HGKeeper

Only attempt to change the allowed TLS version range if it's supported.
release-2.x.y
2014-09-28, Mark Doliner

90c81031ac46

Parents 89bb3eaa33b9
Children c3e87cb60c02 6d2325070ec8

Only attempt to change the allowed TLS version range if it's supported.

The necessary functions were added in NSS 3.14.

Hopefully fixes the Jenkins build on debian-ppc64, which is apparently
using a pretty old version of NSS?
https://www.guifications.org/jenkins/view/Pidgin/job/pidgin-debian-ppc64-2.x.y/

Thanks to Tomasz for noticing that it was broken.

1 files changed, 22 insertions(+), 20 deletions(-)

+22 -20

libpurple/plugins/ssl/ssl-nss.c

~~--- a/libpurple/plugins/ssl/ssl-nss.c Sat Sep 27 22:28:08 2014 -0400~~

+++ b/libpurple/plugins/ssl/ssl-nss.c Sun Sep 28 19:07:00 2014 -0700

@@ -136,8 +136,6 @@

static void

ssl_nss_init_nss(void)

{

~~- SSLVersionRange supported, enabled;~~

-

PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);

NSS_NoDB_Init(".");

NSS_SetDomesticPolicy();

@@ -155,25 +153,29 @@

SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);

SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);

~~- /* Get the ranges of supported and enabled SSL versions */~~

~~- if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&~~

~~- (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {~~

~~- purple_debug_info("nss", "TLS supported versions: "~~

~~- "0x%04hx through 0x%04hx\n", supported.min, supported.max);~~

~~- purple_debug_info("nss", "TLS versions allowed by default: "~~

~~- "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);~~

+ if (NSS_VersionCheck("3.14")) {

+ SSLVersionRange supported, enabled;

+

+ /* Get the ranges of supported and enabled SSL versions */

+ if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&

+ (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {

+ purple_debug_info("nss", "TLS supported versions: "

+ "0x%04hx through 0x%04hx\n", supported.min, supported.max);

+ purple_debug_info("nss", "TLS versions allowed by default: "

+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);

~~- /* Make sure all versions of TLS supported by the local library are~~

~~- enabled. (For some reason NSS doesn't enable newer versions of TLS~~

~~- by default -- more context in ticket #15909.) */~~

~~- if (supported.max > enabled.max) {~~

~~- enabled.max = supported.max;~~

~~- if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {~~

~~- purple_debug_info("nss", "Changed allowed TLS versions to "~~

~~- "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);~~

~~- } else {~~

~~- purple_debug_error("nss", "Error setting allowed TLS versions to "~~

~~- "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);~~

+ /* Make sure all versions of TLS supported by the local library are

+ enabled. (For some reason NSS doesn't enable newer versions of TLS

+ by default -- more context in ticket #15909.) */

+ if (supported.max > enabled.max) {

+ enabled.max = supported.max;

+ if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {

+ purple_debug_info("nss", "Changed allowed TLS versions to "

+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);

+ } else {

+ purple_debug_error("nss", "Error setting allowed TLS versions to "

+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);

+ }

}

qulogic/pidgin