--- a/ChangeLog Mon Jul 07 23:59:49 2014 -0700
+++ b/ChangeLog Thu Oct 09 20:56:08 2014 -0700
@@ -1,6 +1,10 @@
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
+ * Allow and prefer TLS 1.2 and 1.1 when using libnss. (Elrond and libpurple3 compatibility:
* Encrypted account passwords are preserved until the new one is set.
* Fix loading Google Talk and Facebook XMPP accounts.
@@ -10,7 +14,7 @@
user installs a smiley theme via drag-and-drop. (Discovered by Yves
Younan of Sourcefire VRT)
* Updates to dependencies:
- * NSS 3.16 and NSPR 4.10.4+ * NSS 3.17.1 and NSPR 4.10.7 * Fix build against Python 3. (Ed Catmur) (#15969)
@@ -247,7 +251,7 @@
this issue and suggesting solutions. (#15277)
* Updates to a number of dependencies, some of which have security
related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen
- for identifying the vulnerable libraries and to Dieter Verfaillie + for identifying the vulnerable libraries and to Dieter Verfaillie for helping getting the libraries updated. (#14571, #15285, #15286)
--- a/Makefile.mingw Mon Jul 07 23:59:49 2014 -0700
+++ b/Makefile.mingw Thu Oct 09 20:56:08 2014 -0700
@@ -33,12 +33,21 @@
GTK_INSTALL_VERSION = 2.16.6.2
+authenticode_sign = $(SIGNTOOL) sign \ + /f "$(SIGNTOOL_PFX)" /p "$(SIGNTOOL_PASSWORD)" \ + /d $(2) /du "https://pidgin.im" \ + /tr "http://timestamp.comodoca.com/rfc3161" /td SHA256 \ authenticode_sign = $(MONO_SIGNCODE) \
-spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
-n "$(2)" -i "https://pidgin.im" \
-t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
gpg_sign = $(GPG_SIGN) -ab $(1) && $(GPG_SIGN) --verify $(1).asc
--- a/libpurple/plugins/ssl/ssl-nss.c Mon Jul 07 23:59:49 2014 -0700
+++ b/libpurple/plugins/ssl/ssl-nss.c Thu Oct 09 20:56:08 2014 -0700
@@ -32,6 +32,9 @@
+/* WINDDK_BUILD is defined because the checks around usage of + * intrisic functions are wrong in nspr */ /* TODO: Why is this done?
@@ -133,6 +136,10 @@
+#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 ) + SSLVersionRange supported, enabled; +#endif /* NSS >= 3.14 */ PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
@@ -150,6 +157,31 @@
SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 ) + /* Get the ranges of supported and enabled SSL versions */ + if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) && + (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) { + purple_debug_info("nss", "TLS supported versions: " + "0x%04hx through 0x%04hx\n", supported.min, supported.max); + purple_debug_info("nss", "TLS versions allowed by default: " + "0x%04hx through 0x%04hx\n", enabled.min, enabled.max); + /* Make sure all versions of TLS supported by the local library are + enabled. (For some reason NSS doesn't enable newer versions of TLS + by default -- more context in ticket #15909.) */ + if (supported.max > enabled.max) { + enabled.max = supported.max; + if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) { + purple_debug_info("nss", "Changed allowed TLS versions to " + "0x%04hx through 0x%04hx\n", enabled.min, enabled.max); + purple_debug_error("nss", "Error setting allowed TLS versions to " + "0x%04hx through 0x%04hx\n", enabled.min, enabled.max); +#endif /* NSS >= 3.14 */ _identity = PR_GetUniqueIdentity("Purple");
_nss_methods = PR_GetDefaultIOMethods();
--- a/libpurple/win32/global.mak Mon Jul 07 23:59:49 2014 -0700
+++ b/libpurple/win32/global.mak Thu Oct 09 20:56:08 2014 -0700
@@ -17,7 +17,7 @@
BONJOUR_TOP ?= $(WIN32_DEV_TOP)/Bonjour_SDK
LIBXML2_TOP ?= $(WIN32_DEV_TOP)/libxml2-2.9.0
MEANWHILE_TOP ?= $(WIN32_DEV_TOP)/meanwhile-1.0.2_daa3
-NSS_TOP ?= $(WIN32_DEV_TOP)/nss-3.16-nspr-4.10.4+NSS_TOP ?= $(WIN32_DEV_TOP)/nss-3.17.1-nspr-4.10.7 PERL_LIB_TOP ?= $(WIN32_DEV_TOP)/perl-5.10.0
SILC_TOOLKIT ?= $(WIN32_DEV_TOP)/silc-toolkit-1.1.10
TCL_LIB_TOP ?= $(WIN32_DEV_TOP)/tcl-8.4.5
--- a/po/de.po Mon Jul 07 23:59:49 2014 -0700
+++ b/po/de.po Thu Oct 09 20:56:08 2014 -0700
@@ -12,8 +12,8 @@
"Project-Id-Version: de\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2014-06-20 18:24+0200\n"-"PO-Revision-Date: 2014-06-20 18:23+0200\n"+"POT-Creation-Date: 2014-07-12 10:20+0200\n" +"PO-Revision-Date: 2014-07-12 10:19+0200\n" "Last-Translator: Björn Voigt <bjoern@cs.tu-berlin.de>\n"
"Language-Team: German <de@li.org>\n"
@@ -1804,11 +1804,20 @@
"dass Sie tatsächlich nicht mit dem Dienst verbunden sind, mit dem Sie "
"glauben verbunden zu sein."
+#. TODO: Find what the handle ought to be +msgid "Certificate Information" +msgstr "Zertifikat-Information" +msgid "Unable to find Issuer Certificate" +msgstr "Kann das Ausstellerzertifikat nicht finden" "Fingerprint (SHA1): %s\n"
@@ -1816,14 +1825,18 @@
"Allgemeiner Name (Common name): %s\n"
+"Herausgegeben von: %s\n" "Fingerabdruck (SHA1): %s\n"
"Aktivierungsdatum: %s\n"
-#. TODO: Find what the handle ought to be-msgid "Certificate Information"-msgstr "Zertifikat-Information"+msgstr "(selbstsigniert)" +msgid "View Issuer Certificate" +msgstr "Zeige Ausstellerzertifikat" msgid "Registration Error"
