[Pidgin] #8061: Let the user select trusted ciphers for TLS

Pidgin trac at pidgin.im
Sat Jan 10 12:08:23 EST 2009


#8061: Let the user select trusted ciphers for TLS
------------------+---------------------------------------------------------
Reporter:  ben    |        Type:  enhancement
  Status:  new    |   Component:  libpurple  
 Version:  2.5.3  |    Keywords:  ssl, tls   
------------------+---------------------------------------------------------
 At the moment, pidgin will encrypt TLS connections using algorithms that
 can be as weak as DES:

 * With NSS, these ciphers are explicitly added to the cipher preference
 list (see ll. 142--153 in libpurple/plugins/ssl/ssl-nss.c), including DES.

 * With GnuTLS, gnutls_cipher_set_priority() isn't called, which I think
 implicitly causes the use of GnuTLS's default cipher priorities. Those
 also include old, less trusted ciphers like 3DES if I interpret
 lib/gnutls_priority.c from the official GnuTLS distribution correctly).

 This behavior enables passive attacks on the TLS encryption between client
 and server if the server only supports weak ciphers. The user should be
 able to decide which ciphers to trust, and pidgin should refuse a
 connection to a server which doesn't support any of those ciphers.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/8061>
Pidgin <http://pidgin.im>
Pidgin


More information about the Tracker mailing list