author | Daniel Atallah <datallah@pidgin.im> | 2014-11-05 00:09:52 -0500 |
---|---|---|
committer | Daniel Atallah <datallah@pidgin.im> | 2014-11-05 00:09:52 -0500 |
commit | 3dfef3c946e47c9cf7a30d5f600a1b2fb0b5dd35 (patch) | |
tree | 60d2335c0cbbfb94fad65d9319c08f8d234e9b2d | |
parent | 81b8a037092881cdf83c07276177280fd38fb84e (diff) | |
download | pidgin-3dfef3c946e47c9cf7a30d5f600a1b2fb0b5dd35.tar.gz |
Update NSS Default Cipher suites
* Use Firefox as a base reference, include some previously used stuff and enable various PFS cipher suites
* The following cipher suites were previously enabled (when using NSS 3.17.1)
and are no longer enabled:
* Various using RC2 and MD5
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_DSS_WITH_RC4_128_SHA
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_RC4_128_SHA (this is probably the most controversial removal)
* TLS_RSA_WITH_RC4_128_MD5
* TLS_DHE_RSA_WITH_DES_CBC_SHA
* TLS_DHE_DSS_WITH_DES_CBC_SHA
Refs #8062, Fixes #16262
-rw-r--r-- | libpurple/plugins/ssl/ssl-nss.c | 68 |
1 files changed, 54 insertions, 14 deletions
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
index 85335e8a04..ef00ba266f 100644
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -139,9 +139,61 @@ static gchar *get_error_text(void)
 return ret;
 }
-static void ssl_nss_log_ciphers(void) {
+static const PRUint16 default_ciphers[] = {
+#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
+ || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 1 )
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+# if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
+ || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 2 )
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+# endif
+#endif
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* deprecated (DSS) */
+ /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, false }, // deprecated (DSS) */
+
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA, /* deprecated (RC4) */
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, /* deprecated (RC4) */
+
+ /* RFC 6120 Mandatory */
+ TLS_RSA_WITH_AES_128_CBC_SHA, /* deprecated (RSA key exchange) */
+ TLS_RSA_WITH_AES_256_CBC_SHA, /* deprecated (RSA key exchange) */
+ /* TLS_RSA_WITH_3DES_EDE_CBC_SHA, deprecated (RSA key exchange, 3DES) */
+
+ 0 /* end marker */
+};
+
+/* It's unfortunate we need to manage these manually,
+ * ideally NSS would choose good defaults.
+ * This is mostly based on FireFox's list:
+ * https://hg.mozilla.org/mozilla-central/log/default/security/manager/ssl/src/nsNSSComponent.cpp */
+static void ssl_nss_init_ciphers(void) {
+ /* Disable any ciphers that NSS might have enabled by default */
 const PRUint16 *cipher;
 for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
+ SSL_CipherPrefSetDefault(*cipher, PR_FALSE);
+ }
+
+ /* Now only set SSL/TLS ciphers we knew about at compile time */
+ for (cipher = default_ciphers; *cipher != 0; ++cipher) {
+ SSL_CipherPrefSetDefault(*cipher, PR_TRUE);
+ }
+
+ /* Now log the available and enabled Ciphers */
+ for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
 const PRUint16 suite = *cipher;
 SECStatus rv;
 PRBool enabled;
@@ -185,18 +237,7 @@ ssl_nss_init_nss(void)
 NSS_SetDomesticPolicy();
 #endif /* NSS < 3.15.2 */
- SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_256_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_RC4_128_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_SHA, 1);
- SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_128_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
- SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+ ssl_nss_init_ciphers();
 #if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 )
 /* Get the ranges of supported and enabled SSL versions */
@@ -229,7 +270,6 @@ ssl_nss_init_nss(void)
 _identity = PR_GetUniqueIdentity("Purple");
 _nss_methods = PR_GetDefaultIOMethods();
- ssl_nss_log_ciphers();
 }
 static SECStatus |
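Review bot: Both `SSL_CipherPrefSetDefault()` calls in `ssl_nss_init_ciphers()` discard their `SECStatus`, so a suite that fails to be disabled in the first loop keeps whatever default NSS gave it and the allow-list no longer describes what is actually on. The logging loop that follows appears to report the resulting state, but only as routine output; a failed disable deserves its own warning, e.g. `if (SSL_CipherPrefSetDefault(*cipher, PR_FALSE) != SECSuccess) purple_debug_warning("nss", "Unable to disable cipher 0x%04x\n", *cipher);`. The same check on the enable loop would show when a suite named at compile time is rejected by the NSS library loaded at run time. The body of `ssl_nss_init_ciphers()` continues past the end of this hunk.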
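Review bot: The new `ssl_nss_init_ciphers();` call in `ssl_nss_init_nss()` appears to depend on running after `NSS_SetDomesticPolicy()` in the pre-3.15.2 branch just above it, and nothing at the call site records that. If the policy call also alters suite defaults on those NSS versions (worth confirming against the NSS sources), moving the cipher setup above it later would silently undo the allow-list. A comment such as `/* Must follow NSS_SetDomesticPolicy(): resets every suite default, then enables only default_ciphers[] */` would pin the order. `ssl_nss_init_nss()` starts and ends outside this hunk.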