I've seen this in 4.0.2 and 4.0.3, Windows (don't know when it started).
The description reads as follows, which I assume to be correct: "Note: Select SSL 3.0 if you have problem connecting to old servers. Otherwise, leave it at the default value of TLS 1.0 to ensure better security."
However, SSL 3.0 is the default instead of TLS 1.0.
[Fixed] Minimum SSL version disagrees with description
Re: Minimum SSL version disagrees with description
It was TLS 1.0 as the default when it first came about due to a security bug/flaw found in chrome but i would imagine its a obsolete setting now as i would have thought chrome or the parties involved would fixed it by now in the latest releases by
disabling SSL 3.0 completely.
viewtopic.php?f=5&t=131 then http://www.slimjet.com/en/whatisnew.php scroll down to version 1.2.9.0 CRITICAL SECURITY UPDATE: Set default SSL minimum to TLS 1.0 as a response to the Poodle bites exploit of SSL 3.0
disabling SSL 3.0 completely.
viewtopic.php?f=5&t=131 then http://www.slimjet.com/en/whatisnew.php scroll down to version 1.2.9.0 CRITICAL SECURITY UPDATE: Set default SSL minimum to TLS 1.0 as a response to the Poodle bites exploit of SSL 3.0
Re: Minimum SSL version disagrees with description
Chrome did end up removing/disabling (for a while you had to use a switch to do it), but Chromium/Blink apparently didn't since if you leave Slimjet at the default of SSL3 and visit this site, it shows that it's alive and kicking:
https://www.ssllabs.com/ssltest/viewMyClient.html
No doubt you're right that most servers have deprecated it, but probably not all considering how many there are. Still, one of the TLS's would probably negotiate before SSL3 ever would, but better safe than sorry.
https://www.ssllabs.com/ssltest/viewMyClient.html
No doubt you're right that most servers have deprecated it, but probably not all considering how many there are. Still, one of the TLS's would probably negotiate before SSL3 ever would, but better safe than sorry.
Re: Minimum SSL version disagrees with description
Yes better safe than sorry but I think the ssl settings in slimjet now needs removing as it was patched in chrome/chromium 40/upwards that ssl3 is no longer available where as with slimjet because of that setting it is, so your novice/general users of slimjet are open to the vulnerable of the poodle exploit without knowing any better. Even more so as you have pointed out that the default is ssl3 not tls in their latest releases.
Sometimes its better not to know the devil you know.
Sometimes its better not to know the devil you know.
Re: Minimum SSL version disagrees with description
I think the change in Chrome/Chromium must have just been about it being disabled by default, because it is still possible via:
chrome://flags/#ssl-version-min
They probably left it there for legacy reasons--some old site that only supports SSL3, and maybe also for the uber-secure (those who want to require TLS 1.1 or even 1.2).
Since that same flag works in Slimjet too, maybe, like you say, Slimjet's additional setting can go.
chrome://flags/#ssl-version-min
They probably left it there for legacy reasons--some old site that only supports SSL3, and maybe also for the uber-secure (those who want to require TLS 1.1 or even 1.2).
Since that same flag works in Slimjet too, maybe, like you say, Slimjet's additional setting can go.
Re: Minimum SSL version disagrees with description
There is a display issue of that option here. The default value is actually TLS 1.0 but incorrectly displayed in the option settings. If you have never changed the option manually, you actually gets tls1.. But if you changed to tls 1.0 and change back to sslv3, you will get the real sslv3.
We will fix this in the next build. Thanks for pointing it out.
We will fix this in the next build. Thanks for pointing it out.
Stephen Cheng
FlashPeak Inc.
FlashPeak Inc.