/pidgin/main: 7ad61c17d9bd: ssl-nss: Don't use the NSS Built-in ...

Daniel Atallah datallah at pidgin.im
Tue Jan 22 15:26:16 EST 2013


Changeset: 7ad61c17d9bdf25fea22c5d4815768495a45d27c
Author:	 Daniel Atallah <datallah at pidgin.im>
Date:	 2013-01-22 15:25 -0500
Branch:	 release-2.x.y
URL: http://hg.pidgin.im/pidgin/main/rev/7ad61c17d9bd

Description:

ssl-nss: Don't use the NSS Built-in database at all

 * libpurple already doesn't use it when validating the server's chain against
   the list of trusted roots - the code loading nssckbi predated libpurple doing
   certificate validation.
 * this was creating a weird situation where the cert served by the server was
   being oddly overwritten in the chain by one from the built-in db.  In the
   case I noticed this, "DigiCert High Assurance EV Root CA" was set as
   self-signed in the built-in db, but the server's chain had it signed by
   "GTE CyberTrust Global Root" - apparently there are several versions of this
   cert that are cross-signed.

diffstat:

 Makefile.mingw                         |   1 -
 libpurple/plugins/ssl/Makefile.mingw   |   1 -
 libpurple/plugins/ssl/ssl-nss.c        |  10 ----------
 pidgin/win32/nsis/pidgin-installer.nsi |   1 -
 4 files changed, 0 insertions(+), 13 deletions(-)

diffs (55 lines):

diff --git a/Makefile.mingw b/Makefile.mingw
--- a/Makefile.mingw
+++ b/Makefile.mingw
@@ -68,7 +68,6 @@ EXTERNAL_DLLS = \
 	libssp-0.dll \
 	libxml2-2.dll \
 	nss3.dll \
-	nssckbi.dll \
 	nssutil3.dll \
 	saslANONYMOUS.dll \
 	saslCRAMMD5.dll \
diff --git a/libpurple/plugins/ssl/Makefile.mingw b/libpurple/plugins/ssl/Makefile.mingw
--- a/libpurple/plugins/ssl/Makefile.mingw
+++ b/libpurple/plugins/ssl/Makefile.mingw
@@ -19,7 +19,6 @@ NEEDED_DLLS = \
 			$(NSS_TOP)/lib/libplc4.dll \
 			$(NSS_TOP)/lib/libplds4.dll \
 			$(NSS_TOP)/lib/nss3.dll \
-			$(NSS_TOP)/lib/nssckbi.dll \
 			$(NSS_TOP)/lib/nssutil3.dll \
 			$(NSS_TOP)/lib/smime3.dll \
 			$(NSS_TOP)/lib/softokn3.dll \
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -125,18 +125,8 @@ static gchar *get_error_text(void)
 static void
 ssl_nss_init_nss(void)
 {
-	char *lib;
 	PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 	NSS_NoDB_Init(".");
-
-	/* TODO: Fix this so autoconf does the work trying to find this lib. */
-#ifndef _WIN32
-	lib = g_strdup(LIBDIR "/libnssckbi.so");
-#else
-	lib = g_strdup("nssckbi.dll");
-#endif
-	SECMOD_AddNewModule("Builtins", lib, 0, 0);
-	g_free(lib);
 	NSS_SetDomesticPolicy();
 
 	SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
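Review bot: After this deletion nothing in `ssl_nss_init_nss` records that NSS is intentionally left without a root-certificate module, so a later reader could re-add the `SECMOD_AddNewModule("Builtins", ...)` call and bring back the chain-rewriting behaviour the description reports. A comment above `NSS_NoDB_Init(".")` would pin the intent, for example `/* Deliberately no nssckbi "Builtins" module: libpurple validates the chain against its own trusted roots. */`. The same context line discards the return value of `NSS_NoDB_Init(".")`. Comparing it with `SECSuccess` and logging the failure would make a broken initialisation visible before the cipher preferences are set. The function body continues past the end of this hunk, so any handling further down is not visible here.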
diff --git a/pidgin/win32/nsis/pidgin-installer.nsi b/pidgin/win32/nsis/pidgin-installer.nsi
--- a/pidgin/win32/nsis/pidgin-installer.nsi
+++ b/pidgin/win32/nsis/pidgin-installer.nsi
@@ -643,7 +643,6 @@ Section Uninstall
     Delete "$INSTDIR\libymsg.dll"
     Delete "$INSTDIR\nss3.dll"
     Delete "$INSTDIR\nssutil3.dll"
-    Delete "$INSTDIR\nssckbi.dll"
     Delete "$INSTDIR\pidgin.dll"
     Delete "$INSTDIR\pidgin.exe"
     Delete "$INSTDIR\smime3.dll"


