RE: Pidgin cannot connect to amessage.de using TLS secured XMPP

Tue, 06 May 2008 17:06:08 -0700 

Hi!

I think I just discovered why Pidgin suddenly fails to connect to
amessage.de (and maybe other XMPP servers) with an "SSL Handshake"
error. My Pidgin (2.4.1 from Ubuntu Hardy) uses the libnss SSL library
which only has weak ciphers activated by default:
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1084747

The amessage.de server is not satisfied with the ciphers enabled by
default and aborts the SSL/TLS handshake. You can inspect this with
Wireshark by choosing "Decode As.." from the context menu of one of the
connection packages and then selecting "SSL". On amessage.de, you have
to skip over to the "SSL Client Hello", where Pidgin claims to only
support some weak ciphers.

The attached patch also enables the strong ciphers and now it works
again! But please consider that this may break other SSL connections,
the new "SSL Client Hello" message does not look SSLv2-compatible any
more.

BTW, there is already a bug on this issue, but I did not see it appear
until Pidgin 2.4.1: http://developer.pidgin.im/ticket/1435


Kind Regards,
Marcus

--- libpurple/plugins/ssl/ssl-nss.c.orig	2008-05-07 01:42:07.193334866 +0200
+++ libpurple/plugins/ssl/ssl-nss.c	2008-05-07 01:04:04.721498216 +0200
@@ -139,6 +139,18 @@
 	SECMOD_AddNewModule("Builtins", lib, 0, 0);
 	g_free(lib);
 	NSS_SetDomesticPolicy();
+	SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_256_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_RC4_128_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_SHA, 1);
+	SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_128_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
+	SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
 
 	_identity = PR_GetUniqueIdentity("Purple");
 	_nss_methods = PR_GetDefaultIOMethods();

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil

_______________________________________________
Support mailing list
Support@pidgin.im
http://pidgin.im/cgi-bin/mailman/listinfo/support

Reply via email to