Disable support for obsolete SSL cipher suites and enable support for newer ones

[itsnotabigtruck]

The NSS implementation of SSL/TLS for Pidgin currently enables only the default selection of cipher suites, plus some additional suites added to resolve #1435. The NSS defaults are highly outdated, and exclude a number of secure cipher suites added within the past 10 years while allowing obsolete 1DES and "export" suites. Additionally, NSS allows SSLv2 by default, which has known weaknesses and has been obsolete since 1996.

The attached patch enables only the available strong cipher suites using the method described at <​https://developer.mozilla.org/en/TLS_Cipher_Suite_Discovery>. SSLv2 is also disabled for all connections.

This patch as well as a version of NSS compiled with NSS_ENABLE_ECC are required to connect to servers using Elliptic Curve Cryptography (ECC). It might be necessary to recompile the build of NSS shipped with Pidgin for Windows using this option. ECC is already enabled in the NSS builds shipped by most Linux distros, though notably not Red Hat/Fedora?-based distros.

[itsnotabigtruck]

Patch

[itsnotabigtruck]

List of cipher suites (from Wireshark) enabled by the patch

[itsnotabigtruck]

I've set up a test XMPP server at ecc.endno.de that's configured with a self-signed ECDSA certificate - it should only be possible to connect to it from an ECC-capable IM client.

[elb]

This patch looks OK to me.

Who is our current SSL guru? Paul?

Ethan

[darkrain42]

Name and email address for credit/copyright?

[ildar]

@itsnotabigtruck , please.

This patch is more actual each day. Could someone apply it and add names etc. later?

ref: ​https://github.com/matrix-org/purple-matrix/issues/80

[grim]

I'll look at this soon, but we do not have a date or even time frame for 2.14 (the next release yet).

[grim]

An alternative to this was actually merged in for 2.13.0 in ​https://bitbucket.org/pidgin/main/commits/2deceb0