--- a/ChangeLog Fri Sep 12 11:11:34 2014 -0700
+++ b/ChangeLog Fri Sep 12 12:14:38 2014 -0700
@@ -10,6 +10,8 @@
* Specify a different set of encryption ciphers for TLS connections when
using GnuTLS. (elrond, belmyst, and Mark Doliner) (#8061)
+ * Don't allow SSL 3.0 (only TLS 1.0 and newer) for TLS connections when + using either GnuTLS or NSS. * Support building with the GTK+ 3.x toolkit. When configuring the
--- a/libpurple/plugins/ssl/ssl-nss.c Fri Sep 12 11:11:34 2014 -0700
+++ b/libpurple/plugins/ssl/ssl-nss.c Fri Sep 12 12:14:38 2014 -0700
@@ -160,10 +160,12 @@
purple_debug_info("nss", "TLS versions allowed by default: "
"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
- /* Make sure all versions of TLS supported by the local library are
- enabled. (For some reason NSS doesn't enable newer versions of TLS
- by default -- more context in ticket #15909.) */
- if (supported.max > enabled.max) {
+ /* Make sure SSL 3.0 is disabled (it's old and everyone should be + using at least TLS 1.0 by now), and make sure all versions of TLS + supported by the local library are enabled (for some reason NSS + doesn't enable newer versions of TLS by default -- more context in + if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) { enabled.max = supported.max;
if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
purple_debug_info("nss", "Changed allowed TLS versions to "