[Pidgin] #15861: Disable SSLv3

Pidgin trac at pidgin.im
Tue Jan 14 05:09:15 EST 2014

#15861: Disable SSLv3
 Reporter:  fedor.brunner  |       Owner:  deryni
     Type:  defect         |      Status:  new
Milestone:                 |   Component:  XMPP
  Version:  2.10.7         |  Resolution:
 Keywords:                 |

Comment (by fedor.brunner):

 TLS has a variety of security measures:

 * Protection against a downgrade of the protocol to a previous (less
 secure) version or a weaker cipher suite.
 * Numbering subsequent Application records with a sequence number and
 using this sequence number in the message authentication codes (MACs).
 * Using a message digest enhanced with a key (so only a key-holder can
 check the MAC). The HMAC construction used by most TLS cipher suites is
 specified in RFC 2104 (SSL 3.0 used a different hash-based MAC).
 * The message that ends the handshake ("Finished") sends a hash of all the
 exchanged handshake messages seen by both parties.
 * The pseudorandom function splits the input data in half and processes
 each one with a different hashing algorithm (MD5 and SHA-1), then XORs
 them together to create the MAC. This provides protection even if one of
 these algorithms is found to be vulnerable.

 MD5 was effectively broken.

Ticket URL: <https://developer.pidgin.im/ticket/15861#comment:1>
Pidgin <https://pidgin.im>
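The last bullet above describes how the TLS 1.0/1.1 pseudorandom function (RFC 2246 section 5) splits the secret in half, expands each half with a different hash (MD5 for the first half, SHA-1 for the second) and XORs the two streams. The following is an added example that is not part of this ticket or of the Pidgin code base: a small implementation of that construction, including the master-secret derivation that uses it. The function names, the odd-length split rule and the sample inputs are the example's own.

```python
"""
TLS 1.0/1.1 PRF (RFC 2246 section 5) as described in the ticket comment:
PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)
where S1 and S2 are the two halves of the secret.  Added example, not code
from the Pidgin project; function names are this example's own.
"""
import hashlib  # noqa: F401  (hash names below are resolved through hmac)
import hmac
import math


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """Expand `secret`/`seed` to `length` bytes with the HMAC-based P_hash:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    The output is truncated to exactly `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split the secret into S1 (first half) and S2 (second half).
    For an odd length both halves are ceil(len/2) bytes long and share the
    middle byte, as RFC 2246 specifies."""
    half = math.ceil(len(secret) / 2)
    return secret[:half], secret[-half:] if half else b""


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """The two-hash PRF: each half of the secret feeds a different hash, and
    the streams are XORed, so an attacker who fully breaks one hash still
    faces the other one's output masking it."""
    s1, s2 = split_secret(secret)
    stream_md5 = p_hash("md5", s1, label + seed, length)
    stream_sha1 = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(stream_md5, stream_sha1))


def derive_master_secret(pre_master: bytes, client_random: bytes,
                         server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return tls10_prf(pre_master, b"master secret",
                     client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed sample inputs (not real session values).
    pre_master = b"\x01" * 48
    client_random = b"\x02" * 32
    server_random = b"\x03" * 32
    ms = derive_master_secret(pre_master, client_random, server_random)
    print("master secret:", ms.hex())
```

The `split_secret` rule matters in practice: for an odd-length secret the two halves overlap by one byte rather than leaving a byte out, and an implementation that gets this wrong will interoperate only with peers that make the same mistake.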
