/pidgin/main: f26d96f03176: Update NSS Default Cipher suites
Daniel Atallah
datallah at pidgin.im
Wed Nov 5 00:10:09 EST 2014
Changeset: f26d96f031760be47ba02af69cc9ff51a1b3fbdc
Author: Daniel Atallah <datallah at pidgin.im>
Date: 2014-11-05 00:09 -0500
Branch: release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/f26d96f03176
Description:
Update NSS Default Cipher suites
* Use Firefox as a base reference, include some previously used stuff and enable various PFS cipher suites
* The following cipher suites were previously enabled (when using NSS 3.17.1)
and are no longer enabled:
* Various using RC2 and MD5
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_DSS_WITH_RC4_128_SHA
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_RC4_128_SHA (this is probably the most controversial removal)
* TLS_RSA_WITH_RC4_128_MD5
* TLS_DHE_RSA_WITH_DES_CBC_SHA
* TLS_DHE_DSS_WITH_DES_CBC_SHA
Refs #8062, Fixes #16262
diffstat:
libpurple/plugins/ssl/ssl-nss.c | 68 ++++++++++++++++++++++++++++++++--------
1 files changed, 54 insertions(+), 14 deletions(-)
diffs (94 lines):
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -139,9 +139,61 @@ static gchar *get_error_text(void)
return ret;
}
-static void ssl_nss_log_ciphers(void) {
+static const PRUint16 default_ciphers[] = {
+#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
+ || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 1 )
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+# if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
+ || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 2 )
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+# endif
+#endif
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* deprecated (DSS) */
+ /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, false }, // deprecated (DSS) */
+
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA, /* deprecated (RC4) */
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, /* deprecated (RC4) */
+
+ /* RFC 6120 Mandatory */
+ TLS_RSA_WITH_AES_128_CBC_SHA, /* deprecated (RSA key exchange) */
+ TLS_RSA_WITH_AES_256_CBC_SHA, /* deprecated (RSA key exchange) */
+ /* TLS_RSA_WITH_3DES_EDE_CBC_SHA, deprecated (RSA key exchange, 3DES) */
+
+ 0 /* end marker */
+};
+
+/* It's unfortunate we need to manage these manually,
+ * ideally NSS would choose good defaults.
+ * This is mostly based on FireFox's list:
+ * https://hg.mozilla.org/mozilla-central/log/default/security/manager/ssl/src/nsNSSComponent.cpp */
+static void ssl_nss_init_ciphers(void) {
+ /* Disable any ciphers that NSS might have enabled by default */
const PRUint16 *cipher;
for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
+ SSL_CipherPrefSetDefault(*cipher, PR_FALSE);
+ }
+
+ /* Now only set SSL/TLS ciphers we knew about at compile time */
+ for (cipher = default_ciphers; *cipher != 0; ++cipher) {
+ SSL_CipherPrefSetDefault(*cipher, PR_TRUE);
+ }
+
+ /* Now log the available and enabled Ciphers */
+ for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
const PRUint16 suite = *cipher;
SECStatus rv;
PRBool enabled;
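Review bot: Both new `SSL_CipherPrefSetDefault()` loops in `ssl_nss_init_ciphers()` discard the returned `SECStatus`, so a failure in the disable loop would leave a suite that NSS enables by default switched on without any warning. Check the result and log it, e.g. `if (SSL_CipherPrefSetDefault(*cipher, PR_FALSE) != SECSuccess) purple_debug_warning("nss", "Unable to disable cipher 0x%04x\n", *cipher);`, and do the same in the enable loop so that a suite the linked NSS build rejects is visible. The commented-out entry `/* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, false }, // deprecated (DSS) */` also carries a stray `false },` fragment that should be dropped. The function body continues past the end of this hunk.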
@@ -185,18 +237,7 @@ ssl_nss_init_nss(void)
NSS_SetDomesticPolicy();
#endif /* NSS < 3.15.2 */
- SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_RC4_128_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+ ssl_nss_init_ciphers();
#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 )
/* Get the ranges of supported and enabled SSL versions */
@@ -229,7 +270,6 @@ ssl_nss_init_nss(void)
_identity = PR_GetUniqueIdentity("Purple");
_nss_methods = PR_GetDefaultIOMethods();
- ssl_nss_log_ciphers();
}
static SECStatus