Feature #1323

It doesn't seem to be possible to disable SSLv3.

Added by ddenis about 7 years ago. Updated 7 months ago.

SSLv3 is considered harmful (see CVE-2014-3566 aka POODLE) but it seems to be used by default for QuasselCore / Client.

As far as I understand, the default SSL protocol for QSslSocket is SSLv3 and TLSv1.0 (that is covered by the QSsl::SecureProtocols enum value, which is the default). There is a fix in Qt to not include SSLv3 in QSsl::SecureProtocols; however, it hasn't been released yet (and seems to be in upcoming 5.4 only -

It would be great if it is possible to enforce TLS-only connections with Quassel.

Related issues

Related to Quassel IRC - Bug #1728: Core launched with --require-ssl flag, but no certificate to load, will accept plaintext connections (Resolved, 2021-06-16)


#1 Updated by phuzion 8 months ago

  • Related to Bug #1728: Core launched with --require-ssl flag, but no certificate to load, will accept plaintext connections added

#2 Updated by phuzion 8 months ago

Hi there. I'm going through the backlog of bugs in the queue and handling ones I think I can help out with.

I've just done a test with openssl s_client, on quasselcore built from source, and my build is only supporting TLS 1.0, 1.1 and 1.2. No SSLv3 is supported. I also tested the Fedora-packaged Quasselcore (0.13.1) and it also does not support SSLv3. I do not believe that any modern builds of Quassel support SSLv3 anymore.

In testing this bug, I also discovered #1728, which currently has a PR submitted to fix. Once that is merged, this bug should be good to close.

#3 Updated by phuzion 7 months ago

  • Status changed from New to Resolved

With #1728 resolved, I'm happy to say this bug is fully resolved. Thanks for the report!
