Copybara Prod has uploaded this change for review.
Switch to TLS 1.2 as minimum requirement according to https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-06.txt
Closes https://github.com/dart-lang/sdk/pull/41135
https://github.com/dart-lang/sdk/pull/41135
GitOrigin-RevId: 8eec9354bc88881d405d78992ac05a77cbbc6929
Change-Id: Ic8340eee7fa26846302727672ca7989ce1e93c99
---
M runtime/bin/security_context.cc
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/runtime/bin/security_context.cc b/runtime/bin/security_context.cc
index 5d649df..6c72825 100644
--- a/runtime/bin/security_context.cc
+++ b/runtime/bin/security_context.cc
@@ -805,7 +805,7 @@
SSLFilter::InitializeLibrary();
SSL_CTX* ctx = SSL_CTX_new(TLS_method());
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLCertContext::CertificateCallback);
- SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+ SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
SSL_CTX_set_cipher_list(ctx, "HIGH:MEDIUM");
SSLCertContext* context = new SSLCertContext(ctx);
Dart_Handle err = SetSecurityContext(args, context);
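Review bot: The result of SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) on the changed line is discarded, so if the call fails the context is created without the TLS 1.2 floor this change is meant to enforce, and nothing reports it. The function returns 1 on success and 0 on failure; consider checking it and failing context creation instead of continuing. A short comment above the line naming the deprecation draft cited in the commit message would also tell later readers why the floor is set to 1.2.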
To view, visit change 140481. To unsubscribe, or for help writing mail filters, visit settings.
This change looks simple enough but I'm going to loop in a couple of team members to confirm there's no issue with this. Thanks!
Patch set 1:Commit-Queue +1
Would this be a breaking change in Fuchsia ?
Patch set 1:Code-Review +1
Ryan Macnak uploaded patch set #2 to the change originally created by Copybara Prod.
Switch to TLS 1.2 as minimum requirement according to https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-06.txt
Closes https://github.com/dart-lang/sdk/pull/41135
https://github.com/dart-lang/sdk/pull/41135
GitOrigin-RevId: 8eec9354bc88881d405d78992ac05a77cbbc6929
Change-Id: Ic8340eee7fa26846302727672ca7989ce1e93c99
---
M runtime/bin/security_context.cc
1 file changed, 1 insertion(+), 1 deletion(-)
This warrants a CHANGELOG entry at least.
I'm a fan of this change, in principle. I'm unclear about the exact impact, so we must not merge this until we know for sure.
We'll want to send this through the breaking change policy. It's very likely Flutter customers will run into issues with servers outside of their control. We have a social responsibility to push internet security forward so some amount of breakage should be tolerated. Chrome's plan is to remove TLS 1.0 and TLS 1.1 in the imminent Chrome 81 release <https://www.chromestatus.com/feature/5759116003770368>. We may want to synchronize with their timetable, then there would be less confusion from our customers if the page doesn't load in Chrome in the first place. On the other hand, right now such pages are loaded as Not Secure.
We'll want to do a G3 global presubmit. If any servers don't speak TLS 1.2, it could be a significant breakage if we're not ready.
Copybara Prod uploaded patch set #3 to this change.
Switch to TLS 1.2 as minimum requirement
According to https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-06.txt
GitOrigin-RevId: e1dc037c1e22996b2085e3d16427525c033bdc01
Change-Id: Ic8340eee7fa26846302727672ca7989ce1e93c99
---
M runtime/bin/security_context.cc
1 file changed, 1 insertion(+), 1 deletion(-)
Is someone moving this forward?
Patch Set 3:
Is someone moving this forward?
I see three tasks that need to be completed before this lands
I can shepherd this process and will need help from mit@ for the first one (breaking change), davidmorgan@ for the second one (G3 presubmit) and zra@ for the third one.
Sounds good. Chrome will also be making a similar change in the upcoming 84 release <https://www.chromestatus.com/feature/5759116003770368>.
Patch set 3:Code-Review +1
1 comment:
Patchset:
Step 1: Breaking change request has been filed here: https://github.com/dart-lang/sdk/issues/46875
1 comment:
Patchset:
What is the status of this CL?
Attention is currently required from: Michael Thomsen.
1 comment:
Patchset:
What is the status of this CL?
We have the breaking change request reviewed and approved, the CL is ready to land.
Patch set 3:Commit-Queue +2
1 comment:
Patchset:
We have the breaking change request reviewed and approved, the CL is ready to land.
Thanks, I'll merge this now!
Michael Thomsen uploaded patch set #4 to the change originally created by Copybara Prod.
Switch to TLS 1.2 as minimum requirement
According to https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-06.txt
TEST=Not applicable, config change.
GitOrigin-RevId: e1dc037c1e22996b2085e3d16427525c033bdc01
Change-Id: Ic8340eee7fa26846302727672ca7989ce1e93c99
---
M runtime/bin/security_context.cc
1 file changed, 18 insertions(+), 1 deletion(-)
Patch set 4:Commit-Queue +2
commi...@chromium.org submitted this change.
3 is the latest approved patch-set.
No files were changed between the latest approved patch-set and the submitted one.
Switch to TLS 1.2 as minimum requirement
According to https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-06.txt
TEST=Not applicable, config change.
GitOrigin-RevId: e1dc037c1e22996b2085e3d16427525c033bdc01
Change-Id: Ic8340eee7fa26846302727672ca7989ce1e93c99
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/140481
Commit-Queue: Michael Thomsen <m...@google.com>
Reviewed-by: Siva Annamalai <as...@google.com>
---
M runtime/bin/security_context.cc
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/runtime/bin/security_context.cc b/runtime/bin/security_context.cc
index d2cd927..ee431c8 100644
--- a/runtime/bin/security_context.cc
+++ b/runtime/bin/security_context.cc
@@ -807,7 +807,7 @@
SSLFilter::InitializeLibrary();
SSL_CTX* ctx = SSL_CTX_new(TLS_method());
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLCertContext::CertificateCallback);
- SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+ SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
SSL_CTX_set_cipher_list(ctx, "HIGH:MEDIUM");
SSLCertContext* context = new SSLCertContext(ctx);
Dart_Handle err = SetSecurityContext(args, context);
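Review bot: The unchanged context line SSL_CTX_set_cipher_list(ctx, "HIGH:MEDIUM") directly after the new floor still admits the MEDIUM cipher class, which deserves a deliberate decision now that the protocol policy in this function is being tightened. Please confirm that MEDIUM is still intended with TLS1_2_VERSION as the minimum, or narrow the list in a follow-up. The stat line above reports 21 insertions while this hunk shows a single changed line, so the remaining additions are not visible here for review.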
go/dart-cbuild result: SUCCESS
Details: https://goto.google.com/dart-cbuild/find/8062c4cc6719f2f3f75b2b8ca4f6bcfb7b3679f0
1 comment:
Patchset:
Changelog update in https://dart-review.googlesource.com/c/sdk/+/215404
1 comment:
Patchset:
Is this worth a changelog entry?
Yes, already underway and linked from the issue
1 comment:
Patchset:
Yes, already underway and linked from the issue
👍
1 comment:
Patchset: