mumble-voip/mumble

[Feature Request] Prevent old user versions

Open

#4128 opened on May 3, 2020

Labels: feature-request, good first issue, server

Description

Context: Security, Privacy

Description: I would like to be able to block old versions of mumble from joining my servers.

I know this is a difficult issue (in terms of opinions), but #4001 pointed me to the fact that there are many (very) outdated versions of mumble around and it is imo a security and privacy risk for others to let them join so easily.

Like I said, some people won't like this, but I wanted to give this issue a platform for discussion. Imo it should be the decision of a server owner.

For Reference: Many Servers (of Games, Services etc.) also don't let outdated versions join, for various reasons, including security, so it is quite common.

Alternatives:

  • I am aware of suggestVersion, but as far as I understand, that is just a notification, or am I wrong?

Open Questions:

  • What SSL/TLS versions does mumble/murmur still accept?
  • Are there any messages/popups implemented in the past (v.1.2 and above) that could be used for this?
    • Ban-Message? (suggested by @Krzmbrzl (comment))
    • "Access denied/Connection refused" message (not available?)
