--- a/ChangeLog Thu Sep 11 15:43:53 2014 -0700
+++ b/ChangeLog Fri Sep 12 11:11:34 2014 -0700
@@ -74,6 +74,10 @@
was an offline message. (Flavius Anton) (#2497)
+ * Allow and prefer TLS 1.2 and 1.1 when using libnss. (Elrond and libpurple3 compatibility:
* Encrypted account passwords are preserved until the new one is set.
* Fix loading Google Talk and Facebook XMPP accounts.
@@ -307,7 +311,7 @@
this issue and suggesting solutions. (#15277)
* Updates to a number of dependencies, some of which have security
related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen
- for identifying the vulnerable libraries and to Dieter Verfaillie
+ for identifying the vulnerable libraries and to Dieter Verfaillie for helping getting the libraries updated. (#14571, #15285, #15286)
--- a/libpurple/plugins/ssl/ssl-nss.c Thu Sep 11 15:43:53 2014 -0700
+++ b/libpurple/plugins/ssl/ssl-nss.c Fri Sep 12 11:11:34 2014 -0700
@@ -133,6 +133,8 @@
+ SSLVersionRange supported, enabled;
 PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
@@ -150,6 +152,29 @@
SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+ /* Get the ranges of supported and enabled SSL versions */
+ if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
+ (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
+ purple_debug_info("nss", "TLS supported versions: "
+ "0x%04hx through 0x%04hx\n", supported.min, supported.max);
+ purple_debug_info("nss", "TLS versions allowed by default: "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
+ /* Make sure all versions of TLS supported by the local library are
+ enabled. (For some reason NSS doesn't enable newer versions of TLS
+ by default -- more context in ticket #15909.) */
+ if (supported.max > enabled.max) {
+ enabled.max = supported.max;
+ if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
+ purple_debug_info("nss", "Changed allowed TLS versions to "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
+ purple_debug_error("nss", "Error setting allowed TLS versions to "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
 _identity = PR_GetUniqueIdentity("Purple");
_nss_methods = PR_GetDefaultIOMethods();
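Review bot: The new version-range handling only widens the upper bound — `enabled.max` is raised to `supported.max` — while `enabled.min` is handed back to `SSL_VersionRangeSetDefault` exactly as the library default returned it, so whatever minimum NSS enables by default (possibly SSL 3.0 on older builds) remains allowed. Since the code is already rewriting the default range, it could apply a floor in the same step: raise `enabled.min` to `SSL_LIBRARY_VERSION_TLS_1_0` when it is lower, and call `SSL_VersionRangeSetDefault` whenever either bound changed rather than only when the maximum did. The `purple_debug_info` calls already print `enabled.min`, so the effective floor stays visible in the debug log. The enclosing init function starts before and ends after this hunk, and the rendering appears to have dropped the `else` between the success and error messages, so the exact bracing is inferred.
```c
	if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
	    (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
		int changed = 0;
		/* … unchanged: debug output of the supported and default ranges … */
		if (supported.max > enabled.max) {
			enabled.max = supported.max;
			changed = 1;
		}
		/* Do not keep a pre-TLS-1.0 minimum just because the library default allows it. */
		if (enabled.min < SSL_LIBRARY_VERSION_TLS_1_0) {
			enabled.min = SSL_LIBRARY_VERSION_TLS_1_0;
			changed = 1;
		}
		if (changed) {
			/* … unchanged: SSL_VersionRangeSetDefault call with its info/error messages … */
		}
```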