[Pidgin] #17217: NSS Handshake fails with TLS1.3

Pidgin trac at pidgin.im
Wed Jun 14 08:05:01 EDT 2017

#17217: NSS Handshake fails with TLS1.3
 Reporter:  vobej   |      Owner:
     Type:  defect  |     Status:  new
Milestone:  2.12.1  |  Component:  libpurple
  Version:  2.12.0  |   Keywords:  ssl nss handshake tls1.3
 The current behavior of the ssl-nss plugin is :
 * Force NSS to use the highest available TLS version

         /* Make sure all versions of TLS supported by the local library
            enabled. (For some reason NSS doesn't enable newer versions of
            by default -- more context in ticket #15909.) */

 * Enable a whitelist of ciphers manually

 /* It's unfortunate we need to manage these manually,
  * ideally NSS would choose good defaults.
  * This is mostly based on FireFox's list:
  * https://hg.mozilla.org/mozilla-
 central/log/default/security/manager/ssl/src/nsNSSComponent.cpp */
 static void ssl_nss_init_ciphers(void) {

 This however conflicts with TLS 1.3 test servers such as
 https://enabled.tls13.com/ and https://www.allizom.org/ as well as some
 live Cloudflare websites such as https://www.f-list.net/ (a chat network
 for which I'm maintaining a purple plugin)

 Despite the fact that those servers also support TLS1.2, setting the
 maximum version to TLS1.3 without enabling the corresponding ciphers
 yields to :

 nss: Handshake failed  (-12286)

 on NSS versions 3.29 and above (fedora 25, archlinux...)

 I have attached an example based on nullclient.c that showcases the issue,
 as well as a possible fix that enabled the TLS1.3 ciphers. Another
 solution would be to trust NSS's default list, maybe it's better nowadays
 than it was when the pidgin team decided to enabled algorithms manually ?

Ticket URL: <https://developer.pidgin.im/ticket/17217>
Pidgin <https://pidgin.im>

More information about the Tracker mailing list