Hi! I think I just discovered why Pidgin suddenly fails to connect to amessage.de (and maybe other XMPP servers) with an "SSL Handshake" error. My Pidgin (2.4.1 from Ubuntu Hardy) uses the libnss SSL library, which only has weak ciphers activated by default: http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1084747
The amessage.de server is not satisfied with the ciphers enabled by default and aborts the SSL/TLS handshake. You can inspect this with Wireshark by choosing "Decode As..." from the context menu of one of the connection packets and then selecting "SSL". On amessage.de, you have to skip over to the "SSL Client Hello", where Pidgin claims to only support some weak ciphers. The attached patch also enables the strong ciphers, and now it works again! But please consider that this may break other SSL connections; the new "SSL Client Hello" message does not look SSLv2-compatible any more.

BTW, there is already a bug on this issue, but I did not see it appear until Pidgin 2.4.1: http://developer.pidgin.im/ticket/1435

Kind Regards, Marcus
--- libpurple/plugins/ssl/ssl-nss.c.orig 2008-05-07 01:42:07.193334866 +0200 +++ libpurple/plugins/ssl/ssl-nss.c 2008-05-07 01:04:04.721498216 +0200 @@ -139,6 +139,18 @@ SECMOD_AddNewModule("Builtins", lib, 0, 0); g_free(lib); NSS_SetDomesticPolicy(); + SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1); + SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1); + SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_256_CBC_SHA, 1); + SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_RC4_128_SHA, 1); + SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1); + SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1); + SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_SHA, 1); + SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_128_CBC_SHA, 1); + SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1); + SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1); + SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1); + SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1); _identity = PR_GetUniqueIdentity("Purple"); _nss_methods = PR_GetDefaultIOMethods();
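Review bot: the last two added lines enable SSL_DHE_RSA_WITH_DES_CBC_SHA and SSL_DHE_DSS_WITH_DES_CBC_SHA, i.e. single DES with a 56-bit key, which contradicts the stated aim of turning on the strong ciphers; drop those two lines, and consider leaving the three RC4 entries (TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA) out as well so the patch only widens the offer towards AES and 3DES. The SECStatus returned by each SSL_CipherPrefSetDefault() call is discarded; a suite that the linked NSS build does not know will fail silently, so compare against SECSuccess and log via purple_debug_error() on failure. Twelve copy-pasted calls right after NSS_SetDomesticPolicy() are also hard to review and maintain; a static array of suite IDs walked in a loop, with a comment explaining why the defaults are insufficient, would make the intent clearer.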
signature.asc (Description: This is a digitally signed message part)
_______________________________________________ Support mailing list Support@pidgin.im http://pidgin.im/cgi-bin/mailman/listinfo/support
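The message above suggests reading the cipher list out of the "SSL Client Hello" in Wireshark. The following is an added example, not code from the Pidgin project or from the mail, that does the same thing offline: it builds a minimal TLS 1.0 ClientHello record from a constructed suite list, parses the cipher_suites vector back out, and flags single DES, export-grade, RC4 and NULL suites as weak. The cipher-suite codes are the IANA registry values; the two sample offers (LEGACY_OFFER and STRONG_OFFER) are constructed for illustration and are not captured from Pidgin or amessage.de.

```python
"""Decode the cipher_suites list from a TLS ClientHello and flag weak suites."""
import os
import struct

# IANA cipher-suite codes (subset covering the suites discussed in the mail).
SUITE_NAMES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA",
}


def suite_name(code):
    return SUITE_NAMES.get(code, "UNKNOWN_0x%04X" % code)


def is_weak(name):
    """Single DES, export-grade, RC2/RC4 and NULL suites count as weak; 3DES is kept."""
    if "EXPORT" in name or "NULL" in name or "RC4" in name or "RC2" in name:
        return True
    return "DES_CBC" in name and "3DES" not in name


def build_client_hello(suites, version=(3, 1)):
    """Construct a minimal TLS 1.0 ClientHello record (constructed test input, no extensions)."""
    body = bytes(version) + os.urandom(32) + b"\x00"      # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)  # cipher_suites vector
    body += b"\x01\x00"                                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=client_hello, 24-bit length
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher-suite codes offered in a ClientHello record, in client preference order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                          # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def audit_client_hello(record):
    """Map each offered suite to (name, weak?) so a weak-only offer stands out."""
    return [(suite_name(c), is_weak(suite_name(c))) for c in parse_client_hello(record)]


# Constructed samples: a legacy-only offer and the AES/3DES set the patch wants enabled.
LEGACY_OFFER = [0x0004, 0x0005, 0x000A, 0x0009, 0x0003, 0x0006]
STRONG_OFFER = [0x0039, 0x0038, 0x0035, 0x0033, 0x0032, 0x002F, 0x0016, 0x0013]

if __name__ == "__main__":
    for label, offer in (("legacy", LEGACY_OFFER), ("strong", STRONG_OFFER)):
        print(label)
        for name, weak in audit_client_hello(build_client_hello(offer)):
            print("  %-40s %s" % (name, "WEAK" if weak else "ok"))
```

To apply this to a real capture, export the bytes of the ClientHello record from Wireshark and feed them to audit_client_hello(); a server that rejects the handshake after the ClientHello will usually have refused because every suite in that list came back flagged.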