/pidgin/main: 63d2b56900d6: Disable SSL 3.0 when using NSS.

Mark Doliner mark at kingant.net
Fri Sep 12 15:14:40 EDT 2014


Changeset: 63d2b56900d645ced8da262811cdc336d060dfc4
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2014-09-12 12:14 -0700
Branch:	 default
URL: https://hg.pidgin.im/pidgin/main/rev/63d2b56900d6

Description:

Disable SSL 3.0 when using NSS.

And add a note about this to ChangeLog (for both NSS and GnuTLS, which I
already committed recently).

diffstat:

 ChangeLog                       |   2 ++
 libpurple/plugins/ssl/ssl-nss.c |  10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diffs (32 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,8 @@ version 3.0.0 (??/??/????):
 	libpurple:
 	* Specify a different set of encryption ciphers for TLS connections when
 	  using GnuTLS. (elrond, belmyst, and Mark Doliner) (#8061)
+	* Don't allow SSL 3.0 (only TLS 1.0 and newer) for TLS connections when
+	  using either GnuTLS or NSS.
 
 	Pidgin:
 	* Support building with the GTK+ 3.x toolkit.  When configuring the
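Review bot: the new ChangeLog entry has no ticket reference or credit, while the neighbouring GnuTLS entry carries both ("(elrond, belmyst, and Mark Doliner) (#8061)"); if a ticket tracks the SSL 3.0 change, append it in the same format so users can find the rationale, and consider noting that this only affects the default version range so readers don't expect it to override an explicit NSS configuration.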
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -160,10 +160,12 @@ ssl_nss_init_nss(void)
 		purple_debug_info("nss", "TLS versions allowed by default: "
 				"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
 
-		/* Make sure all versions of TLS supported by the local library are
-		   enabled. (For some reason NSS doesn't enable newer versions of TLS
-		   by default -- more context in ticket #15909.) */
-		if (supported.max > enabled.max) {
+		/* Make sure SSL 3.0 is disabled (it's old and everyone should be
+		   using at least TLS 1.0 by now), and make sure all versions of TLS
+		   supported by the local library are enabled (for some reason NSS
+		   doesn't enable newer versions of TLS by default -- more context in
+		   ticket #15909). */
+		if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) {
 			enabled.max = supported.max;
 			if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
 				purple_debug_info("nss", "Changed allowed TLS versions to "
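Review bot: the new condition tests `enabled.min != SSL_LIBRARY_VERSION_TLS_1_0`, but the body of the if still only assigns `enabled.max = supported.max;` before calling `SSL_VersionRangeSetDefault`, so within this hunk `enabled.min` is passed through unchanged and SSL 3.0 stays enabled whenever NSS's default minimum is lower; the comment "Make sure SSL 3.0 is disabled" therefore promises something the code does not do. Add `enabled.min = SSL_LIBRARY_VERSION_TLS_1_0;` inside the block, and make the test `enabled.min < SSL_LIBRARY_VERSION_TLS_1_0` rather than `!=` so that a library or policy that already starts at a newer version (TLS 1.1 or 1.2) is not pulled back down to TLS 1.0. The "Changed allowed TLS versions" debug line then reports the raised minimum as well, which is useful when diagnosing handshake failures against old peers.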
