QTBUG-80941

Chromium command line arguments for TLS versions/ciphers don't work

Details

    • Bug
    • Resolution: Unresolved
    • P2: Important
    • None
    • 5.14.0, 5.15.0, 6.3.0, 6.4.0
    • WebEngine
    • None

    Description

      Chromium has the following commandline arguments to specify what TLS versions/ciphers should be supported:

      • --ssl-version-max
      • --ssl-version-min
      • --cipher-suite-blacklist

      However, those seem to have no effect in QtWebEngine. In Chromium, it looks like they're handled in chrome/browser/prefs/chrome_command_line_pref_store.cc.

      For example, launching

      chromium --ssl-version-min=tls1.2 --cipher-suite-blacklist=0x000B,0x000C,0x000D,0x0011,0x0012,0x0013,0x002F,0x0030,0x0031,0x0032,0x0033,0x0034,0x0035,0x0036,0x0037,0x0038,0x0039,0x003A,0xAAAA,0x1301,0x1302,0x1303,0xc013,0xC014,0x000A,0x009C,0x009D https://browserleaks.com/ssl
      

      will show that TLS 1.0 and 1.1 are unsupported and all non-"good" ciphers aren't listed.

      Doing the same with simplebrowser doesn't have any effect.

      Chromium 80 (early 2020) and other browsers will remove support for TLS 1.0 and 1.1 due to security concerns - since a QtWebEngine update to that will (probably) only happen with Qt 5.15, it should be possible for applications to do the same via commandline arguments, to avoid lagging behind with common security practices.
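An added example, not part of the original report and not Qt or Chromium code: instead of relying on an external test page, the TLS versions and cipher suites a client offers can be read from its ClientHello and compared against the flags used in the report. The function names and the sample ClientHello builder are constructed for illustration.

```python
import struct

# Blacklist copied from the command line in the report above.
BLACKLIST = {int(x, 16) for x in (
    "0x000B,0x000C,0x000D,0x0011,0x0012,0x0013,0x002F,0x0030,0x0031,0x0032,"
    "0x0033,0x0034,0x0035,0x0036,0x0037,0x0038,0x0039,0x003A,0xAAAA,0x1301,"
    "0x1302,0x1303,0xc013,0xC014,0x000A,0x009C,0x009D").split(",")}
TLS1_2 = 0x0303  # wire value corresponding to --ssl-version-min=tls1.2

def parse_client_hello(record: bytes) -> dict:
    """Return offered versions and cipher suites from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy_version = int.from_bytes(body[0:2], "big")
    pos = 34                                   # skip version + 32-byte random
    pos += 1 + body[pos]                       # skip session id
    n = int.from_bytes(body[pos:pos + 2], "big")
    suites = list(struct.unpack(f">{n // 2}H", body[pos + 2:pos + 2 + n]))
    pos += 2 + n
    pos += 1 + body[pos]                       # skip compression methods
    versions = [legacy_version]                # fallback if no extension
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big") if pos < len(body) else pos
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x002B:                 # supported_versions
            versions = list(struct.unpack(f">{data[0] // 2}H", data[1:1 + data[0]]))
        pos += 4 + ext_len
    return {"versions": versions, "suites": suites}

def policy_violations(hello: dict, min_version=TLS1_2, blacklist=BLACKLIST) -> dict:
    """Offers the flags should have removed (versions need supported_versions)."""
    return {
        "old_versions": sorted(v for v in hello["versions"] if v < min_version),
        "blacklisted_suites": sorted(s for s in hello["suites"] if s in blacklist),
    }

def build_sample_hello(versions, suites) -> bytes:
    """Constructed ClientHello record (sample data, not a capture)."""
    sv = struct.pack(f">B{len(versions)}H", 2 * len(versions), *versions)
    ext = struct.pack(">HH", 0x002B, len(sv)) + sv
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack(f">H{len(suites)}H", 2 * len(suites), *suites)
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

To check a real client, point it at a local listening TCP socket and pass the first record it sends to `parse_client_hello`; a ClientHello larger than one read has to be reassembled first.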

          People

            qt_webengine_team Qt WebEngine Team
            the compiler Florian Bruhin
            Votes: 0
            Watchers: 3
