-rw-r--r-- | libpurple/plugins/ssl/ssl-nss.c | 66 |
1 files changed, 1 insertions, 65 deletions
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
index 9501dbe410..cff738161a 100644
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -139,60 +139,10 @@ static gchar *get_error_text(void)
 return ret;
 }
-static const PRUint16 default_ciphers[] = {
-#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
- || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 1 )
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-# if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR > 15 ) \
- || ( NSS_VMAJOR == 3 && NSS_VMINOR == 15 && NSS_VPATCH >= 2 )
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-# endif
-#endif
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* deprecated (DSS) */
- /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, false }, // deprecated (DSS) */
-
- TLS_ECDHE_RSA_WITH_RC4_128_SHA, /* deprecated (RC4) */
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, /* deprecated (RC4) */
-
- /* RFC 6120 Mandatory */
- TLS_RSA_WITH_AES_128_CBC_SHA, /* deprecated (RSA key exchange) */
- TLS_RSA_WITH_AES_256_CBC_SHA, /* deprecated (RSA key exchange) */
- /* TLS_RSA_WITH_3DES_EDE_CBC_SHA, deprecated (RSA key exchange, 3DES) */
-
- 0 /* end marker */
-};
-
-/* It's unfortunate we need to manage these manually,
- * ideally NSS would choose good defaults.
- * This is mostly based on FireFox's list:
- * https://hg.mozilla.org/mozilla-central/log/default/security/manager/ssl/src/nsNSSComponent.cpp */
 static void ssl_nss_init_ciphers(void) {
- /* Disable any ciphers that NSS might have enabled by default */
 const PRUint16 *cipher;
- for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
- SSL_CipherPrefSetDefault(*cipher, PR_FALSE);
- }
-
- /* Now only set SSL/TLS ciphers we knew about at compile time */
- for (cipher = default_ciphers; *cipher != 0; ++cipher) {
- SSL_CipherPrefSetDefault(*cipher, PR_TRUE);
- }
- /* Now log the available and enabled Ciphers */
+ /* Log the available and enabled Ciphers */
 for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) {
 const PRUint16 suite = *cipher;
 SECStatus rv;
@@ -246,20 +196,6 @@ ssl_nss_init_nss(void)
 "0x%04hx through 0x%04hx\n", supported.min, supported.max);
 purple_debug_info("nss", "TLS versions allowed by default: "
 "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
-
- /* Make sure all versions of TLS supported by the local library are enabled. (For some reason NSS doesn't enable newer versions of TLS by default -- more context in ticket #15909.) */
- if (supported.max > enabled.max) {
- enabled.max = supported.max;
- if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
- purple_debug_info("nss", "Changed allowed TLS versions to "
- "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
- } else {
- purple_debug_error("nss", "Error setting allowed TLS versions to "
- "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
- }
- }
 }
 #endif /* NSS >= 3.14 */
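Review bot: With the allow-list gone, ssl_nss_init_ciphers no longer sets any cipher preference, so the suites libpurple will negotiate are whatever the linked NSS build enables by default, which varies with the NSS version and, on some platforms, with a system-wide NSS policy; nothing in the new code records that this is intentional. The function now only logs, and a maintainer reading it could reasonably re-add an explicit list, reintroducing the version-dependent table this commit removes. I'd replace the added `/* Log the available and enabled Ciphers */` with a header comment stating the contract, e.g. `/* Cipher suite selection is deliberately left to NSS's defaults (and any system-wide NSS policy); this function only logs which suites are implemented and which are enabled. */`. The remaining logging loop is worth keeping as the one runtime record of the effective policy; it continues past the end of the hunk.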
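Review bot: Removing the supported.max > enabled.max fix-up means that on an NSS build whose default range stops below the newest protocol version it supports, libpurple will now quietly negotiate the older version; the hunk leaves only two info-level log lines, and the commit does not state the minimum NSS version it now assumes. If the intent is to rely on NSS defaults, the old condition is still worth keeping as a warning so the gap stays visible in debug output, e.g. `if (supported.max > enabled.max) purple_debug_warning("nss", "TLS versions above 0x%04hx are supported but not enabled by default\n", enabled.max);`. The enclosing ssl_nss_init_nss starts outside the hunk, and the trailing `#endif /* NSS >= 3.14 */` suggests this path is only compiled for NSS 3.14 and later.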