changeset 24181:0006181485ea

Enable a number of default-disabled strong ciphers for NSS. For some reason the NSS default US Domestic policy does not enable a number of strong ciphers which are entirely reasonable, and in fact may be preferred. (E.g. those using SHA over MD5.) This patch enables all available AES, 3DES, and RC4 ciphers which are not enabled by default. Thanks to Marcus Trautwig for this. Fixes #1435
author Ethan Blanton <elb@pidgin.im>
date Tue, 23 Sep 2008 17:36:13 +0000 (2008-09-23)
parents 14915e96311e
children a29ae9a5c311 6c8f5ebbb6b7
files COPYRIGHT ChangeLog libpurple/plugins/ssl/ssl-nss.c
diffstat 3 files changed, 16 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/COPYRIGHT	Tue Sep 23 08:33:34 2008 +0000
+++ b/COPYRIGHT	Tue Sep 23 17:36:13 2008 +0000
@@ -425,6 +425,7 @@
 Gal Topper
 Chris Toshok
 Ken Tossell
+Marcus Trautwig
 Tom Tromey
 Todd Troxell
 Brad Turcotte
--- a/ChangeLog	Tue Sep 23 08:33:34 2008 +0000
+++ b/ChangeLog	Tue Sep 23 17:36:13 2008 +0000
@@ -5,6 +5,8 @@
 	* Restored the "Has You" feature to the MSN protocol tooltips.
 	* Fixed a crash on removing a custom buddy icon on a buddy.
 	* Fixed a crash caused by certain self-signed SSL certificates.
+	* Enable a number of strong ciphers which were previously disabled
+	  when using NSS.  (Thanks to Marcus Trautwig.)
 
 	Pidgin:
 	* The status selector now saves your message when changing status.
--- a/libpurple/plugins/ssl/ssl-nss.c	Tue Sep 23 08:33:34 2008 +0000
+++ b/libpurple/plugins/ssl/ssl-nss.c	Tue Sep 23 17:36:13 2008 +0000
@@ -141,6 +141,19 @@
 	g_free(lib);
 	NSS_SetDomesticPolicy();
 
+	SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_256_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_RC4_128_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_128_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+
 	_identity = PR_GetUniqueIdentity("Purple");
 	_nss_methods = PR_GetDefaultIOMethods();
 }