authorDaniel Atallah <datallah@pidgin.im>2014-11-05 00:09:52 -0500
committerDaniel Atallah <datallah@pidgin.im>2014-11-05 00:09:52 -0500
commit3dfef3c946e47c9cf7a30d5f600a1b2fb0b5dd35 (patch)
tree60d2335c0cbbfb94fad65d9319c08f8d234e9b2d
parent81b8a037092881cdf83c07276177280fd38fb84e (diff)
downloadpidgin-3dfef3c946e47c9cf7a30d5f600a1b2fb0b5dd35.tar.gz
Update NSS Default Cipher suites
* Use Firefox as a base reference, include some previously used stuff and enable various PFS cipher suites
* The following cipher suites were previously enabled (when using NSS 3.17.1) and are no longer enabled:
  * Various using RC2 and MD5
  * TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  * TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  * TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  * TLS_DHE_DSS_WITH_RC4_128_SHA
  * TLS_RSA_WITH_3DES_EDE_CBC_SHA
  * TLS_RSA_WITH_RC4_128_SHA (this is probably the most controversial removal)
  * TLS_RSA_WITH_RC4_128_MD5
  * TLS_DHE_RSA_WITH_DES_CBC_SHA
  * TLS_DHE_DSS_WITH_DES_CBC_SHA

Refs #8062, Fixes #16262
-rw-r--r--libpurple/plugins/ssl/ssl-nss.c68
1 files changed, 54 insertions, 14 deletions
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
index 85335e8a04..ef00ba266f 100644
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -139,9 +139,61 @@ static gchar *get_error_text(void)
return ret;
}
-static void ssl_nss_log_ciphers(void) {
+static const PRUint16 default_ciphers[] = {
+#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
+ || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 1 )
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+# if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
+ || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 2 )
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+# endif
+#endif
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* deprecated (DSS) */
+ /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, false }, // deprecated (DSS) */
+
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA, /* deprecated (RC4) */
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, /* deprecated (RC4) */
+
+ /* RFC 6120 Mandatory */
+ TLS_RSA_WITH_AES_128_CBC_SHA, /* deprecated (RSA key exchange) */
+ TLS_RSA_WITH_AES_256_CBC_SHA, /* deprecated (RSA key exchange) */
+ /* TLS_RSA_WITH_3DES_EDE_CBC_SHA, deprecated (RSA key exchange, 3DES) */
+
+ 0 /* end marker */
+};
+
+/* It's unfortunate we need to manage these manually,
+ * ideally NSS would choose good defaults.
+ * This is mostly based on FireFox's list:
+ * https://hg.mozilla.org/mozilla-central/log/default/security/manager/ssl/src/nsNSSComponent.cpp */
+static void ssl_nss_init_ciphers(void) {
+ /* Disable any ciphers that NSS might have enabled by default */
const PRUint16 *cipher;
for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
+ SSL_CipherPrefSetDefault(*cipher, PR_FALSE);
+ }
+
+ /* Now only set SSL/TLS ciphers we knew about at compile time */
+ for (cipher = default_ciphers; *cipher != 0; ++cipher) {
+ SSL_CipherPrefSetDefault(*cipher, PR_TRUE);
+ }
+
+ /* Now log the available and enabled Ciphers */
+ for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
const PRUint16 suite = *cipher;
SECStatus rv;
PRBool enabled;
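Review bot: The disable loop in ssl_nss_init_ciphers discards the SECStatus returned by SSL_CipherPrefSetDefault, so a suite that NSS fails to turn off would stay enabled with no record at the point where the policy is applied; the enable loop over default_ciphers has the same gap. Check the result, for example `if (SSL_CipherPrefSetDefault(*cipher, PR_FALSE) != SECSuccess) purple_debug_warning("nss", "Unable to disable cipher 0x%04x\n", *cipher);`. Separately, the two ECDHE RC4 suites stay enabled although the list itself marks them deprecated and the commit drops the other RC4 suites; a comment recording why they are kept, and when they can go, would help the next maintainer. The commented-out DSS entry also carries a stray `false }, //` that looks copied from another table. The function's logging loop continues past the end of this hunk.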
@@ -185,18 +237,7 @@ ssl_nss_init_nss(void)
NSS_SetDomesticPolicy();
#endif /* NSS < 3.15.2 */
- SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_RC4_128_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+ ssl_nss_init_ciphers();
#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 )
/* Get the ranges of supported and enabled SSL versions */
@@ -229,7 +270,6 @@ ssl_nss_init_nss(void)
_identity = PR_GetUniqueIdentity("Purple");
_nss_methods = PR_GetDefaultIOMethods();
- ssl_nss_log_ciphers();
}
static SECStatus