Merge branch 'mcatanzaro/gtlsconnection-changes' into 'master'

Deprecate old GTlsConnection functionality even harder! See merge request GNOME/glib!1227
2024-11-09 02:46:16 +01:00 · 2019-11-18 21:10:54 +00:00 · 2019-11-18 21:10:54 +00:00 · 88e7529101
commit 88e7529101
parent 4a57109b77 9d2c949b54
2 changed files with 36 additions and 51 deletions
--- a/gio/gtlsclientconnection.c
+++ b/gio/gtlsclientconnection.c
@ -103,14 +103,12 @@ g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface)
  /**
   * GTlsClientConnection:use-ssl3:
   *
-   * If %TRUE, forces the connection to use a fallback version of TLS
-   * or SSL, rather than trying to negotiate the best version of TLS
-   * to use. See g_tls_client_connection_set_use_ssl3().
+   * SSL 3.0 is no longer supported. See
+   * g_tls_client_connection_set_use_ssl3() for details.
   *
   * Since: 2.28
   *
-   * Deprecated: 2.56: SSL 3.0 is insecure, and this property does not
-   * generally enable or disable it, despite its name.
+   * Deprecated: 2.56: SSL 3.0 is insecure.
   */
  g_object_interface_install_property (iface,
 				       g_param_spec_boolean ("use-ssl3",
@ -270,16 +268,14 @@ g_tls_client_connection_set_server_identity (GTlsClientConnection *conn,
 * g_tls_client_connection_get_use_ssl3:
 * @conn: the #GTlsClientConnection
 *
- * Gets whether @conn will force the lowest-supported TLS protocol
- * version rather than attempt to negotiate the highest mutually-
- * supported version of TLS; see g_tls_client_connection_set_use_ssl3().
+ * SSL 3.0 is no longer supported. See
+ * g_tls_client_connection_set_use_ssl3() for details.
 *
- * Returns: whether @conn will use the lowest-supported TLS protocol version
+ * Returns: %FALSE
 *
 * Since: 2.28
 *
- * Deprecated: 2.56: SSL 3.0 is insecure, and this function does not
- * actually indicate whether it is enabled.
+ * Deprecated: 2.56: SSL 3.0 is insecure.
 */
 gboolean
 g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn)
@ -289,32 +285,28 @@ g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn)
  g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0);

  g_object_get (G_OBJECT (conn), "use-ssl3", &use_ssl3, NULL);
-  return use_ssl3;
+  return FALSE;
 }

 /**
 * g_tls_client_connection_set_use_ssl3:
 * @conn: the #GTlsClientConnection
- * @use_ssl3: whether to use the lowest-supported protocol version
+ * @use_ssl3: a #gboolean, ignored
 *
- * Since 2.42.1, if @use_ssl3 is %TRUE, this forces @conn to use the
- * lowest-supported TLS protocol version rather than trying to properly
- * negotiate the highest mutually-supported protocol version with the
- * peer. Be aware that SSL 3.0 is generally disabled by the
- * #GTlsBackend, so the lowest-supported protocol version is probably
- * not SSL 3.0.
+ * Since GLib 2.42.1, SSL 3.0 is no longer supported.
 *
- * Since 2.58, this may additionally cause an RFC 7507 fallback SCSV to
- * be sent to the server, causing modern TLS servers to immediately
- * terminate the connection. You should generally only use this function
- * if you need to connect to broken servers that exhibit TLS protocol
- * version intolerance, and when an initial attempt to connect to a
- * server normally has already failed.
+ * From GLib 2.42.1 through GLib 2.62, this function could be used to
+ * force use of TLS 1.0, the lowest-supported TLS protocol version at
+ * the time. In the past, this was needed to connect to broken TLS
+ * servers that exhibited protocol version intolerance. Such servers
+ * are no longer common, and using TLS 1.0 is no longer considered
+ * acceptable.
+ *
+ * Since GLib 2.64, this function does nothing.
 *
 * Since: 2.28
 *
- * Deprecated: 2.56: SSL 3.0 is insecure, and this function does not
- * generally enable or disable it, despite its name.
+ * Deprecated: 2.56: SSL 3.0 is insecure.
 */
 void
 g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
@ -322,7 +314,7 @@ g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
 {
  g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn));

-  g_object_set (G_OBJECT (conn), "use-ssl3", use_ssl3, NULL);
+  g_object_set (G_OBJECT (conn), "use-ssl3", FALSE, NULL);
 }

 /**
--- a/gio/gtlsconnection.c
+++ b/gio/gtlsconnection.c
@ -139,7 +139,8 @@ g_tls_connection_class_init (GTlsConnectionClass *klass)
 							 TRUE,
 							 G_PARAM_READWRITE |
 							 G_PARAM_CONSTRUCT |
-							 G_PARAM_STATIC_STRINGS));
+							 G_PARAM_STATIC_STRINGS |
+							 G_PARAM_DEPRECATED));
  /**
   * GTlsConnection:database:
   *
@ -195,6 +196,8 @@ g_tls_connection_class_init (GTlsConnectionClass *klass)
   * g_tls_connection_set_rehandshake_mode().
   *
   * Since: 2.28
+   *
+   * Deprecated: 2.60: The rehandshake mode is ignored.
   */
  g_object_class_install_property (gobject_class, PROP_REHANDSHAKE_MODE,
 				   g_param_spec_enum ("rehandshake-mode",
@ -730,27 +733,17 @@ g_tls_connection_get_require_close_notify (GTlsConnection *conn)
 * @conn: a #GTlsConnection
 * @mode: the rehandshaking mode
 *
- * Sets how @conn behaves with respect to rehandshaking requests, when
- * TLS 1.2 or older is in use.
+ * Since GLib 2.64, changing the rehandshake mode is no longer supported
+ * and will have no effect.
 *
- * %G_TLS_REHANDSHAKE_NEVER means that it will never agree to
- * rehandshake after the initial handshake is complete. (For a client,
- * this means it will refuse rehandshake requests from the server, and
- * for a server, this means it will close the connection with an error
- * if the client attempts to rehandshake.)
- *
- * %G_TLS_REHANDSHAKE_SAFELY means that the connection will allow a
- * rehandshake only if the other end of the connection supports the
- * TLS `renegotiation_info` extension. This is the default behavior,
- * but means that rehandshaking will not work against older
+ * With TLS 1.2, the connection will allow a rehandshake only if the
+ * other end of the connection supports the TLS `renegotiation_info`
+ * extension. This means that rehandshaking will not work against older
 * implementations that do not support that extension.
 *
- * %G_TLS_REHANDSHAKE_UNSAFELY means that the connection will allow
- * rehandshaking even without the `renegotiation_info` extension. On
- * the server side in particular, this is not recommended, since it
- * leaves the server open to certain attacks. However, this mode is
- * necessary if you need to allow renegotiation with older client
- * software.
+ * With TLS 1.3, rehandshaking has been removed from the TLS protocol,
+ * replaced by separate post-handshake authentication and rekey
+ * operations.
 *
 * Since: 2.28
 *
@ -766,7 +759,7 @@ g_tls_connection_set_rehandshake_mode (GTlsConnection       *conn,
  g_return_if_fail (G_IS_TLS_CONNECTION (conn));

  g_object_set (G_OBJECT (conn),
-		"rehandshake-mode", mode,
+		"rehandshake-mode", G_TLS_REHANDSHAKE_SAFELY,
 		NULL);
 }
 G_GNUC_END_IGNORE_DEPRECATIONS
@ -778,7 +771,7 @@ G_GNUC_END_IGNORE_DEPRECATIONS
 * Gets @conn rehandshaking mode. See
 * g_tls_connection_set_rehandshake_mode() for details.
 *
- * Returns: @conn's rehandshaking mode
+ * Returns: %G_TLS_REHANDSHAKE_SAFELY
 *
 * Since: 2.28
 *
@ -792,12 +785,12 @@ g_tls_connection_get_rehandshake_mode (GTlsConnection       *conn)
 {
  GTlsRehandshakeMode mode;

-  g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), G_TLS_REHANDSHAKE_NEVER);
+  g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), G_TLS_REHANDSHAKE_SAFELY);

  g_object_get (G_OBJECT (conn),
 		"rehandshake-mode", &mode,
 		NULL);
-  return mode;
+  return G_TLS_REHANDSHAKE_SAFELY;
 }
 G_GNUC_END_IGNORE_DEPRECATIONS