adium 2735:a84d7da4ebde: Remove elliptic curve ciphers from the ...

commits at adium.im commits at adium.im
Fri Oct 16 18:43:30 UTC 2009


details:	http://hg.adium.im/adium/rev/a84d7da4ebde
revision:	2735:a84d7da4ebde
author:		Andrew Wellington <proton at adium.im>
date:		Tue Oct 06 12:49:53 2009 +1100

Remove elliptic curve ciphers from the cipher list, as they cause a number of XMPP servers to break. This is the same cipher set that Mac OS X 10.5 used, and the same as 10.6 without the EC ciphers.

Reviewed by sholt.  Fixes #12913

diffs (53 lines):

diff -r 6c883e681d52 -r a84d7da4ebde Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c
--- a/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c	Fri Oct 16 11:14:37 2009 -0400
+++ b/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c	Tue Oct 06 12:49:53 2009 +1100
@@ -330,6 +330,49 @@
 		return;
     }
     
+    /*
+     * Disable ciphers that confuse some servers
+     */
+    SSLCipherSuite ciphers[27] = {
+        TLS_RSA_WITH_AES_128_CBC_SHA,
+        SSL_RSA_WITH_RC4_128_SHA,
+        SSL_RSA_WITH_RC4_128_MD5,
+        TLS_RSA_WITH_AES_256_CBC_SHA,
+        SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+        SSL_RSA_WITH_3DES_EDE_CBC_MD5,
+        SSL_RSA_WITH_DES_CBC_SHA,
+        SSL_RSA_EXPORT_WITH_RC4_40_MD5,
+        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
+        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+        TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+        TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+        TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+        SSL_DHE_DSS_WITH_DES_CBC_SHA,
+        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+        TLS_DH_anon_WITH_AES_128_CBC_SHA,
+        TLS_DH_anon_WITH_AES_256_CBC_SHA,
+        SSL_DH_anon_WITH_RC4_128_MD5,
+        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
+        SSL_DH_anon_WITH_DES_CBC_SHA,
+        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
+        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
+        SSL_RSA_WITH_NULL_MD5,
+    };
+    err = (OSStatus)SSLSetEnabledCiphers(cdsa_data->ssl_ctx, ciphers, sizeof(ciphers) / sizeof(SSLCipherSuite));
+    if (err != noErr) {
+        purple_debug_error("cdsa", "SSLSetEnabledCiphers failed\n");
+        if (gsc->error_cb != NULL)
+            gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED,
+                       gsc->connect_cb_data);
+
+        purple_ssl_close(gsc);
+        return;
+    }
+    
     if(gsc->host) {
         /*
          * Set the peer's domain name so CDSA can check the certificate's CN
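Review bot: The explicit list passed to `SSLSetEnabledCiphers` still enables suites that give no server authentication or effectively no confidentiality: the seven `*_DH_anon_*` entries, the 40-bit `*_EXPORT_*` entries, the single-DES entries and `SSL_RSA_WITH_NULL_MD5`. Since the list is now maintained by hand rather than inherited from the OS default, I would drop those entries and keep the authenticated AES/3DES suites (plus RC4 only if server compatibility requires it). Anonymous DH suites carry no server certificate, so the peer-name check configured just below presumably cannot protect a session that negotiates one. Declaring the array as `SSLCipherSuite ciphers[] = {` and passing `sizeof(ciphers) / sizeof(ciphers[0])` keeps the count right when entries are removed; with the fixed `[27]`, any removed slot is zero-filled and still counted. The enclosing function starts and ends outside this hunk.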



