pidgin/pidgin

Allow and prefer TLS 1.2 and 1.1 when using libnss. Patch from Elrond,
release-2.x.y
2014-08-16, Mark Doliner
f4e63e354f45
Parents b952e1fee6ac
Children a8b55b63ecbb
Allow and prefer TLS 1.2 and 1.1 when using libnss. Patch from Elrond,
with additional logging from Ashish Gupta.

Fixes #15909

FYI gnutls enables TLS 1.2 and 1.1 by default, when available, so there's
no need to mirror this change in that code.
2 files changed, 30 insertions(+), 1 deletions(-)
  • +5 -1
    ChangeLog
  • +25 -0
    libpurple/plugins/ssl/ssl-nss.c
    • --- a/ChangeLog Sat Jul 12 10:27:17 2014 +0200
    +++ b/ChangeLog Sat Aug 16 16:35:40 2014 -0700
    @@ -1,6 +1,10 @@
    Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
    version 2.10.10 (?/?/?):
    + General:
    + * Allow and prefer TLS 1.2 and 1.1 when using libnss. (Elrond and
    + Ashish Gupta) (#15909)
    +
    libpurple3 compatibility:
    * Encrypted account passwords are preserved until the new one is set.
    * Fix loading Google Talk and Facebook XMPP accounts.
    @@ -234,7 +238,7 @@
    this issue and suggesting solutions. (#15277)
    * Updates to a number of dependencies, some of which have security
    related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen
    - for identifying the vulnerable libraries and to Dieter Verfaillie
    + for identifying the vulnerable libraries and to Dieter Verfaillie
    for helping getting the libraries updated. (#14571, #15285, #15286)
    * ATK 1.32.0-2
    * Cyrus SASL 2.1.25
    --- a/libpurple/plugins/ssl/ssl-nss.c Sat Jul 12 10:27:17 2014 +0200
    +++ b/libpurple/plugins/ssl/ssl-nss.c Sat Aug 16 16:35:40 2014 -0700
    @@ -133,6 +133,8 @@
    static void
    ssl_nss_init_nss(void)
    {
    + SSLVersionRange supported, enabled;
    +
    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
    NSS_NoDB_Init(".");
    NSS_SetDomesticPolicy();
    @@ -150,6 +152,29 @@
    SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
    SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
    + /* Get the ranges of supported and enabled SSL versions */
    + if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
    + (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
    + purple_debug_info("nss", "TLS supported versions: "
    + "%d through %d\n", supported.min, supported.max);
    + purple_debug_info("nss", "TLS versions allowed by default: "
    + "%d through %d\n", enabled.min, enabled.max);
    +
    + /* Make sure all versions of TLS supported by the local library are
    + enabled. (For some reason NSS doesn't enable newer versions of TLS
    + by default -- more context in ticket #15909.) */
    + if (supported.max > enabled.max) {
    + enabled.max = supported.max;
    + if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
    + purple_debug_info("nss", "Changed allowed TLS versions to "
    + "%d through %d\n", enabled.min, enabled.max);
    + } else {
    + purple_debug_error("nss", "Error setting allowed TLS versions to "
    + "%d through %d\n", enabled.min, enabled.max);
    + }
    + }
    + }
    +
    _identity = PR_GetUniqueIdentity("Purple");
    _nss_methods = PR_GetDefaultIOMethods();
    }