author | Michael Catanzaro <mcatanzaro@gnome.org> | 2019-11-18 21:10:54 +0000 |
---|---|---|
committer | Michael Catanzaro <mcatanzaro@gnome.org> | 2019-11-18 21:10:54 +0000 |
commit | 88e7529101eb1a17c82b6525951902808b5e4353 (patch) | |
tree | 532174cae83ad7c24d937ceee2f04a821b17b3a0 | |
parent | 4a57109b77c23bc13ee33cf7ae332797a3465db0 (diff) | |
parent | 9d2c949b542be9eceaae2c5bbaf33d86715b68b8 (diff) | |
download | glib-88e7529101eb1a17c82b6525951902808b5e4353.tar.gz |
Merge branch 'mcatanzaro/gtlsconnection-changes' into 'master'
Deprecate old GTlsConnection functionality even harder!
See merge request GNOME/glib!1227
-rw-r--r-- | gio/gtlsclientconnection.c | 52 | ||||
-rw-r--r-- | gio/gtlsconnection.c | 39 |
2 files changed, 38 insertions, 53 deletions
diff --git a/gio/gtlsclientconnection.c b/gio/gtlsclientconnection.c
index b38fad630..e0e5945eb 100644
--- a/gio/gtlsclientconnection.c
+++ b/gio/gtlsclientconnection.c
@@ -103,14 +103,12 @@ g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface)
 /**
 * GTlsClientConnection:use-ssl3:
 *
- * If %TRUE, forces the connection to use a fallback version of TLS
- * or SSL, rather than trying to negotiate the best version of TLS
- * to use. See g_tls_client_connection_set_use_ssl3().
+ * SSL 3.0 is no longer supported. See
+ * g_tls_client_connection_set_use_ssl3() for details.
 *
 * Since: 2.28
 *
- * Deprecated: 2.56: SSL 3.0 is insecure, and this property does not
- * generally enable or disable it, despite its name.
+ * Deprecated: 2.56: SSL 3.0 is insecure.
 */
 g_object_interface_install_property (iface,
 g_param_spec_boolean ("use-ssl3",
@@ -270,16 +268,14 @@ g_tls_client_connection_set_server_identity (GTlsClientConnection *conn,
 * g_tls_client_connection_get_use_ssl3:
 * @conn: the #GTlsClientConnection
 *
- * Gets whether @conn will force the lowest-supported TLS protocol
- * version rather than attempt to negotiate the highest mutually-
- * supported version of TLS; see g_tls_client_connection_set_use_ssl3().
+ * SSL 3.0 is no longer supported. See
+ * g_tls_client_connection_set_use_ssl3() for details.
 *
- * Returns: whether @conn will use the lowest-supported TLS protocol version
+ * Returns: %FALSE
 *
 * Since: 2.28
 *
- * Deprecated: 2.56: SSL 3.0 is insecure, and this function does not
- * actually indicate whether it is enabled.
+ * Deprecated: 2.56: SSL 3.0 is insecure.
 */
 gboolean
 g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn)
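Review bot: The `use-ssl3` param spec whose doc comment the -103 hunk rewrites shows no change to its flags, whereas the -139 hunk in gio/gtlsconnection.c adds `G_PARAM_DEPRECATED` to a deprecated property there. The flag lines of the `use-ssl3` spec lie past the end of this hunk, so if they still lack `G_PARAM_DEPRECATED`, adding it (`G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS | G_PARAM_DEPRECATED`, adjusted to whatever flags are already present) would give property consumers the same runtime deprecation signal for both properties. The second hunk on this line (-270) is documentation only and needs nothing further.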
@@ -289,32 +285,28 @@ g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn)
 g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0);
 g_object_get (G_OBJECT (conn), "use-ssl3", &use_ssl3, NULL);
- return use_ssl3;
+ return FALSE;
 }
 /**
 * g_tls_client_connection_set_use_ssl3:
 * @conn: the #GTlsClientConnection
- * @use_ssl3: whether to use the lowest-supported protocol version
- *
- * Since 2.42.1, if @use_ssl3 is %TRUE, this forces @conn to use the
- * lowest-supported TLS protocol version rather than trying to properly
- * negotiate the highest mutually-supported protocol version with the
- * peer. Be aware that SSL 3.0 is generally disabled by the
- * #GTlsBackend, so the lowest-supported protocol version is probably
- * not SSL 3.0.
- *
- * Since 2.58, this may additionally cause an RFC 7507 fallback SCSV to
- * be sent to the server, causing modern TLS servers to immediately
- * terminate the connection. You should generally only use this function
- * if you need to connect to broken servers that exhibit TLS protocol
- * version intolerance, and when an initial attempt to connect to a
- * server normally has already failed.
+ * @use_ssl3: a #gboolean, ignored
+ *
+ * Since GLib 2.42.1, SSL 3.0 is no longer supported.
+ *
+ * From GLib 2.42.1 through GLib 2.62, this function could be used to
+ * force use of TLS 1.0, the lowest-supported TLS protocol version at
+ * the time. In the past, this was needed to connect to broken TLS
+ * servers that exhibited protocol version intolerance. Such servers
+ * are no longer common, and using TLS 1.0 is no longer considered
+ * acceptable.
+ *
+ * Since GLib 2.64, this function does nothing.
 *
 * Since: 2.28
 *
- * Deprecated: 2.56: SSL 3.0 is insecure, and this function does not
- * generally enable or disable it, despite its name.
+ * Deprecated: 2.56: SSL 3.0 is insecure.
 */
 void
 g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
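Review bot: `g_object_get (G_OBJECT (conn), "use-ssl3", &use_ssl3, NULL);` still executes immediately before the new `return FALSE;`, so the property round-trip is now dead work and `use_ssl3` (declared above the start of this hunk) becomes a set-but-unused local that `-Wunused-but-set-variable` will report. Either remove the `g_object_get` call together with the local, or keep the read and say why with a comment such as `/* Property read kept deliberately; the value is ignored and FALSE is always reported. */` — the reason for keeping it is not visible in the hunk, so the comment should state whatever the real motivation is. The -792 hunk of gio/gtlsconnection.c has the same shape: `mode` is filled by `g_object_get` and then `G_TLS_REHANDSHAKE_SAFELY` is returned unconditionally, so the same cleanup applies there.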
@@ -322,7 +314,7 @@ g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
 {
 g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn));
- g_object_set (G_OBJECT (conn), "use-ssl3", use_ssl3, NULL);
+ g_object_set (G_OBJECT (conn), "use-ssl3", FALSE, NULL);
 }
 /**
diff --git a/gio/gtlsconnection.c b/gio/gtlsconnection.c
index 5bdea96e5..e4ea38081 100644
--- a/gio/gtlsconnection.c
+++ b/gio/gtlsconnection.c
@@ -139,7 +139,8 @@ g_tls_connection_class_init (GTlsConnectionClass *klass)
 TRUE,
 G_PARAM_READWRITE |
 G_PARAM_CONSTRUCT |
- G_PARAM_STATIC_STRINGS));
+ G_PARAM_STATIC_STRINGS |
+ G_PARAM_DEPRECATED));
 /**
 * GTlsConnection:database:
 *
@@ -195,6 +196,8 @@ g_tls_connection_class_init (GTlsConnectionClass *klass)
 * g_tls_connection_set_rehandshake_mode().
 *
 * Since: 2.28
+ *
+ * Deprecated: 2.60: The rehandshake mode is ignored.
 */
 g_object_class_install_property (gobject_class, PROP_REHANDSHAKE_MODE,
 g_param_spec_enum ("rehandshake-mode",
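Review bot: In the -322 hunk the `use_ssl3` argument is no longer read — the new `g_object_set` writes the constant `FALSE` — but nothing in the body records that this is intentional, so a later maintainer may read it as a copy-paste error. A one-line comment above the call, `/* @use_ssl3 is deliberately ignored: the fallback it selected is no longer supported, so the property is always forced to FALSE. */`, makes the intent explicit; marking the parameter `G_GNUC_UNUSED` in the signature (which sits outside the hunk) would additionally keep `-Wunused-parameter` quiet if the build enables it. The -766 hunk of gio/gtlsconnection.c ignores its `mode` argument in the same way and would benefit from the same comment, worded for `G_TLS_REHANDSHAKE_SAFELY`.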
@@ -730,27 +733,17 @@ g_tls_connection_get_require_close_notify (GTlsConnection *conn)
 * @conn: a #GTlsConnection
 * @mode: the rehandshaking mode
 *
- * Sets how @conn behaves with respect to rehandshaking requests, when
- * TLS 1.2 or older is in use.
- *
- * %G_TLS_REHANDSHAKE_NEVER means that it will never agree to
- * rehandshake after the initial handshake is complete. (For a client,
- * this means it will refuse rehandshake requests from the server, and
- * for a server, this means it will close the connection with an error
- * if the client attempts to rehandshake.)
+ * Since GLib 2.64, changing the rehandshake mode is no longer supported
+ * and will have no effect.
 *
- * %G_TLS_REHANDSHAKE_SAFELY means that the connection will allow a
- * rehandshake only if the other end of the connection supports the
- * TLS `renegotiation_info` extension. This is the default behavior,
- * but means that rehandshaking will not work against older
+ * With TLS 1.2, the connection will allow a rehandshake only if the
+ * other end of the connection supports the TLS `renegotiation_info`
+ * extension. This means that rehandshaking will not work against older
 * implementations that do not support that extension.
 *
- * %G_TLS_REHANDSHAKE_UNSAFELY means that the connection will allow
- * rehandshaking even without the `renegotiation_info` extension. On
- * the server side in particular, this is not recommended, since it
- * leaves the server open to certain attacks. However, this mode is
- * necessary if you need to allow renegotiation with older client
- * software.
+ * With TLS 1.3, rehandshaking has been removed from the TLS protocol,
+ * replaced by separate post-handshake authentication and rekey
+ * operations.
 *
 * Since: 2.28
 *
@@ -766,7 +759,7 @@ g_tls_connection_set_rehandshake_mode (GTlsConnection *conn,
 g_return_if_fail (G_IS_TLS_CONNECTION (conn));
 g_object_set (G_OBJECT (conn),
- "rehandshake-mode", mode,
+ "rehandshake-mode", G_TLS_REHANDSHAKE_SAFELY,
 NULL);
 }
 G_GNUC_END_IGNORE_DEPRECATIONS
@@ -778,7 +771,7 @@ G_GNUC_END_IGNORE_DEPRECATIONS
 * Gets @conn rehandshaking mode. See
 * g_tls_connection_set_rehandshake_mode() for details.
 *
- * Returns: @conn's rehandshaking mode
+ * Returns: %G_TLS_REHANDSHAKE_SAFELY
 *
 * Since: 2.28
 *
@@ -792,12 +785,12 @@ g_tls_connection_get_rehandshake_mode (GTlsConnection *conn)
 {
 GTlsRehandshakeMode mode;
- g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), G_TLS_REHANDSHAKE_NEVER);
+ g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), G_TLS_REHANDSHAKE_SAFELY);
 g_object_get (G_OBJECT (conn), "rehandshake-mode", &mode, NULL);
- return mode;
+ return G_TLS_REHANDSHAKE_SAFELY;
 }
 G_GNUC_END_IGNORE_DEPRECATIONS |