From 9d2c949b542be9eceaae2c5bbaf33d86715b68b8 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Thu, 14 Nov 2019 11:58:56 -0600
Subject: [PATCH] gtlsclientconnection: use-ssl3 is now ignored

For many years after SSL 3.0 support was removed, we used this function to indicate that we should perform protocol version fallback to the lowest-supported protocol version, to workaround protocol version intolerance. Nowadays this is no longer needed, and support has been removed from glib-networking, so update the documentation.
---
 gio/gtlsclientconnection.c | 48 ++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 28 deletions(-)

diff --git a/gio/gtlsclientconnection.c b/gio/gtlsclientconnection.c
index b38fad630..e0e5945eb 100644
--- a/gio/gtlsclientconnection.c
+++ b/gio/gtlsclientconnection.c
@@ -103,14 +103,12 @@ g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface)
 /**
  * GTlsClientConnection:use-ssl3:
  *
- * If %TRUE, forces the connection to use a fallback version of TLS
- * or SSL, rather than trying to negotiate the best version of TLS
- * to use. See g_tls_client_connection_set_use_ssl3().
+ * SSL 3.0 is no longer supported. See
+ * g_tls_client_connection_set_use_ssl3() for details.
  *
  * Since: 2.28
  *
- * Deprecated: 2.56: SSL 3.0 is insecure, and this property does not
- * generally enable or disable it, despite its name.
+ * Deprecated: 2.56: SSL 3.0 is insecure.
  */
  g_object_interface_install_property (iface,
  g_param_spec_boolean ("use-ssl3",
@@ -270,16 +268,14 @@ g_tls_client_connection_set_server_identity (GTlsClientConnection *conn,
  * g_tls_client_connection_get_use_ssl3:
  * @conn: the #GTlsClientConnection
  *
- * Gets whether @conn will force the lowest-supported TLS protocol
- * version rather than attempt to negotiate the highest mutually-
- * supported version of TLS; see g_tls_client_connection_set_use_ssl3().
+ * SSL 3.0 is no longer supported. See
+ * g_tls_client_connection_set_use_ssl3() for details.
  *
- * Returns: whether @conn will use the lowest-supported TLS protocol version
+ * Returns: %FALSE
  *
  * Since: 2.28
  *
- * Deprecated: 2.56: SSL 3.0 is insecure, and this function does not
- * actually indicate whether it is enabled.
+ * Deprecated: 2.56: SSL 3.0 is insecure.
  */
 gboolean
 g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn)
@@ -289,32 +285,28 @@ g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn)
  g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0);
 
  g_object_get (G_OBJECT (conn), "use-ssl3", &use_ssl3, NULL);
- return use_ssl3;
+ return FALSE;
 }
 
 /**
  * g_tls_client_connection_set_use_ssl3:
  * @conn: the #GTlsClientConnection
- * @use_ssl3: whether to use the lowest-supported protocol version
+ * @use_ssl3: a #gboolean, ignored
  *
- * Since 2.42.1, if @use_ssl3 is %TRUE, this forces @conn to use the
- * lowest-supported TLS protocol version rather than trying to properly
- * negotiate the highest mutually-supported protocol version with the
- * peer. Be aware that SSL 3.0 is generally disabled by the
- * #GTlsBackend, so the lowest-supported protocol version is probably
- * not SSL 3.0.
+ * Since GLib 2.42.1, SSL 3.0 is no longer supported.
  *
- * Since 2.58, this may additionally cause an RFC 7507 fallback SCSV to
- * be sent to the server, causing modern TLS servers to immediately
- * terminate the connection. You should generally only use this function
- * if you need to connect to broken servers that exhibit TLS protocol
- * version intolerance, and when an initial attempt to connect to a
- * server normally has already failed.
+ * From GLib 2.42.1 through GLib 2.62, this function could be used to
+ * force use of TLS 1.0, the lowest-supported TLS protocol version at
+ * the time. In the past, this was needed to connect to broken TLS
+ * servers that exhibited protocol version intolerance. Such servers
+ * are no longer common, and using TLS 1.0 is no longer considered
+ * acceptable.
+ *
+ * Since GLib 2.64, this function does nothing.
  *
  * Since: 2.28
  *
- * Deprecated: 2.56: SSL 3.0 is insecure, and this function does not
- * generally enable or disable it, despite its name.
+ * Deprecated: 2.56: SSL 3.0 is insecure.
  */
 void
 g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
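Review bot: `g_object_get (G_OBJECT (conn), "use-ssl3", &use_ssl3, NULL);` on the line above the new `return FALSE;` is now dead: it fetches the backend property into `use_ssl3`, which nothing reads afterwards. Dropping that call, together with the `use_ssl3` local declared above the hunk, makes the getter the constant its new `Returns: %FALSE` documents and avoids a pointless round-trip into the backend on a deprecated path. While here, the `g_return_val_if_fail (..., 0)` could return `FALSE` to match the documented return, though that line is pre-existing. The body of g_tls_client_connection_get_use_ssl3 begins outside the hunk.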
@@ -322,7 +314,7 @@ g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
 {
  g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn));
 
- g_object_set (G_OBJECT (conn), "use-ssl3", use_ssl3, NULL);
+ g_object_set (G_OBJECT (conn), "use-ssl3", FALSE, NULL);
 }
 
 /**
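Review bot: The body still writes `FALSE` to the `use-ssl3` property while the doc comment in the previous hunk now says the function "does nothing", so the two disagree; the write is worth keeping as a safeguard, and a comment should say so before someone removes it as dead code, e.g. `/* Always write FALSE so a backend that still honours the property can never be switched into fallback mode. */`. The `use_ssl3` parameter is now unused in the body and will warn under -Wunused-parameter where that is enabled; a `(void) use_ssl3;` (or G_GNUC_UNUSED on the parameter) silences it without touching the public signature. The parameter list of g_tls_client_connection_set_use_ssl3 starts above the hunk.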