--- a/libpurple/plugins/ssl/ssl-nss.c Wed Nov 05 00:07:54 2014 -0500
+++ b/libpurple/plugins/ssl/ssl-nss.c Wed Nov 05 00:09:52 2014 -0500
@@ -139,9 +139,61 @@
-static void ssl_nss_log_ciphers(void) {
+static const PRUint16 default_ciphers[] = { +#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \ + || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 1 ) + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, +# if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \ + || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 2 ) + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* deprecated (DSS) */ + /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, false }, // deprecated (DSS) */ + TLS_ECDHE_RSA_WITH_RC4_128_SHA, /* deprecated (RC4) */ + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, /* deprecated (RC4) */ + /* RFC 6120 Mandatory */ + TLS_RSA_WITH_AES_128_CBC_SHA, /* deprecated (RSA key exchange) */ + TLS_RSA_WITH_AES_256_CBC_SHA, /* deprecated (RSA key exchange) */ + /* TLS_RSA_WITH_3DES_EDE_CBC_SHA, deprecated (RSA key exchange, 3DES) */ +/* It's unfortunate we need to manage these manually, + * ideally NSS would choose good defaults. + * This is mostly based on FireFox's list: + * https://hg.mozilla.org/mozilla-central/log/default/security/manager/ssl/src/nsNSSComponent.cpp */ +static void ssl_nss_init_ciphers(void) { + /* Disable any ciphers that NSS might have enabled by default */ for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
+ SSL_CipherPrefSetDefault(*cipher, PR_FALSE); + /* Now only set SSL/TLS ciphers we knew about at compile time */ + for (cipher = default_ciphers; *cipher != 0; ++cipher) { + SSL_CipherPrefSetDefault(*cipher, PR_TRUE); + /* Now log the available and enabled Ciphers */ + for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) { const PRUint16 suite = *cipher;
@@ -185,18 +237,7 @@
#endif /* NSS < 3.15.2 */
- SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_RC4_128_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+ ssl_nss_init_ciphers(); #if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 )
/* Get the ranges of supported and enabled SSL versions */
@@ -229,7 +270,6 @@
_identity = PR_GetUniqueIdentity("Purple");
_nss_methods = PR_GetDefaultIOMethods();