Ability to configure minimal supported TLS protocol version
problem
Currently python-nbxmpp supports TLS 1.0, TLS 1.1 and TLS 1.2, but it offers no way to restrict connections to the newest version, TLS 1.2, for XMPP servers that support it.
According to statistics from https://xmpp.net/, 59.9% of public XMPP servers already support TLS 1.2.
analysis
TLS 1.2 provides more security than TLS 1.1, for example through the changes made to the PRF and the key derivation process, and the replacement of the MD5/SHA-1 combination in the digitally-signed element.
This also has implications for the future implementation of SCRAM-SHA-1-PLUS in Gajim #16 (closed), because TLS channel binding depends on the PRF used to compute the hash of the TLS handshake messages.
enhancement recommendation
Add a configuration option tls_version. This option sets the lowest TLS protocol version that may be used for a connection.
- Value 1.0 means use TLS 1.0, TLS 1.1, TLS 1.2 and all further protocol versions.
- Value 1.1 means use TLS 1.1, TLS 1.2 and all further protocol versions.
- Value 1.2 means use TLS 1.2 and all further protocol versions.
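As an added illustration of the proposed semantics (not python-nbxmpp's own code), the following maps the three option values onto a minimum protocol version in Python's standard ssl module; the function names make_client_context and accepts_version are assumptions. Whether TLS 1.0 or 1.1 can actually be negotiated still depends on the OpenSSL build and its security level.

```python
import ssl

# Lowest accepted protocol version for each value of the proposed option.
# Only a floor is set: newer versions are never capped, matching the
# "and all further protocol versions" wording above.
_MIN_VERSION_FOR_OPTION = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
}


def make_client_context(tls_version: str = "1.0") -> ssl.SSLContext:
    """Build a client SSLContext whose lowest accepted protocol version
    is given by tls_version ("1.0", "1.1" or "1.2").

    An unknown value raises ValueError so that a typo in the configuration
    cannot silently fall back to an older, weaker protocol.
    """
    try:
        minimum = _MIN_VERSION_FOR_OPTION[tls_version]
    except KeyError:
        raise ValueError(
            f"unsupported tls_version {tls_version!r}; "
            f"expected one of {sorted(_MIN_VERSION_FOR_OPTION)}"
        ) from None

    # create_default_context() keeps certificate and hostname verification
    # enabled; we only adjust the protocol floor and leave the ceiling open.
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def accepts_version(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """True if the context's configured range allows negotiating `version`."""
    if version < ctx.minimum_version:
        return False
    # MAXIMUM_SUPPORTED is a sentinel (negative value), not a real version.
    if ctx.maximum_version == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return True
    return version <= ctx.maximum_version
```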