diff --git a/ReleaseNotes.html b/ReleaseNotes.html
index 6c89e426d6..5d76250993 100644
--- a/ReleaseNotes.html
+++ b/ReleaseNotes.html
@@ -102,6 +102,14 @@
Path parameters
A feature example demonstrating this was added in examples/feature/urlparams.
+Idle timeout
+
+Added an <idle-timeout> option to the configuration (wt_config.xml). If set,
+WApplication::idleTimeout() will be triggered after the configured number of seconds.
+
+This is intended to prevent unauthorized people from using an active session from a
+device that's been abandoned by the user.
+
WFileDropWidget
Added the ability to set a
@@ -124,6 +132,9 @@
Miscellaneous improvements
Added insertTab, itemAt and currentItem to
WTabWidget
+
+ Disabled TLS v. 1.0 and 1.1 support
+
Release 4.0.3 (April 12, 2018)
diff --git a/src/Wt/Http/Client.C b/src/Wt/Http/Client.C
index 6bb21a9587..dfc3b90734 100644
--- a/src/Wt/Http/Client.C
+++ b/src/Wt/Http/Client.C
@@ -937,7 +937,15 @@ bool Client::request(Http::Method method, const std::string& url,
asio::ssl::context context
(*ioService, asio::ssl::context::sslv23);
#endif
- long sslOptions = asio::ssl::context::no_sslv2 | asio::ssl::context::no_sslv3;
+ long sslOptions = asio::ssl::context::no_sslv2 |
+ asio::ssl::context::no_sslv3 |
+ asio::ssl::context::no_tlsv1;
+
+#if (defined(WT_ASIO_IS_BOOST_ASIO) && BOOST_VERSION >= 105800) || \
+ defined(WT_ASIO_IS_STANDALONE_ASIO)
+ sslOptions |= asio::ssl::context::no_tlsv1_1;
+#endif
+
context.set_options(sslOptions);
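Review bot: The `#if` guard around `no_tlsv1_1` silently leaves TLS 1.1 enabled on Boost.Asio builds older than 1.58, while the release note added in this commit says TLS 1.0 and 1.1 are both disabled. The same guard appears in Server::start() in src/http/Server.C. I would state the gap above the guard, e.g. `// no_tlsv1_1 is unavailable before Boost 1.58: TLS 1.1 stays enabled on those builds`, and add an `#else` branch that makes the weaker configuration visible, either with a `#warning` or, if the OpenSSL headers are in scope here, with `sslOptions |= SSL_OP_NO_TLSv1_1;` under `#ifdef SSL_OP_NO_TLSv1_1`. Client::request's body starts and ends outside the hunk.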
diff --git a/src/Wt/WApplication.h b/src/Wt/WApplication.h
index c9459bcc6b..26ed923d59 100644
--- a/src/Wt/WApplication.h
+++ b/src/Wt/WApplication.h
@@ -2112,8 +2112,15 @@ class WT_API WApplication : public WObject
/*! \brief Idle timeout handler
*
+ * \if cpp
* If idle-timeout is set in the configuration, this method is called when
* the user seems idle for the number of seconds set in idle-timeout.
+ * \elseif java
+ * If idle timeout is set in the configuration
+ * ({@link Configuration#setIdleTimeout(int)}), this
+ * method is called when the user seems idle for the number of seconds set as the
+ * idle timeout.
+ * \endif
*
* This feature can be useful in security sensitive applications
* to prevent unauthorized users from taking over the session
@@ -2166,6 +2173,8 @@ class WT_API WApplication : public WObject
* };
* \endcode
*
+ * \endif
+ *
* \note The events currently counted as user activity are:
* - mousedown
* - mouseup
@@ -2176,8 +2185,6 @@ class WT_API WApplication : public WObject
* - touchend
* - pointerdown
* - pointerup
- *
- * \endif
*/
virtual void idleTimeout();
diff --git a/src/http/Server.C b/src/http/Server.C
index ad16591fd3..9ac34071ed 100644
--- a/src/http/Server.C
+++ b/src/http/Server.C
@@ -211,6 +211,12 @@ void Server::start()
if (!config_.sslEnableV3())
sslOptions |= asio::ssl::context::no_sslv3;
+ sslOptions |= asio::ssl::context::no_tlsv1;
+#if (defined(WT_ASIO_IS_BOOST_ASIO) && BOOST_VERSION >= 105800) || \
+ defined(WT_ASIO_IS_STANDALONE_ASIO)
+ sslOptions |= asio::ssl::context::no_tlsv1_1;
+#endif
+
ssl_context_.set_options(sslOptions);
if (config_.sslClientVerification() == "none") {
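Review bot: `config_.sslEnableV3()` can still leave SSLv3 enabled just above the new lines, while TLS 1.0 and 1.1 are now refused unconditionally, so a server with that option set would accept the oldest protocol but reject the two newer ones. If SSLv3 is meant to remain configurable, I would at least log a warning when the option is set and add a comment such as `// TLS 1.0/1.1 are always disabled; only SSLv3 is still configurable (legacy option)`. Otherwise, setting `no_sslv3` unconditionally here would make the protocol floor consistent. Server::start's body starts and ends outside the hunk.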
diff --git a/wt_config.xml.in b/wt_config.xml.in
index 22b05df876..6a71aef21a 100644
--- a/wt_config.xml.in
+++ b/wt_config.xml.in
@@ -109,9 +109,9 @@