Details
- Bug
- Resolution: Unresolved
- P2: Important
- None
- 5.14.0, 5.15.0, 6.3.0, 6.4.0
- None
Description
Chromium has the following commandline arguments to specify what TLS versions/ciphers should be supported:
- --ssl-version-max
- --ssl-version-min
- --cipher-suite-blacklist
However, those seem to have no effect in QtWebEngine. In Chromium, it looks like they're handled in chrome/browser/prefs/chrome_command_line_pref_store.cc.
For example, launching
chromium --ssl-version-min=tls1.2 --cipher-suite-blacklist=0x000B,0x000C,0x000D,0x0011,0x0012,0x0013,0x002F,0x0030,0x0031,0x0032,0x0033,0x0034,0x0035,0x0036,0x0037,0x0038,0x0039,0x003A,0xAAAA,0x1301,0x1302,0x1303,0xc013,0xC014,0x000A,0x009C,0x009D https://browserleaks.com/ssl
will show that TLS 1.0 and 1.1 are unsupported and all non-"good" ciphers aren't listed.
Doing the same with simplebrowser doesn't have any effect.
Chromium 80 (early 2020) and other browsers will remove support for TLS 1.0 and 1.1 due to security concerns - since a QtWebEngine update to that will (probably) only happen with Qt 5.15, it should be possible for applications to do the same via commandline arguments, to avoid lagging behind with common security practices.
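One way to check whether such restrictions reach the wire without relying on a third-party test page, as an added example (not part of the original report, nor Qt or Chromium code): parse the ClientHello the browser sends and list any blacklisted suites or sub-minimum versions it still offers. It assumes the first TLS record has been captured as raw bytes, for instance by a local TCP listener; the function names and the sample record are constructed for illustration.

```python
import struct

# Suite IDs copied from the --cipher-suite-blacklist value in the report.
BLACKLIST = {0x000B, 0x000C, 0x000D, 0x0011, 0x0012, 0x0013, 0x002F, 0x0030,
             0x0031, 0x0032, 0x0033, 0x0034, 0x0035, 0x0036, 0x0037, 0x0038,
             0x0039, 0x003A, 0xAAAA, 0x1301, 0x1302, 0x1303, 0xC013, 0xC014,
             0x000A, 0x009C, 0x009D}
TLS1_2 = 0x0303  # wire value corresponding to --ssl-version-min=tls1.2

def parse_client_hello(rec: bytes):
    """Return (cipher_suites, supported_versions or None) from one TLS record."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record starting with a ClientHello")
    pos = 5 + 4 + 2 + 32             # record hdr, handshake hdr, legacy_version, random
    pos += 1 + rec[pos]              # skip session_id
    n, = struct.unpack_from("!H", rec, pos); pos += 2
    suites = list(struct.unpack_from(f"!{n // 2}H", rec, pos)); pos += n
    pos += 1 + rec[pos]              # skip compression_methods
    versions = None                  # stays None if the extension is absent
    if pos + 2 <= len(rec):
        end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]; pos += 2
        while pos + 4 <= min(end, len(rec)):
            etype, elen = struct.unpack_from("!HH", rec, pos); pos += 4
            if etype == 0x002B:      # supported_versions (RFC 8446)
                versions = list(struct.unpack_from(f"!{rec[pos] // 2}H", rec, pos + 1))
            pos += elen
    return suites, versions

def audit(rec: bytes, min_version=TLS1_2, blacklist=BLACKLIST):
    """List what the client still offers despite the intended restrictions."""
    suites, versions = parse_client_hello(rec)
    return {"blacklisted_offered": [s for s in suites if s in blacklist],
            "below_min_version": [v for v in versions or [] if v < min_version]}

def build_client_hello(suites, versions):
    """Constructed sample input: a minimal ClientHello record, not a capture."""
    sv = struct.pack("!B", 2 * len(versions)) + struct.pack(f"!{len(versions)}H", *versions)
    ext = struct.pack("!HH", 0x002B, len(sv)) + sv
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites)) + struct.pack(f"!{len(suites)}H", *suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    sample = build_client_hello([0x1301, 0xC02F, 0xC013, 0x002F],
                                [0x0304, 0x0303, 0x0302, 0x0301])
    print(audit(sample))
```

If the `supported_versions` extension is absent, the ClientHello does not advertise a minimum version, so `below_min_version` stays empty and only the cipher suite result is meaningful.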