Opened 6 years ago
Last modified 6 years ago
#14668 new patch
Disable support for obsolete SSL cipher suites and enable support for newer ones
| Reported by: | itsnotabigtruck | Owned by: | darkrain42 |
|---|---|---|---|
| Milestone: | Component: | libpurple | |
| Version: | 2.10.0 | Keywords: | tls ssl nss ciphers |
| Cc: |
Description
The NSS implementation of SSL/TLS for Pidgin currently enables only the default selection of cipher suites, plus some additional suites added to resolve #1435. The NSS defaults are highly outdated, and exclude a number of secure cipher suites added within the past 10 years while allowing obsolete 1DES and "export" suites. Additionally, NSS allows SSLv2 by default, which has known weaknesses and has been obsolete since 1996.
The attached patch enables only the available strong cipher suites using the method described at <https://developer.mozilla.org/en/TLS_Cipher_Suite_Discovery>. SSLv2 is also disabled for all connections.
This patch as well as a version of NSS compiled with NSS_ENABLE_ECC are required to connect to servers using Elliptic Curve Cryptography (ECC). It might be necessary to recompile the build of NSS shipped with Pidgin for Windows using this option. ECC is already enabled in the NSS builds shipped by most Linux distros, though notably not Red Hat/Fedora?-based distros.
Attachments (2)
Change History (5)
Changed 6 years ago by itsnotabigtruck
comment:1 Changed 6 years ago by itsnotabigtruck
I've set up a test XMPP server at ecc.endno.de that's configured with a self-signed ECDSA certificate - it should only be possible to connect to it from an ECC-capable IM client.
comment:2 Changed 6 years ago by elb
- Owner set to darkrain42
This patch looks OK to me.
Who is our current SSL guru? Paul?
Ethan
comment:3 Changed 6 years ago by darkrain42
Name and email address for credit/copyright?
Patch