Merged in dequisdequis/pidgin/release-2.x.y (pull request #218)

ssl-nss: Use default NSS ciphersuites/TLS versions, fixes TLS 1.3 issues

Approved-by: Eion Robb <eionrobb@gmail.com>
Approved-by: Gary Kramlich <grim@reaperworld.com>
Approved-by: Ethan Blanton <elb@kb8ojh.net>

1 files changed, 1 insertions, 65 deletions

diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
index 9501dbe410..cff738161a 100644
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -139,60 +139,10 @@ static gchar *get_error_text(void)
 	return ret;
 }
 
-static const PRUint16 default_ciphers[] = {
-#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
-		|| ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 1 )
-	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-# if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
-		|| ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 2 )
-	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-# endif
-#endif
-	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-
-	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-
-	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-
-	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-
-	TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* deprecated (DSS) */
-	/* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, false }, // deprecated (DSS) */
-
-	TLS_ECDHE_RSA_WITH_RC4_128_SHA,		/* deprecated (RC4) */
-	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 	/* deprecated (RC4) */
-
-	/* RFC 6120 Mandatory */
-	TLS_RSA_WITH_AES_128_CBC_SHA,		/* deprecated (RSA key exchange) */
-	TLS_RSA_WITH_AES_256_CBC_SHA,		/* deprecated (RSA key exchange) */
-	/* TLS_RSA_WITH_3DES_EDE_CBC_SHA, 	 deprecated (RSA key exchange, 3DES) */
-
-	0 /* end marker */
-};
-
-/* It's unfortunate we need to manage these manually,
- * ideally NSS would choose good defaults.
- * This is mostly based on FireFox's list:
- * https://hg.mozilla.org/mozilla-central/log/default/security/manager/ssl/src/nsNSSComponent.cpp */
 static void ssl_nss_init_ciphers(void) {
-	/* Disable any ciphers that NSS might have enabled by default */
 	const PRUint16 *cipher;
-	for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
-		SSL_CipherPrefSetDefault(*cipher, PR_FALSE);
-	}
-
-	/* Now only set SSL/TLS ciphers we knew about at compile time */
-	for (cipher = default_ciphers; *cipher != 0; ++cipher) {
-		SSL_CipherPrefSetDefault(*cipher, PR_TRUE);
-	}
 
-	/* Now log the available and enabled Ciphers */
+	/* Log the available and enabled Ciphers */
 	for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
 		const PRUint16 suite = *cipher;
 		SECStatus rv;
@@ -246,20 +196,6 @@ ssl_nss_init_nss(void)
 				"0x%04hx through 0x%04hx\n", supported.min, supported.max);
 		purple_debug_info("nss", "TLS versions allowed by default: "
 				"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
-
-		/* Make sure all versions of TLS supported by the local library are
-		   enabled. (For some reason NSS doesn't enable newer versions of TLS
-		   by default -- more context in ticket #15909.) */
-		if (supported.max > enabled.max) {
-			enabled.max = supported.max;
-			if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
-				purple_debug_info("nss", "Changed allowed TLS versions to "
-						"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
-			} else {
-				purple_debug_error("nss", "Error setting allowed TLS versions to "
-						"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
-			}
-		}
 	}
 #endif /* NSS >= 3.14 */