Require TLS 1.3 on client-facing ports #454

Draft pull request; wants to merge 1 commit into base: main

Conversation


@link2xt link2xt commented Nov 9, 2024

I tested with -tls1_2 option
of openssl s_client
that TLS 1.2 connections
are no longer possible
on any ports except port 25.

Port 25 requires at least TLS 1.2
for encrypted connections.

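The test described in the commit message, scripted so it can be repeated against a deployed host, as an added example that is neither part of this PR nor of the chatmail repository. It probes each port twice with openssl s_client, once forced to TLS 1.2 and once to TLS 1.3, and compares the outcome with the policy stated above: port 25 keeps accepting TLS 1.2, every other port must refuse it and accept TLS 1.3. The port list and the STARTTLS mapping (25 and 587 SMTP, 143 IMAP, 465 and 993 implicit TLS) are assumptions about a typical chatmail deployment; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example: verify "TLS 1.3 required on client-facing ports, TLS 1.2
# still allowed on port 25" with openssl s_client. Not chatmail code.
#
# Assumptions: ports 25/587/143 speak STARTTLS, 465/993 are implicit TLS;
# openssl s_client exits non-zero when the handshake fails (e.g. the server
# answers a TLS 1.2 ClientHello with a "protocol version" alert).

HOST="${1:-example.org}"   # placeholder; pass the real chatmail hostname

# starttls_arg PORT -> the -starttls option openssl needs for that port, if any
starttls_arg() {
    case "$1" in
        25|587) echo "-starttls smtp" ;;
        143)    echo "-starttls imap" ;;
        *)      echo "" ;;
    esac
}

# probe HOST PORT VERSIONFLAG -> exit 0 if the handshake completed, non-zero
# otherwise. VERSIONFLAG is -tls1_2 or -tls1_3, which pins the client to
# exactly that protocol version.
probe() {
    # shellcheck disable=SC2046
    openssl s_client -connect "$1:$2" -servername "$1" "$3" \
        $(starttls_arg "$2") </dev/null >/dev/null 2>&1
}

# judge PORT TLS12_EXIT TLS13_EXIT -> 0 if the observed probe exit codes match
# the policy of this PR, 1 otherwise (0 = handshake succeeded).
judge() {
    port="$1"; r12="$2"; r13="$3"
    [ "$r13" -eq 0 ] || return 1          # TLS 1.3 must work on every port
    if [ "$port" -eq 25 ]; then
        [ "$r12" -eq 0 ]                  # MX port keeps TLS 1.2 for other MTAs
    else
        [ "$r12" -ne 0 ]                  # client ports must refuse TLS 1.2
    fi
}

# check_all HOST -> 0 if every port matches the policy, 1 if any violates it
check_all() {
    host="$1"; rc=0
    for p in 25 465 587 143 993; do
        if probe "$host" "$p" -tls1_2; then e12=0; else e12=1; fi
        if probe "$host" "$p" -tls1_3; then e13=0; else e13=1; fi
        if judge "$p" "$e12" "$e13"; then
            echo "port $p: OK (tls1_2 exit=$e12, tls1_3 exit=$e13)"
        else
            echo "port $p: POLICY VIOLATION (tls1_2 exit=$e12, tls1_3 exit=$e13)"
            rc=1
        fi
    done
    return $rc
}

# Only probe the network when a hostname was given on the command line.
if [ -n "${1:-}" ]; then
    check_all "$1"
fi
```

Run it as `sh check-tls.sh mail.example.org`; a non-zero exit means at least one port deviates from the policy. The judge function is kept separate from the network probe so the policy itself can be checked without a live server.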
@hpk42 hpk42 commented Nov 12, 2024 via email

@missytake missytake left a comment

I'm a bit hesitant to approve this; some people with outdated desktop clients might have followed our instructions in https://delta.chat/en/2023-12-13-chatmail to set up a nine account. Yes, it's an unlikely scenario, but for them it would break.

And I don't see why it's necessary? Wouldn't any more recent official client use TLSv1.3 anyway? No need to force it server-side.


link2xt commented Nov 17, 2024

> I'm a bit hesitant to approve this; some people with outdated desktop clients might have followed our instructions in https://delta.chat/en/2023-12-13-chatmail to set up a nine account. Yes, it's an unlikely scenario, but for them it would break.

We do not support non-delta chat clients and any recent client supports TLS 1.3. It has existed for more than 5 years.

> And I don't see why it's necessary? Wouldn't any more recent official client use TLSv1.3 anyway? No need to force it server-side.

It makes development easier because I don't have to check if openssl s_client or the Python IMAP library or core has by chance decided to connect using TLS 1.2. Security-wise this avoids downgrade attacks. TLS 1.3 downgrade protection is a hack to make it compatible with TLS 1.2 and by the time it detects the downgrade it has already finished the TLS 1.2 handshake, exposing the server TLS certificate to middleboxes, so it's not perfect. Not having TLS 1.2 on the server makes it impossible to even start connecting with TLS 1.2.

@link2xt link2xt marked this pull request as draft November 18, 2024 14:34

link2xt commented Nov 18, 2024

Let's postpone this until we make Delta Chat releases that use Rustls to connect to chatmail servers. Otherwise Delta Chat on Windows or macOS may not support TLS 1.3. Unlikely because macOS forces users to upgrade all the time and minimum supported version is Windows 10 due to Electron requirements.
