Disable support for obsolete SSL cipher suites and enable support for newer ones
| Reported by: | itsnotabigtruck | Owned by: | darkrain42 |
| Version: | 2.10.0 | Keywords: | tls ssl nss ciphers |
The NSS implementation of SSL/TLS for Pidgin currently enables only the default selection of cipher suites, plus some additional suites added to resolve #1435. The NSS defaults are highly outdated, and exclude a number of secure cipher suites added within the past 10 years while allowing obsolete 1DES and "export" suites. Additionally, NSS allows SSLv2 by default, which has known weaknesses and has been obsolete since 1996.
The attached patch enables only the available strong cipher suites using the method described at <https://developer.mozilla.org/en/TLS_Cipher_Suite_Discovery>. SSLv2 is also disabled for all connections.
This patch as well as a version of NSS compiled with NSS_ENABLE_ECC are required to connect to servers using Elliptic Curve Cryptography (ECC). It might be necessary to recompile the build of NSS shipped with Pidgin for Windows using this option. ECC is already enabled in the NSS builds shipped by most Linux distros, though notably not Red Hat/Fedora-based distros.
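The discovery approach described in this ticket, sketched as an added example (this is not the attached patch and not Pidgin's code): every implemented suite gets an explicit enable or disable decision, so the library defaults never apply. `struct suite_info` is a stand-in for the fields a real build would read from NSS's `SSL_GetCipherSuiteInfo()` before calling `SSL_CipherPrefSetDefault()`, and the 112-bit threshold and the sample table are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the SSLCipherSuiteInfo fields the filter reads (assumption:
 * a real build fills these from SSL_GetCipherSuiteInfo() for each suite). */
struct suite_info {
    uint16_t id;                 /* IANA cipher suite number */
    const char *name;
    unsigned effective_key_bits; /* 0 for NULL, 40 for export, 56 for 1DES */
    int is_exportable;
};

/* Assumed policy threshold: keeps 3DES and AES, drops 1DES, export and NULL. */
#define MIN_EFFECTIVE_BITS 112

static int suite_is_strong(const struct suite_info *s)
{
    /* Check the export flag separately from the key size. */
    return !s->is_exportable && s->effective_key_bits >= MIN_EFFECTIVE_BITS;
}

/* Decide every discovered suite explicitly. enabled[i] is the value a real
 * build would pass to SSL_CipherPrefSetDefault(all[i].id, ...). */
static size_t select_suites(const struct suite_info *all, size_t n, int *enabled)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        enabled[i] = suite_is_strong(&all[i]);
        kept += (size_t)enabled[i];
    }
    return kept;
}

/* Constructed sample of what discovery might return. */
static const struct suite_info SAMPLE[] = {
    {0x0002, "TLS_RSA_WITH_NULL_SHA",              0,   0},
    {0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5",     40,  1},
    {0x0009, "TLS_RSA_WITH_DES_CBC_SHA",           56,  0},
    {0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA",      112, 0},
    {0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA",       128, 0},
    {0xC013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 128, 0},
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    int enabled[SAMPLE_LEN];
    size_t kept = select_suites(SAMPLE, SAMPLE_LEN, enabled);
    printf("%zu of %zu suites enabled\n", kept, (size_t)SAMPLE_LEN);
    return 0;
}
```

Disabling SSLv2 is a separate default in NSS, set with `SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE)`; the filter above does not cover it.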