[Pidgin] #14668: Disable support for obsolete SSL cipher suites and enable support for newer ones
Pidgin
trac at pidgin.im
Fri Oct 14 15:32:29 EDT 2011
#14668: Disable support for obsolete SSL cipher suites and enable support for newer
ones
----------------------------+-----------------------------------------------
Reporter: itsnotabigtruck | Type: patch
Status: new | Component: libpurple
Version: 2.10.0 | Keywords: tls ssl nss ciphers
----------------------------+-----------------------------------------------
The NSS implementation of SSL/TLS for Pidgin currently enables only the
default selection of cipher suites, plus some additional suites added to
resolve #1435. The NSS defaults are highly outdated, and exclude a number
of secure cipher suites added within the past 10 years while allowing
obsolete 1DES and "export" suites. Additionally, NSS allows SSLv2 by
default, which has known weaknesses and has been obsolete since 1996.
The attached patch enables only the available strong cipher suites using
the method described at
<https://developer.mozilla.org/en/TLS_Cipher_Suite_Discovery>. SSLv2 is
also disabled for all connections.
This patch as well as a version of NSS compiled with NSS_ENABLE_ECC are
required to connect to servers using Elliptic Curve Cryptography (ECC). It
might be necessary to recompile the build of NSS shipped with Pidgin for
Windows using this option. ECC is already enabled in the NSS builds
shipped by most Linux distros, though notably not Red Hat/Fedora-based
distros.
--
Ticket URL: <http://developer.pidgin.im/ticket/14668>
Pidgin <http://pidgin.im>
Pidgin
More information about the Tracker
mailing list