synapsenstau

full TLS v1.2 support

7 posts in this topic

Hi,

Would you like to add complete TLS v1.2 support to your client? And not the castrated DC++ version (only AES128 and not AES256). Apex is based on DC++, but they will not be changing to full encryption in the near future.


Hi synapsenstau,

When you say full TLS 1.2 support, can you give examples of what you feel is missing and relevant? There are security reasons for the "castrated" cipher suite we use; in fact we actually support more ciphers than DC++ at this time, but are looking into following their lead.

Hope this helps.


Hi Lee,

First of all, good job with ApexDC; it's a comfortable and stable client, and I have used it for over 2 years without any problems.

In the next few weeks we will change the TLS protocol in Luadch from TLSv1 to TLSv1.2, and I think the reason for this should be clear.

With TLSv1.2 we can use ciphers like ECDHE-RSA-AES256-GCM-SHA384 or others that only run with TLSv1.2. In this context there are some problems we need to solve:

Problem 1: Most clients based on DC++ (ApexDC too), and DC++ itself, do indeed have TLSv1.2 support, but these guys disable it, don't ask me why^^ And so most DC++ based clients have TLSv1.2 disabled too (inherited). And as if that were not enough, here is the next problem:

Problem 2: DC++ has a limitation to AES128 bit ciphers (they call them "reasonable TLS ciphersuites", no joke, here is the code: http://sourceforge.net/p/dcplusplus/code/ci/5c967fcb1ff9a0aa9886a8e65cdbfab1afe9bda4/) and yes, most DC++ based clients have this problem too (inherited).

Whatever, the AirDC developers disabled this imho ridiculous limitation (here is the code: https://github.com/airdcpp/airgit/commit/b0826716ae4ae22fc006e5aecf06d9a2e99f7310) and support TLSv1.2 in the new 3.00a versions too.

Here is a small list of popular clients:

    Windows Clients:

      DC++              TLSv1.2 Support:  YES in Version: 0.850 or higher (but uses an AES128 cipher limitation)
      AirDC++           TLSv1.2 Support:  YES in Version: 3.00a-29 or higher (no cipher limitation)
      StrongDC++        TLSv1.2 Support:  NO
      ApexDC++          TLSv1.2 Support:  NO
      RSX++             TLSv1.2 Support:  NO
      SmVDC++           TLSv1.2 Support:  NO
      DC@fe++           TLSv1.2 Support:  NO

    Linux/Unix Clients:

      jucy (uc)         TLSv1.2 Support:  YES in Version: 0.87 or higher (no cipher limitation)
      EiskaltDC++       TLSv1.2 Support:  NO
      LinuxDC++         TLSv1.2 Support:  NO
      NCurses (ncdc)    TLSv1.2 Support:  YES in Version: 1.19.1 or higher (no cipher limitation)
      AirDC Nano        TLSv1.2 Support:  NO (coming soon with no cipher limitation)


The question I have for you, Lee: Will ApexDC support TLSv1.2 in the next version? And does it have a cipher limitation like DC++?

greets pulsar


OpenSSL has absolutely horrible default ciphers, so in that regard AirDC++'s solution is not ideal either (hello null ciphers etc.). OpenSSL has a terrible track record with its default configuration options overall.

Also for the record, ApexDC already has TLS 1.2. Just to add, AES-256 can in fact be slightly less secure than AES-128, so there is that also.

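An added example, not part of the thread and not code from ApexDC++, DC++ or AirDC++: one way to avoid relying on OpenSSL's default cipher list is to pin an explicit cipher string and audit what the library actually enables, shown here with Python's `ssl` module (an OpenSSL wrapper). The `POLICY` string, the function names and the `SAMPLE` entries are assumptions constructed for this illustration.

```python
import ssl

# Assumed policy for this example, not any client's shipped list: forward-secret
# AES-GCM suites only, with NULL, anonymous and export suites ruled out explicitly.
POLICY = "ECDHE+AESGCM:!aNULL:!eNULL:!EXPORT"

def build_context(cipher_string=POLICY):
    """Client context pinned to TLS 1.2+ and an explicit cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx

def violations(ciphers):
    """Names of TLS 1.2-and-below suites that break the policy above.

    `ciphers` is a list of dicts shaped like SSLContext.get_ciphers() output.
    TLS 1.3 suites are skipped because set_ciphers() does not control them.
    """
    bad = []
    for c in ciphers:
        name = c["name"]
        if c.get("protocol") == "TLSv1.3" or name.startswith("TLS_"):
            continue
        forward_secret = name.startswith("ECDHE-")  # excludes AECDH (anonymous)
        aead = "GCM" in name
        if not (forward_secret and aead and c.get("strength_bits", 0) >= 128):
            bad.append(name)
    return bad

def enabled_tls12(ctx):
    """Sorted names of the pre-TLS-1.3 suites the context will offer."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if not c["name"].startswith("TLS_"))

# Constructed sample entries (not captured from any client) showing what is flagged.
SAMPLE = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
    {"name": "NULL-SHA256", "protocol": "TLSv1.2", "strength_bits": 0},
    {"name": "AECDH-AES256-SHA", "protocol": "TLSv1.0", "strength_bits": 256},
]

if __name__ == "__main__":
    ctx = build_context()
    print("offered:", enabled_tls12(ctx))
    print("violations in context:", violations(ctx.get_ciphers()))
    print("violations in sample:", violations(SAMPLE))
```

Running the same audit over a context built without `set_ciphers()` shows what the local OpenSSL build enables by default.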

Which TLSv1.2 ciphers are allowed in ApexDC?

Edit: removed the listing for the future, to avoid outdated information being left here; one can always find the up-to-date list of ciphers in the source code distribution.
