Pidgin cannot connect to amessage.de using TLS secured XMPP

Marcus Trautwig Marcus at Trautwig.de
Tue May 6 20:06:03 EDT 2008


Hi!

I think I just discovered why Pidgin suddenly fails to connect to
amessage.de (and maybe other XMPP servers) with an "SSL Handshake"
error. My Pidgin (2.4.1 from Ubuntu Hardy) uses the libnss SSL library
which only has weak ciphers activated by default:
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1084747

The amessage.de server is not satisfied with the ciphers enabled by
default and aborts the SSL/TLS handshake. You can inspect this with
Wireshark by choosing "Decode As..." from the context menu of one of the
connection packets and then selecting "SSL". On amessage.de, you have
to skip over to the "SSL Client Hello", where Pidgin claims to only
support some weak ciphers.

The attached patch also enables the strong ciphers and now it works
again! But please consider that this may break other SSL connections;
the new "SSL Client Hello" message does not look SSLv2-compatible any
more.

BTW, there is already a bug on this issue, but I did not see it appear
until Pidgin 2.4.1: http://developer.pidgin.im/ticket/1435


Kind Regards,
Marcus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl-strong-ciphers.patch
Type: text/x-patch
Size: 1124 bytes
Desc: not available
URL: <http://pidgin.im/pipermail/support/attachments/20080507/db8a6714/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://pidgin.im/pipermail/support/attachments/20080507/db8a6714/attachment.sig>
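
Added example, not part of the original message and not Pidgin or NSS code: a small parser that does the check described above for Wireshark, listing the cipher suites in a ClientHello (SSLv2-compatible or TLS format) and reporting which of them a server would accept. The function names, the SERVER_ACCEPTS policy and both sample hellos are constructed assumptions, not captures from Pidgin or amessage.de.

```python
import struct

# A few IANA code points for readable output; unknown ids are shown as hex.
NAMES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
         0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def offered_suites(rec: bytes):
    """Return (hello_format, [suite ids]) for one ClientHello record."""
    if len(rec) > 11 and rec[0] & 0x80 and rec[2] == 0x01:
        # SSLv2-compatible hello: header(2) type(1) version(2) three lengths(6),
        # then 3-byte cipher specs; SSLv3/TLS suites carry a leading 0x00 byte.
        n, = struct.unpack_from(">H", rec, 5)
        specs = rec[11:11 + n]
        if len(specs) != n or n % 3:
            raise ValueError("malformed cipher spec list")
        return "sslv2-compatible", [int.from_bytes(specs[i + 1:i + 3], "big")
                                    for i in range(0, n, 3) if specs[i] == 0]
    if len(rec) > 46 and rec[0] == 0x16 and rec[5] == 0x01:
        # TLS record header(5) + handshake header(4) + version(2) + random(32)
        pos = 43
        pos += 1 + rec[pos]                       # skip the session id
        n, = struct.unpack_from(">H", rec, pos)
        body = rec[pos + 2:pos + 2 + n]
        if len(body) != n or n % 2:
            raise ValueError("malformed cipher suite list")
        return "tls", [int.from_bytes(body[i:i + 2], "big") for i in range(0, n, 2)]
    raise ValueError("not a ClientHello record")

def v2_hello(ids):  # builds a constructed SSLv2-compatible ClientHello
    specs = b"".join(b"\x00" + i.to_bytes(2, "big") for i in ids)
    body = b"\x01\x03\x01" + struct.pack(">HHH", len(specs), 0, 16) + specs + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def tls_hello(ids):  # builds a constructed TLS 1.0 ClientHello, no extensions
    suites = b"".join(i.to_bytes(2, "big") for i in ids)
    hs = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", len(suites)) + suites + b"\x01\x00"
    hs = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def diagnose(rec, server_accepts):
    """Return (hello_format, names of offered suites the server would accept)."""
    fmt, ids = offered_suites(rec)
    return fmt, [NAMES.get(i, hex(i)) for i in ids if i in server_accepts]

SERVER_ACCEPTS = {0x002F, 0x0035}                 # hypothetical server policy
BEFORE = v2_hello([0x0004, 0x0009])               # constructed sample
AFTER = tls_hello([0x0004, 0x002F, 0x0035])       # constructed sample
```

An empty list from diagnose() means client and server share no suite, which is the condition under which the handshake is aborted.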
