Qt / QTBUG-80941

Chromium command line arguments for TLS versions/ciphers don't work


    • Type: Bug
    • Resolution: Unresolved
    • Priority: P2: Important
    • None
    • 5.14.0, 5.15.0, 6.3.0, 6.4.0
    • WebEngine
    • None

      Chromium has the following commandline arguments to specify what TLS versions/ciphers should be supported:

      • --ssl-version-max
      • --ssl-version-min
      • --cipher-suite-blacklist

      However, those seem to have no effect in QtWebEngine. In Chromium, it looks like they're handled in chrome/browser/prefs/chrome_command_line_pref_store.cc.

      For example, launching

      chromium --ssl-version-min=tls1.2 --cipher-suite-blacklist=0x000B,0x000C,0x000D,0x0011,0x0012,0x0013,0x002F,0x0030,0x0031,0x0032,0x0033,0x0034,0x0035,0x0036,0x0037,0x0038,0x0039,0x003A,0xAAAA,0x1301,0x1302,0x1303,0xc013,0xC014,0x000A,0x009C,0x009D https://browserleaks.com/ssl
      

      will show that TLS 1.0 and 1.1 are unsupported and all non-"good" ciphers aren't listed.

      Doing the same with simplebrowser doesn't have any effect.

      Chromium 80 (early 2020) and other browsers will remove support for TLS 1.0 and 1.1 due to security concerns - since a QtWebEngine update to that will (probably) only happen with Qt 5.15, it should be possible for applications to do the same via commandline arguments, to avoid lagging behind with common security practices.


            allan.jensen Allan Sandfeld Jensen
            the compiler Florian Bruhin
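
One way to check whether the cipher blacklist from the report reached the TLS stack is to compare it with the cipher suites in the ClientHello the application sends. This is an added example, not part of the original report or of Qt/Chromium code; it assumes a single raw ClientHello record captured separately, all function names are hypothetical, and `sample_hello` builds a constructed input.

```python
import struct

# Value of --cipher-suite-blacklist copied from the command line in the report.
BLACKLIST_ARG = ("0x000B,0x000C,0x000D,0x0011,0x0012,0x0013,0x002F,0x0030,0x0031,"
                 "0x0032,0x0033,0x0034,0x0035,0x0036,0x0037,0x0038,0x0039,0x003A,"
                 "0xAAAA,0x1301,0x1302,0x1303,0xc013,0xC014,0x000A,0x009C,0x009D")

def parse_blacklist(arg):
    """Turn the comma-separated hex list into a set of 16-bit suite IDs."""
    return {int(tok, 16) for tok in arg.split(",") if tok.strip()}

def offered_suites(record):
    """Return the cipher suite IDs offered in a raw TLS ClientHello record."""
    try:
        ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        if ctype != 22 or len(body) != rec_len or body[0] != 1:
            raise ValueError("not a complete ClientHello handshake record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                    # skip legacy_version and random
        pos += 1 + hello[pos]           # skip session_id
        (n,) = struct.unpack("!H", hello[pos:pos + 2])
        raw = hello[pos + 2:pos + 2 + n]
        if len(raw) != n or n % 2:
            raise ValueError("truncated cipher suite list")
        return [s for (s,) in struct.iter_unpack("!H", raw)]
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed record") from exc

def blacklisted_offered(record, blacklist_arg=BLACKLIST_ARG):
    """Suites the client still offers although the flag should have removed them."""
    blocked = parse_blacklist(blacklist_arg)
    return [s for s in offered_suites(record) if s in blocked]

def sample_hello(suites):
    """Constructed minimal ClientHello (no extensions) for demonstration."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # Constructed input: a client that ignored the blacklist still offers 0x002F etc.
    leaked = blacklisted_offered(sample_hello([0xC02B, 0xC02F, 0x002F, 0x0035, 0x000A]))
    print("blacklisted suites still offered:", [f"0x{s:04X}" for s in leaked])
```

An empty result means none of the listed suites were offered. This covers only the cipher list; the effect of `--ssl-version-min` is not visible in the fields parsed here.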