[Pidgin] #17217: NSS Handshake fails with TLS1.3
Pidgin
trac at pidgin.im
Wed Jun 14 08:05:01 EDT 2017
#17217: NSS Handshake fails with TLS1.3
--------------------+--------------------------------------
Reporter: vobej | Owner:
Type: defect | Status: new
Milestone: 2.12.1 | Component: libpurple
Version: 2.12.0 | Keywords: ssl nss handshake tls1.3
--------------------+--------------------------------------
The current behavior of the ssl-nss plugin is :
* Force NSS to use the highest available TLS version
{{{
/* Make sure all versions of TLS supported by the local library
are
enabled. (For some reason NSS doesn't enable newer versions of
TLS
by default -- more context in ticket #15909.) */
}}}
* Enable a whitelist of ciphers manually
{{{
/* It's unfortunate we need to manage these manually,
* ideally NSS would choose good defaults.
* This is mostly based on FireFox's list:
* https://hg.mozilla.org/mozilla-
central/log/default/security/manager/ssl/src/nsNSSComponent.cpp */
static void ssl_nss_init_ciphers(void) {
}}}
This however conflicts with TLS 1.3 test servers such as
https://enabled.tls13.com/ and https://www.allizom.org/ as well as some
live Cloudflare websites such as https://www.f-list.net/ (a chat network
for which I'm maintaining a purple plugin)
Despite the fact that those servers also support TLS1.2, setting the
maximum version to TLS1.3 without enabling the corresponding ciphers
yields to :
{{{
nss: Handshake failed (-12286)
}}}
on NSS versions 3.29 and above (fedora 25, archlinux...)
I have attached an example based on nullclient.c that showcases the issue,
as well as a possible fix that enabled the TLS1.3 ciphers. Another
solution would be to trust NSS's default list, maybe it's better nowadays
than it was when the pidgin team decided to enabled algorithms manually ?
--
Ticket URL: <https://developer.pidgin.im/ticket/17217>
Pidgin <https://pidgin.im>
Pidgin
More information about the Tracker
mailing list