void initNSS(const SslOptions& options, bool server)
{
SslOptions::global = options;
if (options.certPasswordFile.empty()) {
PK11_SetPasswordFunc(promptForPassword);
} else {
PK11_SetPasswordFunc(readPasswordFromFile);
}
NSS_CHECK(NSS_Init(options.certDbPath.c_str()));
if (options.exportPolicy) {
NSS_CHECK(NSS_SetExportPolicy());
} else {
NSS_CHECK(NSS_SetDomesticPolicy());
}
if (server) {
//use defaults for all args, TODO: may want to make this configurable
SSL_ConfigServerSessionIDCache(0, 0, 0, 0);
}
// disable SSLv2 and SSLv3 versions of the protocol - they are
// no longer considered secure
SSLVersionRange drange, srange; // default and supported ranges
const uint16_t tlsv1 = 0x0301; // Protocol version for TLSv1.0
NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &drange));
NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &srange));
if (drange.min < tlsv1) {
drange.min = tlsv1;
NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
}
if (srange.max > drange.max) {
drange.max = srange.max;
NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
}
}
static void
ssl_nss_init_nss(void)
{
#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 )
SSLVersionRange supported, enabled;
#endif /* NSS >= 3.14 */
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
NSS_NoDB_Init(".");
NSS_SetDomesticPolicy();
SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1);
SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1);
SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_256_CBC_SHA, 1);
SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_RC4_128_SHA, 1);
SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1);
SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_SHA, 1);
SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_128_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
#if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 )
/* Get the ranges of supported and enabled SSL versions */
if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
(SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
purple_debug_info("nss", "TLS supported versions: "
"0x%04hx through 0x%04hx\n", supported.min, supported.max);
purple_debug_info("nss", "TLS versions allowed by default: "
"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
/* Make sure SSL 3.0 is disabled (it's old and everyone should be
using at least TLS 1.0 by now), and make sure all versions of TLS
supported by the local library are enabled (for some reason NSS
doesn't enable newer versions of TLS by default -- more context in
ticket #15909). */
if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) {
enabled.max = supported.max;
if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
purple_debug_info("nss", "Changed allowed TLS versions to "
"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
} else {
purple_debug_error("nss", "Error setting allowed TLS versions to "
"0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
}
}
}
#endif /* NSS >= 3.14 */
/** Disable OCSP Checking until we can make that use our HTTP & Proxy stuff */
CERT_EnableOCSPChecking(PR_FALSE);
_identity = PR_GetUniqueIdentity("Purple");
_nss_methods = PR_GetDefaultIOMethods();
}
