Opened 5 years ago

Last modified 5 years ago

#14668 new patch

Disable support for obsolete SSL cipher suites and enable support for newer ones

Reported by: itsnotabigtruck Owned by: darkrain42
Milestone: Component: libpurple
Version: 2.10.0 Keywords: tls ssl nss ciphers
Cc:

Description

The NSS implementation of SSL/TLS for Pidgin currently enables only the default selection of cipher suites, plus some additional suites added to resolve #1435. The NSS defaults are highly outdated, and exclude a number of secure cipher suites added within the past 10 years while allowing obsolete 1DES and "export" suites. Additionally, NSS allows SSLv2 by default, which has known weaknesses and has been obsolete since 1996.

The attached patch enables only the available strong cipher suites using the method described at <https://developer.mozilla.org/en/TLS_Cipher_Suite_Discovery>. SSLv2 is also disabled for all connections.

This patch as well as a version of NSS compiled with NSS_ENABLE_ECC are required to connect to servers using Elliptic Curve Cryptography (ECC). It might be necessary to recompile the build of NSS shipped with Pidgin for Windows using this option. ECC is already enabled in the NSS builds shipped by most Linux distros, though notably not Red Hat/Fedora?-based distros.

Attachments (2)

nss-cipher-suites.patch (2.3 KB) - added by itsnotabigtruck 5 years ago.
Patch
cslist.png (42.2 KB) - added by itsnotabigtruck 5 years ago.
List of cipher suites (from Wireshark) enabled by the patch

Download all attachments as: .zip

Change History (5)

Changed 5 years ago by itsnotabigtruck

Patch

Changed 5 years ago by itsnotabigtruck

List of cipher suites (from Wireshark) enabled by the patch

comment:1 Changed 5 years ago by itsnotabigtruck

I've set up a test XMPP server at ecc.endno.de that's configured with a self-signed ECDSA certificate - it should only be possible to connect to it from an ECC-capable IM client.

comment:2 Changed 5 years ago by elb

  • Owner set to darkrain42

This patch looks OK to me.

Who is our current SSL guru? Paul?

Ethan

comment:3 Changed 5 years ago by darkrain42

Name and email address for credit/copyright?

Note: See TracTickets for help on using tickets.
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!