[Pidgin] #8061: Let the user select trusted ciphers for TLS
Pidgin
trac at pidgin.im
Sat Jan 10 12:08:23 EST 2009
#8061: Let the user select trusted ciphers for TLS
------------------+---------------------------------------------------------
Reporter: ben | Type: enhancement
Status: new | Component: libpurple
Version: 2.5.3 | Keywords: ssl, tls
------------------+---------------------------------------------------------
At the moment, pidgin will encrypt TLS connections using algorithms that
can be as weak as DES:
* With NSS, these ciphers are explicitly added to the cipher preference
list (see ll. 142--153 in libpurple/plugins/ssl/ssl-nss.c), including DES.
* With GnuTLS, gnutls_cipher_set_priority() isn't called, which I think
implicitly causes the use of GnuTLS's default cipher priorities. Those
also include old, less trusted ciphers like 3DES if I interpret
lib/gnutls_priority.c from the official GnuTLS distribution correctly).
This behavior enables passive attacks on the TLS encryption between client
and server if the server only supports weak ciphers. The user should be
able to decide which ciphers to trust, and pidgin should refuse a
connection to a server which doesn't support any of those ciphers.
--
Ticket URL: <http://developer.pidgin.im/ticket/8061>
Pidgin <http://pidgin.im>
Pidgin
More information about the Tracker
mailing list