[OS X] Upgrade OSX Client to support TLSv1.2 and drop the older, dangerous protocols #5217
Comments
FYI @danimo @richmoore
My OS X client 2.2.3 already connects via TLSv1.2 on OS X Mavericks. However, I have other ciphers still enabled (TLS >=1.0). @oparoz is your client not able to connect via TLSv1.2 at all or only if other TLS versions are disabled?
I tested OSX client 2.2.3 on El Capitan with my webserver which serves only TLS1.2 with an ECC P256 key and it fails.
After update to 2.2.4, I still can connect using the TLSv1.2 RSA ECDH AESGCM(256). Is there a list of supported ciphers on the client? |
My server supports only
Perhaps we should check first which OSes support which ciphers of TLSv1.2 and make sure that the NC client supports them as well. Of special interest are mature OSes such as CentOS. Before we disable everything <TLSv1.2, we should perhaps issue a warning first. For some it might be a minor configuration setting, but if you need to run a full upgrade on your operating system or you have to change your shared hoster, that will take more time. And a non-encrypted fall-back is worse than TLSv1.0 or TLSv1.1.
The only insecure client is the one for OSX. So if you can ban OSX from your network, do it and tighten the security of your server. TLS1.1 is still OK, but TLS 1.0 has to be avoided.
I can't reproduce this with the 2.2.4 release and nginx.
Is this an Apache issue?
Apparently this happens only with the Nextcloud client, because of the Qt version they use on their build system (link to issue). The ownCloud client works with TLS 1.2 only setups.
Great. The Nextcloud client is just a theme anyway.
Expected behaviour
Servers should be able to set TLSv1.2 as the minimum supported protocol
Actual behaviour
Servers which have OSX clients connecting to them need to keep TLSv1.0 enabled, which is a security risk
Steps to reproduce
Client configuration
Client version: 2.2
Operating system: OSX
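Added example, not part of the issue or of the client's code: before raising a server's minimum to TLSv1.2, an operator can check the access log for clients that still negotiate older protocols. It assumes an nginx `log_format` that records `$ssl_protocol` and `$ssl_cipher`; the log layout, the sample lines and the user-agent strings are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed nginx log format (an assumption, not taken from the thread):
#   log_format tls '$remote_addr [$time_local] $ssl_protocol $ssl_cipher "$http_user_agent"';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] (?P<proto>\S+) (?P<cipher>\S+) "(?P<ua>[^"]*)"$'
)
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # everything below TLSv1.2

# Constructed sample lines; addresses come from the documentation range 192.0.2.0/24.
SAMPLE_LOG = """\
192.0.2.10 [12/Oct/2016:10:01:02 +0000] TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "desktop-sync/2.2.4 (Linux)"
192.0.2.11 [12/Oct/2016:10:01:05 +0000] TLSv1 AES256-SHA "desktop-sync/2.2.3 (OSX)"
192.0.2.11 [12/Oct/2016:10:03:41 +0000] TLSv1 AES256-SHA "desktop-sync/2.2.3 (OSX)"
192.0.2.12 [12/Oct/2016:10:04:00 +0000] TLSv1.1 ECDHE-RSA-AES128-SHA "ExampleSync/1.0"
192.0.2.13 [12/Oct/2016:10:05:00 +0000] - - "-"
this line is malformed
"""

def legacy_clients(log_text):
    """Return ({user_agent: Counter(protocol -> hits)}, skipped_line_count)."""
    hits = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # unparseable line: count it instead of guessing
            continue
        proto = m.group("proto")  # nginx logs "-" for plain-HTTP requests
        if proto in LEGACY:
            hits[m.group("ua")][proto] += 1
    return dict(hits), skipped

def safe_to_require_tls12(log_text):
    """True only if no logged client negotiated anything older than TLSv1.2."""
    hits, _ = legacy_clients(log_text)
    return not hits

if __name__ == "__main__":
    hits, skipped = legacy_clients(SAMPLE_LOG)
    for ua, protos in sorted(hits.items()):
        print(ua, dict(protos))
    print("skipped lines:", skipped)
    print("safe to require TLSv1.2:", safe_to_require_tls12(SAMPLE_LOG))
```

A client that offers TLSv1.2 but is logged with an older protocol points at the server configuration rather than the client, so the per-user-agent breakdown is worth reading before any client is blamed.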