/pidgin/main: bd402b3a86f4: Manual merge release-2.x.y into master.
Mark Doliner
mark at kingant.net
Fri Sep 12 14:11:42 EDT 2014
Changeset: bd402b3a86f45d3c103602add10b17d95c710bba
Author: Mark Doliner <mark at kingant.net>
Date: 2014-09-12 11:11 -0700
Branch: default
URL: https://hg.pidgin.im/pidgin/main/rev/bd402b3a86f4
Description:
Manual merge release-2.x.y into master.
Only conflict was po/de.po. I think we shouldn't merge translations from
one branch to the other, so I didn't update de.po in master.
diffstat:
ChangeLog | 6 +++++-
libpurple/plugins/ssl/ssl-nss.c | 25 +++++++++++++++++++++++++
2 files changed, 30 insertions(+), 1 deletions(-)
diffs (65 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -74,6 +74,10 @@ version 3.0.0 (??/??/????):
was an offline message. (Flavius Anton) (#2497)
version 2.10.10 (?/?/?):
+ General:
+ * Allow and prefer TLS 1.2 and 1.1 when using libnss. (Elrond and
+ Ashish Gupta) (#15909)
+
libpurple3 compatibility:
* Encrypted account passwords are preserved until the new one is set.
* Fix loading Google Talk and Facebook XMPP accounts.
@@ -307,7 +311,7 @@ version 2.10.7 (02/13/2013):
this issue and suggesting solutions. (#15277)
* Updates to a number of dependencies, some of which have security
related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen
- for identifying the vulnerable libraries and to Dieter Verfaillie
+ for identifying the vulnerable libraries and to Dieter Verfaillie
for helping getting the libraries updated. (#14571, #15285, #15286)
* ATK 1.32.0-2
* Cyrus SASL 2.1.25
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -133,6 +133,8 @@ static gchar *get_error_text(void)
static void
ssl_nss_init_nss(void)
{
+ SSLVersionRange supported, enabled;
+
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
NSS_NoDB_Init(".");
NSS_SetDomesticPolicy();
@@ -150,6 +152,29 @@ ssl_nss_init_nss(void)
SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+ /* Get the ranges of supported and enabled SSL versions */
+ if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
+ (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
+ purple_debug_info("nss", "TLS supported versions: "
+ "0x%04hx through 0x%04hx\n", supported.min, supported.max);
+ purple_debug_info("nss", "TLS versions allowed by default: "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
+
+ /* Make sure all versions of TLS supported by the local library are
+ enabled. (For some reason NSS doesn't enable newer versions of TLS
+ by default -- more context in ticket #15909.) */
+ if (supported.max > enabled.max) {
+ enabled.max = supported.max;
+ if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
+ purple_debug_info("nss", "Changed allowed TLS versions to "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
+ } else {
+ purple_debug_error("nss", "Error setting allowed TLS versions to "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
+ }
+ }
+ }
+
_identity = PR_GetUniqueIdentity("Purple");
_nss_methods = PR_GetDefaultIOMethods();
}
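Review bot: Only `enabled.max` is raised in the `if (supported.max > enabled.max)` branch, so the lower bound of the range stays at whatever NSS ships as its default; on older NSS builds that may still be SSL 3.0, which leaves room for a protocol downgrade. Consider raising the floor in the same block before `SSL_VersionRangeSetDefault` is called, e.g. `if (enabled.min < SSL_LIBRARY_VERSION_TLS_1_0 && supported.max >= SSL_LIBRARY_VERSION_TLS_1_0) enabled.min = SSL_LIBRARY_VERSION_TLS_1_0;`, and calling the setter whenever either bound changed. The outer `if` also has no `else`, so a failure of `SSL_VersionRangeGetSupported` or `SSL_VersionRangeGetDefault` goes unlogged; a `purple_debug_error("nss", ...)` there would make a client stuck on the old default range diagnosable. ssl_nss_init_nss starts in the previous hunk and the lines between the two hunks are not shown, so this is based on the visible part of the function only.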