/pidgin/main: 63d2b56900d6: Disable SSL 3.0 when using NSS.
Mark Doliner
mark at kingant.net
Fri Sep 12 15:14:40 EDT 2014
Changeset: 63d2b56900d645ced8da262811cdc336d060dfc4
Author: Mark Doliner <mark at kingant.net>
Date: 2014-09-12 12:14 -0700
Branch: default
URL: https://hg.pidgin.im/pidgin/main/rev/63d2b56900d6
Description:
Disable SSL 3.0 when using NSS.
And add a note about this to ChangeLog (for both NSS and GnuTLS, which I
already committed recently).
diffstat:
ChangeLog | 2 ++
libpurple/plugins/ssl/ssl-nss.c | 10 ++++++----
2 files changed, 8 insertions(+), 4 deletions(-)
diffs (32 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,8 @@ version 3.0.0 (??/??/????):
libpurple:
* Specify a different set of encryption ciphers for TLS connections when
using GnuTLS. (elrond, belmyst, and Mark Doliner) (#8061)
+ * Don't allow SSL 3.0 (only TLS 1.0 and newer) for TLS connections when
+ using either GnuTLS or NSS.
Pidgin:
* Support building with the GTK+ 3.x toolkit. When configuring the
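Review bot: The new ChangeLog entry's wording, "Don't allow SSL 3.0 (only TLS 1.0 and newer) for TLS connections", names the protocol being banned as an option for "TLS connections", which reads oddly. Something like "Require TLS 1.0 or newer (no SSL 3.0) for encrypted connections" would be clearer. Unlike the GnuTLS cipher entry directly above it, this entry has no contributor or ticket reference. Add one if a ticket tracks the change.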
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -160,10 +160,12 @@ ssl_nss_init_nss(void)
purple_debug_info("nss", "TLS versions allowed by default: "
"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
- /* Make sure all versions of TLS supported by the local library are
- enabled. (For some reason NSS doesn't enable newer versions of TLS
- by default -- more context in ticket #15909.) */
- if (supported.max > enabled.max) {
+ /* Make sure SSL 3.0 is disabled (it's old and everyone should be
+ using at least TLS 1.0 by now), and make sure all versions of TLS
+ supported by the local library are enabled (for some reason NSS
+ doesn't enable newer versions of TLS by default -- more context in
+ ticket #15909). */
+ if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) {
enabled.max = supported.max;
if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
purple_debug_info("nss", "Changed allowed TLS versions to "
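Review bot: In the lines shown, the new condition tests enabled.min, but the body still only assigns enabled.max = supported.max before calling SSL_VersionRangeSetDefault. Nothing visible sets enabled.min, so if the default minimum is SSL 3.0, the range passed in still begins at SSL 3.0 and the updated comment's promise is not met. Suggest adding enabled.min = SSL_LIBRARY_VERSION_TLS_1_0; next to the enabled.max assignment. The != test also fires when the default minimum is already above TLS 1.0. Once the assignment is in place, comparing with < would avoid lowering a stricter default.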