Opened 4 years ago

Last modified 4 years ago

#15247 new patch

sslconn: Allow protocol plugins to set flags customizing SSL connection behavior

Reported by: haakon
Owned by:
Milestone: Patches Needing Review
Component: libpurple
Version: 2.10.6
Keywords: ssl options ocs lync sipe CVE-2011-3389
Cc:

Description

Libpurple allows protocol plugins to create SSL connections with parameters that the SSL backend (NSS, GnuTLS or whatever) uses as default. Most of the time this is sufficient, but there are services which require specific SSL settings to be able to successfully establish communication.

One such example is Microsoft OCS, which doesn't support the 1/n-1 record splitting enabled by default in NSS 3.13.1 as a countermeasure for CVE-2011-3389. Since then, connecting to OCS is only possible with a workaround: setting an environment variable that the user has to know about. Also, that variable affects every SSL connection, unnecessarily decreasing the security of SSL connections other than the OCS one.

To solve the problem I propose this extension to libpurple's API that allows protocol plugins to enable or disable different flags affecting the SSL connection being created (right now there is only one flag). The idea is that the plugin sets the flags it requires, calls purple_ssl_connect, and unsets the flags afterward so that other connections and protocols are not affected.

Attachments (2)

sslconn_add_purple_ssl_set_option.patch (4.2 KB) - added by haakon 4 years ago.
sslconn_add_purple_ssl_set_option_v2.patch (4.2 KB) - added by haakon 4 years ago. Improved patch version.

Change History (4)

Changed 4 years ago by haakon (attachment added)

Changed 4 years ago by haakon (attachment added): improved patch version

comment:1 Changed 4 years ago by haakon

Just uploaded an updated version of the patch, removing the "else" branch from ssl_nss_connect().

When the PURPLE_SSL_DISABLE_CBC_RANDOM_IV flag is not set, I found it better for libpurple to preserve whatever default value the underlying NSS library uses.

comment:2 Changed 4 years ago by Robby

  • Milestone set to Patches Needing Review