Several changes:

 - Disabled TLS v. 1.0 and 1.1
 - idle timeout: release notes, doc fixes

ReleaseNotes.html

@@ -102,6 +102,14 @@ <h3>Path parameters</h3>
 
 <p>A feature example demonstrating this was added in <tt>examples/feature/urlparams</tt>.</p>
 
+<h3>Idle timeout</h3>
+
+<p>Added an <tt>&lt;idle-timeout&gt;</tt> option to the configuration (<tt>wt_config.xml</tt>). If set,
+<a href="classWt_1_1WApplication.html#a4e8020fca24d09661ee4bf13400354d9"><tt>WApplication::idleTimeout()</a></tt> will be triggered after the configured number of seconds.</p>
+
+<p>This is intended to prevent unauthorized people from using an active session from a
+device that's been abandoned by the user.</p>
+
 <a href="classWt_1_1WFileDropWidget.html"><h3>WFileDropWidget</h3></a>
 
 <p>Added the ability to set a
@@ -124,6 +132,9 @@ <h3>Miscellaneous improvements</h3>
     Added <tt>insertTab</tt>, <tt>itemAt</tt> and <tt>currentItem</tt> to
     <a href="classWt_1_1WTabWidget.html"><tt>WTabWidget</tt></a>
   </li>
+  <li>
+    Disabled TLS v. 1.0 and 1.1 support
+  </li>
 </ul>
 
 <h2>Release 4.0.3 (April 12, 2018)</h2>

src/Wt/Http/Client.C

@@ -937,7 +937,15 @@ bool Client::request(Http::Method method, const std::string& url,
     asio::ssl::context context
       (*ioService, asio::ssl::context::sslv23);
 #endif
-    long sslOptions = asio::ssl::context::no_sslv2 | asio::ssl::context::no_sslv3;
+    long sslOptions = asio::ssl::context::no_sslv2 |
+                      asio::ssl::context::no_sslv3 |
+                      asio::ssl::context::no_tlsv1;
+
+#if (defined(WT_ASIO_IS_BOOST_ASIO) && BOOST_VERSION >= 105800) || \
+     defined(WT_ASIO_IS_STANDALONE_ASIO)
+    sslOptions |= asio::ssl::context::no_tlsv1_1;
+#endif
+
     context.set_options(sslOptions);
 
 

src/Wt/WApplication.h

@@ -2112,8 +2112,15 @@ class WT_API WApplication : public WObject
 
   /*! \brief Idle timeout handler
    *
+   * \if cpp
    * If <tt>idle-timeout</tt> is set in the configuration, this method is called when
    * the user seems idle for the number of seconds set in <tt>idle-timeout</tt>.
+   * \elseif java
+   * If idle timeout is set in the configuration
+   * ({@link Configuration#setIdleTimeout(int)}), this
+   * method is called when the user seems idle for the number of seconds set as the
+   * idle timeout.
+   * \endif
    *
    * This feature can be useful in security sensitive applications
    * to prevent unauthorized users from taking over the session
@@ -2166,6 +2173,8 @@ class WT_API WApplication : public WObject
    * };
    * \endcode
    *
+   * \endif
+   *
    * \note The events currently counted as user activity are:
    *  - mousedown
    *  - mouseup
@@ -2176,8 +2185,6 @@ class WT_API WApplication : public WObject
    *  - touchend
    *  - pointerdown
    *  - pointerup
-   *
-   * \endif
    */
   virtual void idleTimeout();
 

src/http/Server.C

@@ -211,6 +211,12 @@ void Server::start()
     if (!config_.sslEnableV3())
       sslOptions |= asio::ssl::context::no_sslv3;
 
+    sslOptions |= asio::ssl::context::no_tlsv1;
+#if (defined(WT_ASIO_IS_BOOST_ASIO) && BOOST_VERSION >= 105800) || \
+     defined(WT_ASIO_IS_STANDALONE_ASIO)
+    sslOptions |= asio::ssl::context::no_tlsv1_1;
+#endif
+
     ssl_context_.set_options(sslOptions);
 
     if (config_.sslClientVerification() == "none") {

wt_config.xml.in

@@ -109,9 +109,9 @@
 
             <!-- Idle timeout (seconds).
 
-               When the user does not interact with the application for time,
+               When the user does not interact with the application for the set number of seconds,
                WApplication::idleTimeout() is called. By default, this
-               methods quits the application immediately, but it can be overridden
+               method quits the application immediately, but it can be overridden
                if different behaviour is desired.
 
                This feature can be used to prevent others from taking over a session