[Pidgin] #11616: GnuTLS: Allow the setting of priorities to work with SSL-only servers

Pidgin trac at pidgin.im
Wed Mar 31 20:15:36 EDT 2010


#11616: GnuTLS: Allow the setting of priorities to work with SSL-only servers
--------------------+-------------------------------------------------------
Reporter:  skayser  |        Type:  enhancement
  Status:  new      |   Component:  libpurple  
 Version:  2.6.6    |    Keywords:             
--------------------+-------------------------------------------------------
 I am filing this bug/feature request for tracking purposes after having
 spoken to Paul Aurich (darkrain42) about
 [http://pidgin.im/pipermail/support/2010-March/007124.html the problem on
 the help mailing list] and in a private follow-up conversation.

 Pidgin when built against GnuTLS can't connect to servers which only seem
 to speak SSLv3, but not TLS 1.x (could also be a buggy server-side SSL/TLS
 implementation). The output from gnutls-cli-debug for the relevant server
 contains among other information the notice that '''TLS 1.0 shall be
 disabled client-side''', but currently Pidgin doesn't offer such a control
 yet.


 {{{
 Resolving 'xmpp.company.com'...
 Connecting to 'x.x.x.x:5223'...
 Checking for TLS 1.1 support... no
 Checking fallback from TLS 1.1 to... failed
 Checking for TLS 1.0 support... no
 Checking for SSL 3.0 support... yes
 Checking for HTTPS server name... failed
 Checking for version rollback bug in RSA PMS... yes
 Checking for version rollback bug in Client Hello... N/A
 Checking whether we need to disable TLS 1.0... yes
 Checking whether the server ignores the RSA PMS version... yes
 Checking whether the server can accept Hello Extensions... yes
 Checking whether the server can accept cipher suites not in SSL 3.0
 spec... yes
 Checking whether the server can accept a bogus TLS record version in the
 client hello... no
 Checking for trusted CAs...
 Checking whether the server understands TLS closure alerts... yes
 Checking whether the server supports session resumption... no
 Checking for export-grade ciphersuite support... yes
 Checking RSA-export ciphersuite info...
 Checking for anonymous authentication support... yes
 Checking anonymous Diffie-Hellman group info... N/A
 Checking for ephemeral Diffie-Hellman support... no
 Checking ephemeral Diffie-Hellman group info... N/A
 Checking for AES cipher support (TLS extension)... no
 Checking for CAMELLIA cipher support (TLS extension)... no
 Checking for 3DES cipher support... yes
 Checking for ARCFOUR 128 cipher support... yes
 Checking for ARCFOUR 40 cipher support... yes
 Checking for MD5 MAC support... yes
 Checking for SHA1 MAC support... yes
 Checking for LZO compression support (GnuTLS extension)... no
 Checking for max record size (TLS extension)... no
 Checking for SRP authentication support (TLS extension)... no
 Checking for OpenPGP authentication support (TLS extension)... no
 }}}


 According to [http://old.nabble.com/TLS1.1-handshake-problem
 -%28demonstrated-with-gnutls-cli%29-td25913464.html a thread on the
 GnuTLS-dev list revolving around the same problem], GnuTLS offers
 priorities which Pidgin (or any other app for that matter) could use to
 selectively enable/disable GnuTLS features.

 It would be very helpful to have this as a user-controllable feature in
 Pidgin. In our conversation, Paul mentioned the possibility of a
 PURPLE_GNUTLS_* environment variable for setting GnuTLS prios. This would
 not only do the job from a user perspective but also be easy to
 administer from a central administration point of view.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/11616>
Pidgin <http://pidgin.im>
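As an added example (not part of the ticket or of Pidgin's code), a small Python triage script that parses gnutls-cli-debug output like the report quoted in the ticket, lists the protocol versions the server accepts and flags the findings a defender would want to act on before loosening a client's priorities. The sample report is a constructed excerpt of the ticket's output; the weakness list is the script's own, not something gnutls-cli-debug emits.

```python
"""Triage a gnutls-cli-debug report: which protocol versions the server
accepts, whether it is SSL 3.0-only, and which answers are weaknesses."""
import re

# Constructed sample: an excerpt of the gnutls-cli-debug output from the ticket.
SAMPLE_REPORT = """\
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... yes
Checking for version rollback bug in RSA PMS... yes
Checking whether we need to disable TLS 1.0... yes
Checking for trusted CAs...
Checking for export-grade ciphersuite support... yes
Checking for anonymous authentication support... yes
Checking for ephemeral Diffie-Hellman support... no
Checking for MD5 MAC support... yes
"""

# "Checking for X... yes" / "Checking whether X... no" / "Checking X... failed"
LINE_RE = re.compile(r"^Checking (?:for |whether )?(.+?)\.\.\. ?(yes|no|failed|N/A)$")

def parse_report(text):
    """Map each check's description to its verdict ('yes', 'no', 'failed', 'N/A')."""
    checks, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending and not line.startswith("Checking"):
            line = pending + " " + line          # glue a wrapped continuation line
        pending = ""
        m = LINE_RE.match(line)
        if m:
            checks[m.group(1)] = m.group(2)
        elif line.startswith("Checking") and "..." not in line:
            pending = line                       # verdict follows on the next line
    return checks                                # lines with no verdict are dropped

def supported_versions(checks):
    """Protocol versions the server answered 'yes' to, oldest first."""
    return [v for v in ("SSL 3.0", "TLS 1.0", "TLS 1.1") if checks.get(f"{v} support") == "yes"]

def ssl3_only(checks):
    """True when SSL 3.0 is the only version offered (the ticket's situation)."""
    return supported_versions(checks) == ["SSL 3.0"]

# Checks whose 'yes' answer is a weakness worth reporting to the server's operator.
WEAK_CHECKS = {
    "SSL 3.0 support": "SSL 3.0 is obsolete; an SSLv3-only server forces clients to downgrade",
    "export-grade ciphersuite support": "export-grade cipher suites are breakable",
    "anonymous authentication support": "anonymous authentication allows an active interceptor",
    "MD5 MAC support": "MD5-based MACs are weak",
    "version rollback bug in RSA PMS": "server ignores the RSA PMS version (rollback bug)",
}

def weaknesses(checks):
    """Human-readable findings for every weak check the server answered 'yes' to."""
    return [msg for name, msg in WEAK_CHECKS.items() if checks.get(name) == "yes"]
```

Feed it the full output of `gnutls-cli-debug -p 5223 host` to see the same summary for a real server.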