pidgin/pidgin

Disable SSL 3.0 when using NSS.

2014-09-12, Mark Doliner
63d2b56900d6
Parents bd402b3a86f4
Children c3e87cb60c02
Disable SSL 3.0 when using NSS.

And add a note about this to ChangeLog (for both NSS and GnuTLS, which I
already committed recently).
--- a/ChangeLog Fri Sep 12 11:11:34 2014 -0700
+++ b/ChangeLog Fri Sep 12 12:14:38 2014 -0700
@@ -10,6 +10,8 @@
libpurple:
* Specify a different set of encryption ciphers for TLS connections when
using GnuTLS. (elrond, belmyst, and Mark Doliner) (#8061)
+ * Don't allow SSL 3.0 (only TLS 1.0 and newer) for TLS connections when
+ using either GnuTLS or NSS.
Pidgin:
* Support building with the GTK+ 3.x toolkit. When configuring the
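Review bot: the new entry describes the restriction but not its user-visible effect; a ChangeLog line for a change that tightens protocol negotiation should say what users will observe, namely that connections to servers offering only SSL 3.0 will now fail to negotiate rather than silently fall back. Consider extending the entry, for example "Connections to servers that support only SSL 3.0 will no longer succeed." The sibling GnuTLS entry carries a ticket reference (#8061); if a ticket exists for this change, adding it here would help users trace the rationale.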
--- a/libpurple/plugins/ssl/ssl-nss.c Fri Sep 12 11:11:34 2014 -0700
+++ b/libpurple/plugins/ssl/ssl-nss.c Fri Sep 12 12:14:38 2014 -0700
@@ -160,10 +160,12 @@
purple_debug_info("nss", "TLS versions allowed by default: "
"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
- /* Make sure all versions of TLS supported by the local library are
- enabled. (For some reason NSS doesn't enable newer versions of TLS
- by default -- more context in ticket #15909.) */
- if (supported.max > enabled.max) {
+ /* Make sure SSL 3.0 is disabled (it's old and everyone should be
+ using at least TLS 1.0 by now), and make sure all versions of TLS
+ supported by the local library are enabled (for some reason NSS
+ doesn't enable newer versions of TLS by default -- more context in
+ ticket #15909). */
+ if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) {
enabled.max = supported.max;
if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
purple_debug_info("nss", "Changed allowed TLS versions to "
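Review bot: the widened condition on the `if` line now fires when `enabled.min != SSL_LIBRARY_VERSION_TLS_1_0`, but the only assignment visible inside the block is `enabled.max = supported.max;`, so unless `enabled.min` is set elsewhere in the block the call to `SSL_VersionRangeSetDefault` re-applies the same minimum and SSL 3.0 stays enabled. Add `enabled.min = SSL_LIBRARY_VERSION_TLS_1_0;` next to the `enabled.max` assignment so the range actually changes, and consider `enabled.min < SSL_LIBRARY_VERSION_TLS_1_0` instead of `!=`, since the inequality would also trigger for a library whose default minimum is already above TLS 1.0 and then lower it. The debug message that follows ("Changed allowed TLS versions to ...") should print both bounds so the log confirms the new floor took effect.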