Opened 6 years ago

Closed 5 years ago

#15744 closed defect (fixed)

weak TLS ciphers used for connection - Windows

Reported by: fedor.brunner
Owned by: datallah
Milestone: 2.10.8
Component: winpidgin (gtk)
Version: 2.10.7
Keywords:
Cc:

Description

The Windows build of Pidgin 2.10.7 (http://www.pidgin.im/download/windows/) is using the NSS library; this library supports only the old TLS v1. Please change the build so that it uses newer protocols from GnuTLS (TLS v1.1 and 1.2).

When connecting with TLS v1 to the Google XMPP server, the weaker RC4 is used; when connecting with TLS v1.2, strong AES is used.

http://crypto.stackexchange.com/questions/853/google-is-using-rc4-but-isnt-rc4-considered-unsafe
https://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
https://en.wikipedia.org/wiki/Transport_Layer_Security#CRIME_and_BREACH_attacks
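An added example, not part of the ticket or of Pidgin's code: a small parser that reads the negotiated protocol version and cipher suite out of a captured TLS ServerHello record, which is how the difference described above (TLS v1 with RC4 versus TLS v1.2 with AES) can be confirmed from a packet capture. The sample records are constructed, `make_server_hello` is a hypothetical helper, and the "weak" rule (TLS 1.0 or older, or any RC4 suite) is an assumption taken from the ticket's framing.

```python
# Cipher suite IDs from the IANA TLS registry (small subset for this example).
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_server_hello(record: bytes) -> dict:
    """Extract the negotiated version and cipher suite from a ServerHello record."""
    if len(record) < 9 or record[0] != 22:          # 22 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if rec_len < 4 or len(body) != rec_len or body[0] != 2:   # 2 = ServerHello
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[:2], "big")
    off = 35 + hello[34]        # skip version (2), random (32), session id
    if len(hello) < off + 3:    # cipher suite (2) + compression method (1)
        raise ValueError("truncated ServerHello")
    suite = int.from_bytes(hello[off:off + 2], "big")
    name = SUITES.get(suite, f"unknown(0x{suite:04X})")
    # Assumption for this example: "weak" means TLS 1.0 or older, or any RC4 suite.
    return {"version": VERSIONS.get(version, f"unknown(0x{version:04X})"),
            "suite": name,
            "weak": version <= 0x0301 or "RC4" in name}


def make_server_hello(version: int, suite: int) -> bytes:
    """Build a constructed ServerHello (zero random, empty session id)."""
    hello = (version.to_bytes(2, "big") + bytes(32) + b"\x00"
             + suite.to_bytes(2, "big") + b"\x00")
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed samples mirroring the two cases in the ticket.
OLD = parse_server_hello(make_server_hello(0x0301, 0x0005))
NEW = parse_server_hello(make_server_hello(0x0303, 0xC02F))
```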

Change History (2)

comment:1 Changed 6 years ago by datallah

  • Component changed from XMPP to winpidgin (gtk)
  • Milestone 2.10.8 deleted
  • Owner changed from deryni to datallah

comment:2 Changed 5 years ago by datallah

  • Milestone set to 2.10.8
  • Resolution set to fixed
  • Status changed from new to closed

In 2.10.8 we will ship NSS 3.15.2, which supports TLS 1.2.
