/pidgin/main: f4e63e354f45: Allow and prefer TLS 1.2 and 1.1 whe...
Mark Doliner
mark at kingant.net
Sat Aug 16 19:35:21 EDT 2014
Changeset: f4e63e354f45aeee8ac3877e8f73e090c764884b
Author: Mark Doliner <mark at kingant.net>
Date: 2014-08-16 16:35 -0700
Branch: release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/f4e63e354f45
Description:
Allow and prefer TLS 1.2 and 1.1 when using libnss. Patch from Elrond,
with additional logging from Ashish Gupta.
Fixes #15909
FYI gnutls enables TLS 1.2 and 1.1 by default, when available, so there's
no need to mirror this change in that code.
diffstat:
ChangeLog | 6 +++++-
libpurple/plugins/ssl/ssl-nss.c | 25 +++++++++++++++++++++++++
2 files changed, 30 insertions(+), 1 deletions(-)
diffs (65 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,10 @@
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
version 2.10.10 (?/?/?):
+ General:
+ * Allow and prefer TLS 1.2 and 1.1 when using libnss. (Elrond and
+ Ashish Gupta) (#15909)
+
libpurple3 compatibility:
* Encrypted account passwords are preserved until the new one is set.
* Fix loading Google Talk and Facebook XMPP accounts.
@@ -234,7 +238,7 @@ version 2.10.7 (02/13/2013):
this issue and suggesting solutions. (#15277)
* Updates to a number of dependencies, some of which have security
related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen
- for identifying the vulnerable libraries and to Dieter Verfaillie
+ for identifying the vulnerable libraries and to Dieter Verfaillie
for helping getting the libraries updated. (#14571, #15285, #15286)
* ATK 1.32.0-2
* Cyrus SASL 2.1.25
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -133,6 +133,8 @@ static gchar *get_error_text(void)
static void
ssl_nss_init_nss(void)
{
+ SSLVersionRange supported, enabled;
+
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
NSS_NoDB_Init(".");
NSS_SetDomesticPolicy();
@@ -150,6 +152,29 @@ ssl_nss_init_nss(void)
SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+ /* Get the ranges of supported and enabled SSL versions */
+ if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
+ (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
+ purple_debug_info("nss", "TLS supported versions: "
+ "%d through %d\n", supported.min, supported.max);
+ purple_debug_info("nss", "TLS versions allowed by default: "
+ "%d through %d\n", enabled.min, enabled.max);
+
+ /* Make sure all versions of TLS supported by the local library are
+ enabled. (For some reason NSS doesn't enable newer versions of TLS
+ by default -- more context in ticket #15909.) */
+ if (supported.max > enabled.max) {
+ enabled.max = supported.max;
+ if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
+ purple_debug_info("nss", "Changed allowed TLS versions to "
+ "%d through %d\n", enabled.min, enabled.max);
+ } else {
+ purple_debug_error("nss", "Error setting allowed TLS versions to "
+ "%d through %d\n", enabled.min, enabled.max);
+ }
+ }
+ }
+
_identity = PR_GetUniqueIdentity("Purple");
_nss_methods = PR_GetDefaultIOMethods();
}
More information about the Commits
mailing list