adium-1.4 2609:63a2af2e3e41: Remove elliptic curve ciphers from ...

commits at adium.im commits at adium.im
Tue Oct 6 02:51:32 UTC 2009 

details:	http://hg.adium.im/adium-1.4/rev/63a2af2e3e41
revision:	2609:63a2af2e3e41
author:		Andrew Wellington <proton at adium.im>
date:		Tue Oct 06 12:49:53 2009 +1100

Remove elliptic curve ciphers from the cipher list as it causes a number of XMPP servers to break. This is the same cipher set that Mac OS X 10.5 used, and the same as 10.6 without the EC ciphers.

Reviewed by sholt.  Fixes #12913

diffs (53 lines):

diff -r b688c1962004 -r 63a2af2e3e41 Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c
--- a/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c	Fri Sep 11 14:32:40 2009 -0400
+++ b/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c	Tue Oct 06 12:49:53 2009 +1100
@@ -330,6 +330,49 @@
 		return;
     }
     
+    /*
+     * Disable ciphers that confuse some servers
+     */
+    SSLCipherSuite ciphers[27] = {
+        TLS_RSA_WITH_AES_128_CBC_SHA,
+        SSL_RSA_WITH_RC4_128_SHA,
+        SSL_RSA_WITH_RC4_128_MD5,
+        TLS_RSA_WITH_AES_256_CBC_SHA,
+        SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+        SSL_RSA_WITH_3DES_EDE_CBC_MD5,
+        SSL_RSA_WITH_DES_CBC_SHA,
+        SSL_RSA_EXPORT_WITH_RC4_40_MD5,
+        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
+        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+        TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+        TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+        TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+        SSL_DHE_DSS_WITH_DES_CBC_SHA,
+        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+        TLS_DH_anon_WITH_AES_128_CBC_SHA,
+        TLS_DH_anon_WITH_AES_256_CBC_SHA,
+        SSL_DH_anon_WITH_RC4_128_MD5,
+        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
+        SSL_DH_anon_WITH_DES_CBC_SHA,
+        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
+        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
+        SSL_RSA_WITH_NULL_MD5,
+    };
+    err = (OSStatus)SSLSetEnabledCiphers(cdsa_data->ssl_ctx, ciphers, sizeof(ciphers) / sizeof(SSLCipherSuite));
+    if (err != noErr) {
+        purple_debug_error("cdsa", "SSLSetEnabledCiphers failed\n");
+        if (gsc->error_cb != NULL)
+            gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED,
+                       gsc->connect_cb_data);
+
+        purple_ssl_close(gsc);
+        return;
+    }
+    
     if(gsc->host) {
         /*
          * Set the peer's domain name so CDSA can check the certificate's CN

More information about the commits mailing list