers already support TLS 1.2.

analysis

TLS 1.2 compared with TLS 1.1 provides more security, for example if we take into account the changes made to the PRF and the key derivation process, or the replacement of the MD5/SHA-1 combination in the digitally-signed element.

http://www.carbonwind.net/blog/post/Random-SSLTLS-101%E2%80%93SSLTLS-version-rollbacks-and-browsers.aspx

This also has implications for the future implementation of SCRAM-SHA-1-PLUS in Gajim #16 (closed), because the TLS channel binding depends on the PRF used to calculate the hash of the TLS handshake messages.

enhancement recommendation

Add a configuration option tls_version. This option configures the lowest supported version of the TLS protocol to be used for the connection.

  • Value 1.0 means use TLS 1.0, TLS 1.1, TLS 1.2 and all further protocol versions.
  • Value 1.1 means use TLS 1.1, TLS 1.2 and all further protocol versions.
  • Value 1.2 means use TLS 1.2 and all further protocol versions.
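The following is an added example of how the proposed tls_version floor maps onto Python's standard ssl module; it is not python-nbxmpp's own code and does not reflect how the project implemented the option. The option values ("1.0", "1.1", "1.2") follow the list above; "1.3" is included because "all further protocol versions" is what the proposal asks for. The helper names make_client_context, allowed_versions, describe_context and check_negotiated are assumptions made for this example, as is the use of ssl.SSLContext.minimum_version (Python 3.7 and later).

```python
import ssl
import warnings

# Allowed values of the proposed tls_version option, lowest floor first.
# TLS 1.3 did not exist when this issue was filed; it is listed because
# "and all further protocol versions" is exactly what the proposal asks for.
_VERSIONS = ["1.0", "1.1", "1.2", "1.3"]

# Option value -> floor understood by ssl.SSLContext.minimum_version (Python 3.7+).
_FLOOR = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}

# Option value -> the name SSLSocket.version() / SSLObject.version() report.
_NAMES = {"1.0": "TLSv1", "1.1": "TLSv1.1", "1.2": "TLSv1.2", "1.3": "TLSv1.3"}


def _validate(tls_version):
    """Reject anything that is not one of the documented option values."""
    if tls_version not in _FLOOR:
        raise ValueError(
            f"unsupported tls_version {tls_version!r}; expected one of "
            + ", ".join(_VERSIONS))
    return tls_version


def allowed_versions(tls_version):
    """Protocol versions a floor of `tls_version` lets the client negotiate.

    '1.2' -> ['TLSv1.2', 'TLSv1.3']: TLS 1.2 and everything newer, nothing older.
    """
    _validate(tls_version)
    return [_NAMES[v] for v in _VERSIONS[_VERSIONS.index(tls_version):]]


def make_client_context(tls_version="1.2", cafile=None):
    """Build a client SSLContext whose lowest accepted protocol is `tls_version`.

    PROTOCOL_TLS_CLIENT keeps certificate verification and hostname checking
    on; the floor only removes old versions, it never loosens anything else.
    """
    _validate(tls_version)
    if tls_version in ("1.0", "1.1"):
        # Still allowed for interoperability with old servers, but say so:
        # these versions use the MD5/SHA-1 based PRF the issue objects to.
        warnings.warn(f"tls_version={tls_version} permits TLS 1.0/1.1 handshakes",
                      RuntimeWarning)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = _FLOOR[tls_version]
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def describe_context(ctx):
    """Summarise the security-relevant settings of a context as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def check_negotiated(negotiated, tls_version):
    """Belt-and-braces check after the handshake.

    `negotiated` is the string returned by SSLSocket.version(); reject anything
    below the configured floor even if the library silently downgraded.
    """
    return negotiated in allowed_versions(tls_version)


if __name__ == "__main__":
    ctx = make_client_context("1.2")
    print(describe_context(ctx))    # minimum_version TLSv1_2, verification on
    print(allowed_versions("1.2"))  # ['TLSv1.2', 'TLSv1.3']
    # A real client would then wrap its socket (hostname is a placeholder):
    #   tls_sock = ctx.wrap_socket(sock, server_hostname="xmpp.example.org")
    #   assert check_negotiated(tls_sock.version(), "1.2")
    #   tls_sock.get_channel_binding("tls-unique")  # input for SCRAM-SHA-1-PLUS;
    #   tls-unique is defined for TLS 1.2 and earlier, not for TLS 1.3
```

The post-handshake check_negotiated call matters on older Python builds that silently ignore the floor: the option must be enforced by what was actually negotiated, not only by what was requested.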