[Pidgin] #8061: Let the user select trusted ciphers for TLS
Pidgin
trac at pidgin.im
Sun Jul 6 14:30:01 EDT 2014
#8061: Let the user select trusted ciphers for TLS
-------------------------+------------------------
Reporter: ben | Owner:
Type: enhancement | Status: new
Milestone: | Component: libpurple
Version: 2.5.3 | Resolution:
Keywords: ssl, tls |
-------------------------+------------------------
Comment (by belmyst):
I've made this patch to include the above priority string.
But according to [http://blog.lighttpd.net/gnutls-priority-strings.html],
{{{+PFS:+NORMAL:%SSL3_RECORD_VERSION}}}
includes several out of date or insecure ciphers:
{{{
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA      ECDHE-ECDSA  3DES-CBC          SHA1
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA        ECDHE-RSA    3DES-CBC          SHA1
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA          DHE-RSA      3DES-CBC          SHA1
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256        DHE-DSS      AES-128-GCM       AEAD
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384        DHE-DSS      AES-256-GCM       AEAD
TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256   DHE-DSS      CAMELLIA-128-GCM  AEAD
TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384   DHE-DSS      CAMELLIA-256-GCM  AEAD
TLS_DHE_DSS_WITH_AES_128_CBC_SHA           DHE-DSS      AES-128-CBC       SHA1
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256        DHE-DSS      AES-128-CBC       SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA           DHE-DSS      AES-256-CBC       SHA1
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256        DHE-DSS      AES-256-CBC       SHA256
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA      DHE-DSS      CAMELLIA-128-CBC  SHA1
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256   DHE-DSS      CAMELLIA-128-CBC  SHA256
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA      DHE-DSS      CAMELLIA-256-CBC  SHA1
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256   DHE-DSS      CAMELLIA-256-CBC  SHA256
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA          DHE-DSS      3DES-CBC          SHA1
TLS_DHE_DSS_WITH_RC4_128_SHA               DHE-DSS      ARCFOUR-128       SHA1
TLS_RSA_WITH_3DES_EDE_CBC_SHA              RSA          3DES-CBC          SHA1
TLS_RSA_WITH_RC4_128_MD5                   RSA          ARCFOUR-128       MD5
}}}
(To decide, I used
[https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy]
and [https://github.com/cloudflare/sslconfig/blob/master/conf] as guides.
I've also excluded elliptic curves not used by e.g. Google Chrome and
Firefox.)
As a result, my priority string ended up being
{{{+PFS:+NORMAL:!3DES-CBC:!DHE-DSS:!CURVE-SECP192R1:!CURVE-SECP224R1:!MD5:%SSL3_RECORD_VERSION}}}.
It's my first patch here, so all and every comment is more than welcome :)
--
Ticket URL: <https://developer.pidgin.im/ticket/8061#comment:3>
Pidgin <https://pidgin.im>
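
Added example (not part of the comment, the patch, or Pidgin's code): a check that each suite flagged in the list above is removed by at least one exclusion in the proposed priority string, and by which one. It assumes a simplified model in which a `!` or `-` token removes every suite whose key exchange, cipher or MAC column equals that name; it is not GnuTLS's own parser, and the function names are hypothetical.

```python
# Simplified model of GnuTLS "!"/"-" exclusions (assumption, not GnuTLS's parser).
# Rows are the flagged suites from the comment: name, key exchange, cipher, MAC.
FLAGGED = """\
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE-ECDSA 3DES-CBC SHA1
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE-RSA 3DES-CBC SHA1
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA 3DES-CBC SHA1
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE-DSS AES-128-GCM AEAD
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE-DSS AES-256-GCM AEAD
TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 DHE-DSS CAMELLIA-128-GCM AEAD
TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 DHE-DSS CAMELLIA-256-GCM AEAD
TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS AES-128-CBC SHA1
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE-DSS AES-128-CBC SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS AES-256-CBC SHA1
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE-DSS AES-256-CBC SHA256
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE-DSS CAMELLIA-128-CBC SHA1
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 DHE-DSS CAMELLIA-128-CBC SHA256
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE-DSS CAMELLIA-256-CBC SHA1
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 DHE-DSS CAMELLIA-256-CBC SHA256
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS 3DES-CBC SHA1
TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS ARCFOUR-128 SHA1
TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES-CBC SHA1
TLS_RSA_WITH_RC4_128_MD5 RSA ARCFOUR-128 MD5
"""
PRIORITY = ("+PFS:+NORMAL:!3DES-CBC:!DHE-DSS:!CURVE-SECP192R1:"
            "!CURVE-SECP224R1:!MD5:%SSL3_RECORD_VERSION")

def exclusions(priority):
    """Return the algorithm names removed with a '!' or '-' prefix."""
    return [tok[1:] for tok in priority.split(":") if tok[:1] in ("!", "-")]

def parse_suites(text):
    """Split each row into (name, key exchange, cipher, MAC); skip odd rows."""
    return [tuple(f) for f in (ln.split() for ln in text.splitlines()) if len(f) == 4]

def coverage(priority, text=FLAGGED):
    """Map each flagged suite to the exclusion tokens that remove it."""
    removed = exclusions(priority)
    return {name: [t for t in removed if t in (kx, cipher, mac)]
            for name, kx, cipher, mac in parse_suites(text)}

def survivors(priority, text=FLAGGED):
    """Flagged suites that no exclusion token touches."""
    return [name for name, hits in coverage(priority, text).items() if not hits]

if __name__ == "__main__":
    for name, hits in coverage(PRIORITY).items():
        print(f"{name:42} {', '.join(hits) or 'STILL ENABLED'}")
    print("not excluded:", survivors(PRIORITY))
```

In this model the two RC4 rows are removed only through `!DHE-DSS` and `!MD5`; the string has no token naming `ARCFOUR-128` itself.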