changeset
Allow and prefer TLS 1.2 and 1.1 when using libnss. Patch from Elrond,
Sat, 16 Aug 2014 16:35:40 -0700
- author
- Mark Doliner <mark@kingant.net>
- date
- Sat, 16 Aug 2014 16:35:40 -0700
- branch
- release-2.x.y
- changeset 36152
- f4e63e354f45
- parent 36151
- b952e1fee6ac
- child 36157
- a8b55b63ecbb
Allow and prefer TLS 1.2 and 1.1 when using libnss. Patch from Elrond,
with additional logging from Ashish Gupta.
Fixes #15909
FYI gnutls enables TLS 1.2 and 1.1 by default, when available, so there's
no need to mirror this change in that code.
| ChangeLog | file | annotate | diff | comparison | revisions | |
| libpurple/plugins/ssl/ssl-nss.c | file | annotate | diff | comparison | revisions |
--- a/ChangeLog Sat Jul 12 10:27:17 2014 +0200 +++ b/ChangeLog Sat Aug 16 16:35:40 2014 -0700 @@ -1,6 +1,10 @@ Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul version 2.10.10 (?/?/?): + General: + * Allow and prefer TLS 1.2 and 1.1 when using libnss. (Elrond and + Ashish Gupta) (#15909) + libpurple3 compatibility: * Encrypted account passwords are preserved until the new one is set. * Fix loading Google Talk and Facebook XMPP accounts. @@ -234,7 +238,7 @@ this issue and suggesting solutions. (#15277) * Updates to a number of dependencies, some of which have security related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen - for identifying the vulnerable libraries and to Dieter Verfaillie + for identifying the vulnerable libraries and to Dieter Verfaillie for helping getting the libraries updated. (#14571, #15285, #15286) * ATK 1.32.0-2 * Cyrus SASL 2.1.25
--- a/libpurple/plugins/ssl/ssl-nss.c Sat Jul 12 10:27:17 2014 +0200 +++ b/libpurple/plugins/ssl/ssl-nss.c Sat Aug 16 16:35:40 2014 -0700 @@ -133,6 +133,8 @@ static void ssl_nss_init_nss(void) { + SSLVersionRange supported, enabled; + PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); NSS_NoDB_Init("."); NSS_SetDomesticPolicy(); @@ -150,6 +152,29 @@ SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1); SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1); + /* Get the ranges of supported and enabled SSL versions */ + if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) && + (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) { + purple_debug_info("nss", "TLS supported versions: " + "%d through %d\n", supported.min, supported.max); + purple_debug_info("nss", "TLS versions allowed by default: " + "%d through %d\n", enabled.min, enabled.max); + + /* Make sure all versions of TLS supported by the local library are + enabled. (For some reason NSS doesn't enable newer versions of TLS + by default -- more context in ticket #15909.) */ + if (supported.max > enabled.max) { + enabled.max = supported.max; + if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) { + purple_debug_info("nss", "Changed allowed TLS versions to " + "%d through %d\n", enabled.min, enabled.max); + } else { + purple_debug_error("nss", "Error setting allowed TLS versions to " + "%d through %d\n", enabled.min, enabled.max); + } + } + } + _identity = PR_GetUniqueIdentity("Purple"); _nss_methods = PR_GetDefaultIOMethods(); }
