[Pidgin] #11616: GnuTLS: Allow the setting of priorities to work with SSL-only servers
Pidgin
trac at pidgin.im
Wed Mar 31 20:15:36 EDT 2010
#11616: GnuTLS: Allow the setting of priorities to work with SSL-only servers
--------------------+-------------------------------------------------------
Reporter: skayser | Type: enhancement
Status: new | Component: libpurple
Version: 2.6.6 | Keywords:
--------------------+-------------------------------------------------------
I am filing this bug/feature request for tracking purposes after having
spoken to Paul Aurich (darkrain42) about
[http://pidgin.im/pipermail/support/2010-March/007124.html the problem on
the help mailing list] and in a private follow-up conversation.
Pidgin, when built against GnuTLS, can't connect to servers which only seem
to speak SSLv3, but not TLS 1.x (could also be a buggy server-side SSL/TLS
implementation). The output from gnutls-cli-debug for the relevant server
contains, among other information, the notice that '''TLS 1.0 shall be
disabled client-side''', but currently Pidgin doesn't offer such a control
yet.
{{{
Resolving 'xmpp.company.com'...
Connecting to 'x.x.x.x:5223'...
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... yes
Checking for HTTPS server name... failed
Checking for version rollback bug in RSA PMS... yes
Checking for version rollback bug in Client Hello... N/A
Checking whether we need to disable TLS 1.0... yes
Checking whether the server ignores the RSA PMS version... yes
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0
spec... yes
Checking whether the server can accept a bogus TLS record version in the
client hello... no
Checking for trusted CAs...
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... no
Checking for export-grade ciphersuite support... yes
Checking RSA-export ciphersuite info...
Checking for anonymous authentication support... yes
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... no
Checking ephemeral Diffie-Hellman group info... N/A
Checking for AES cipher support (TLS extension)... no
Checking for CAMELLIA cipher support (TLS extension)... no
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for LZO compression support (GnuTLS extension)... no
Checking for max record size (TLS extension)... no
Checking for SRP authentication support (TLS extension)... no
Checking for OpenPGP authentication support (TLS extension)... no
}}}
According to [http://old.nabble.com/TLS1.1-handshake-problem-%28demonstrated-with-gnutls-cli%29-td25913464.html a thread on the
GnuTLS-dev list revolving around the same problem], GnuTLS offers
priorities which Pidgin (or any other app for that matter) could use to
selectively enable/disable GnuTLS features.
It would be very helpful to have this as a user-controllable feature in
Pidgin. In our conversation, Paul mentioned the possibility of a
PURPLE_GNUTLS_* environment variable for setting GnuTLS prios. This would
not only do the job from a user perspective but also be easy to
administer from a central administration point of view.
--
Ticket URL: <http://developer.pidgin.im/ticket/11616>
Pidgin <http://pidgin.im>
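The sketch below is an added example, not code from Pidgin or libpurple, showing how a GnuTLS-based client could honour the environment-variable override the ticket proposes. It is written in C because libpurple's GnuTLS backend is C. The variable name PURPLE_GNUTLS_PRIORITIES is assumed (the ticket only says PURPLE_GNUTLS_*), the character allowlist in priority_chars_ok is a conservative assumption of the author of this example rather than GnuTLS's grammar, and the real parsing is left to gnutls_priority_set_direct, whose error position is logged before falling back to the compiled-in default. The GnuTLS portion compiles only when the header is available, so the policy-resolution part can be read and exercised on its own.

```c
/* Added example (not libpurple code): choose a GnuTLS priority string from an
 * environment variable, so a user or administrator can work around a server
 * that only speaks SSL 3.0 without weakening every other connection by default.
 * Assumed variable name: PURPLE_GNUTLS_PRIORITIES (the ticket says PURPLE_GNUTLS_*). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "NORMAL" is GnuTLS's own default keyword; it is what we use when no
 * usable override is present. */
#define DEFAULT_PRIORITIES "NORMAL"

/* Conservative allowlist (an assumption, not GnuTLS's grammar): keywords,
 * ':' separators, '+' '-' '!' modifiers and '%' options. Anything else
 * (whitespace, quotes, shell metacharacters) is rejected before the string
 * reaches GnuTLS, which keeps log lines and error messages readable. */
static int priority_chars_ok(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++) {
        if (isalnum((unsigned char)*s) || strchr(":+-!%._@", *s))
            continue;
        return 0;
    }
    return 1;
}

/* Returns the override when it passes the allowlist, otherwise the default.
 * `source` (optional) receives "environment" or "default" so the caller can
 * log which one was used: a weakened priority should never apply silently. */
const char *resolve_priorities(const char *override, const char **source)
{
    if (priority_chars_ok(override)) {
        if (source)
            *source = "environment";
        return override;
    }
    if (source)
        *source = "default";
    return DEFAULT_PRIORITIES;
}

#if defined(__has_include)
#  if __has_include(<gnutls/gnutls.h>)
#    define EXAMPLE_HAVE_GNUTLS 1
#  endif
#endif

#ifdef EXAMPLE_HAVE_GNUTLS
#include <gnutls/gnutls.h>

/* Apply the chosen string to a session. On a malformed string GnuTLS reports
 * where parsing stopped; we log that position and fall back to the default
 * rather than leaving the session without a priority set. */
int apply_priorities(gnutls_session_t session, const char *prio)
{
    const char *err_pos = NULL;
    int rc = gnutls_priority_set_direct(session, prio, &err_pos);
    if (rc != GNUTLS_E_SUCCESS) {
        fprintf(stderr, "gnutls: bad priority string near \"%s\": %s; using %s\n",
                err_pos ? err_pos : "?", gnutls_strerror(rc), DEFAULT_PRIORITIES);
        rc = gnutls_priority_set_direct(session, DEFAULT_PRIORITIES, NULL);
    }
    return rc;
}
#endif

int main(void)
{
    const char *src = NULL;
    const char *prio = resolve_priorities(getenv("PURPLE_GNUTLS_PRIORITIES"), &src);
    printf("using %s priorities: %s\n", src, prio);
#ifdef EXAMPLE_HAVE_GNUTLS
    gnutls_session_t session;
    if (gnutls_global_init() == 0 && gnutls_init(&session, GNUTLS_CLIENT) == 0) {
        apply_priorities(session, prio);
        gnutls_deinit(session);
        gnutls_global_deinit();
    }
#endif
    return 0;
}
```

Before pointing a client at such an override, the same string can be tried against the server with `gnutls-cli --priority` to confirm the handshake actually completes; an override like one that drops TLS 1.0 and 1.1 should be scoped to the one server that needs it and logged at connect time, since it trades protocol-level protections for interoperability.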