sslconn: Allow protocol plugins to set flags customizing SSL connection behavior
Reported by: haakon | Owned by:
Milestone: Patches Needing Review | Component: libpurple
Version: 2.10.6 | Keywords: ssl options ocs lync sipe CVE-2011-3389
Libpurple allows protocol plugins to create SSL connections with the parameters that the SSL backend (NSS, GnuTLS or whatever) uses by default. Most of the time this is sufficient, but there are services that require specific SSL settings before communication can be established successfully.
One such example is Microsoft OCS, which doesn't support the 1/n-1 record splitting enabled by default in NSS 3.13.1 as a countermeasure for CVE-2011-3389. Since then, connecting to OCS has only been possible with a workaround: setting an environment variable that the user has to know about. That variable also affects every SSL connection, unnecessarily decreasing the security of SSL connections other than those to OCS.
To solve the problem I propose this extension to libpurple's API, which allows protocol plugins to enable or disable different flags affecting the SSL connection being created (right now there is only one flag). The idea is that the plugin sets the flags it requires, calls purple_ssl_connect, and unsets the flags afterward so that other connections and protocols are not affected.
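The set-connect-unset sequence above, as an added illustration that is not libpurple code or the attached patch: a small model contrasting per-connection flags with the process-wide environment-variable workaround. All names (ssl_flags_t, SSL_FLAG_NO_RECORD_SPLIT, ssl_set_flags, ssl_unset_flags, ssl_connect, set_global_workaround) and the hostnames are hypothetical placeholders.

```c
/* Added illustration, not libpurple code: a minimal model of the flag API
 * the ticket proposes. ssl_flags_t, SSL_FLAG_NO_RECORD_SPLIT, ssl_set_flags,
 * ssl_unset_flags, ssl_connect and set_global_workaround are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ssl_flags_t;
/* Hypothetical flag: ask the backend to skip 1/n-1 record splitting
 * (the CVE-2011-3389 countermeasure) for the connection about to be made. */
#define SSL_FLAG_NO_RECORD_SPLIT ((ssl_flags_t)1u << 0)

static ssl_flags_t pending_flags = 0;   /* consumed by the next ssl_connect() */
static bool global_workaround = false;  /* models the environment-variable approach */

void ssl_set_flags(ssl_flags_t f)   { pending_flags |= f; }
void ssl_unset_flags(ssl_flags_t f) { pending_flags &= ~f; }
void set_global_workaround(bool on) { global_workaround = on; }

typedef struct {
    const char *host;
    bool record_splitting;  /* whether the backend will split records */
} ssl_conn;

/* Snapshot the flags in effect at call time; the env-var style switch
 * overrides everything, which is exactly the problem the ticket describes. */
ssl_conn ssl_connect(const char *host) {
    ssl_conn c = { host, true };
    if (global_workaround || (pending_flags & SSL_FLAG_NO_RECORD_SPLIT))
        c.record_splitting = false;
    return c;
}

/* Plugin for a server that cannot handle 1/n-1 splitting: set, connect, unset. */
ssl_conn ocs_plugin_connect(const char *host) {
    ssl_set_flags(SSL_FLAG_NO_RECORD_SPLIT);
    ssl_conn c = ssl_connect(host);
    ssl_unset_flags(SSL_FLAG_NO_RECORD_SPLIT);  /* scope of the exception ends here */
    return c;
}

/* Any other plugin simply takes the backend defaults. */
ssl_conn other_plugin_connect(const char *host) { return ssl_connect(host); }

int main(void) {
    ssl_conn a = ocs_plugin_connect("ocs.example");      /* constructed hostnames */
    ssl_conn b = other_plugin_connect("xmpp.example");
    printf("%s splitting=%d\n%s splitting=%d\n",
           a.host, a.record_splitting, b.host, b.record_splitting);
    return 0;
}
```

With the per-connection flags only the OCS connection loses record splitting, whereas flipping the global switch also downgrades the unrelated connection.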