void initNSS(const SslOptions& options, bool server) { SslOptions::global = options; if (options.certPasswordFile.empty()) { PK11_SetPasswordFunc(promptForPassword); } else { PK11_SetPasswordFunc(readPasswordFromFile); } NSS_CHECK(NSS_Init(options.certDbPath.c_str())); if (options.exportPolicy) { NSS_CHECK(NSS_SetExportPolicy()); } else { NSS_CHECK(NSS_SetDomesticPolicy()); } if (server) { //use defaults for all args, TODO: may want to make this configurable SSL_ConfigServerSessionIDCache(0, 0, 0, 0); } // disable SSLv2 and SSLv3 versions of the protocol - they are // no longer considered secure SSLVersionRange drange, srange; // default and supported ranges const uint16_t tlsv1 = 0x0301; // Protocol version for TLSv1.0 NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &drange)); NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &srange)); if (drange.min < tlsv1) { drange.min = tlsv1; NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange)); } if (srange.max > drange.max) { drange.max = srange.max; NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange)); } }
static void ssl_nss_init_nss(void) { #if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 ) SSLVersionRange supported, enabled; #endif /* NSS >= 3.14 */ PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); NSS_NoDB_Init("."); NSS_SetDomesticPolicy(); SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1); SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 1); SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_256_CBC_SHA, 1); SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_RC4_128_SHA, 1); SSL_CipherPrefSetDefault(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1); SSL_CipherPrefSetDefault(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1); SSL_CipherPrefSetDefault(SSL_RSA_WITH_RC4_128_SHA, 1); SSL_CipherPrefSetDefault(TLS_RSA_WITH_AES_128_CBC_SHA, 1); SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 1); SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 1); SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1); SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1); #if NSS_VMAJOR > 3 || ( NSS_VMAJOR == 3 && NSS_VMINOR >= 14 ) /* Get the ranges of supported and enabled SSL versions */ if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) && (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) { purple_debug_info("nss", "TLS supported versions: " "0x%04hx through 0x%04hx\n", supported.min, supported.max); purple_debug_info("nss", "TLS versions allowed by default: " "0x%04hx through 0x%04hx\n", enabled.min, enabled.max); /* Make sure SSL 3.0 is disabled (it's old and everyone should be using at least TLS 1.0 by now), and make sure all versions of TLS supported by the local library are enabled (for some reason NSS doesn't enable newer versions of TLS by default -- more context in ticket #15909). */ if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) { enabled.max = supported.max; if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) { purple_debug_info("nss", "Changed allowed TLS versions to " "0x%04hx through 0x%04hx\n", enabled.min, enabled.max); } else { purple_debug_error("nss", "Error setting allowed TLS versions to " "0x%04hx through 0x%04hx\n", enabled.min, enabled.max); } } } #endif /* NSS >= 3.14 */ /** Disable OCSP Checking until we can make that use our HTTP & Proxy stuff */ CERT_EnableOCSPChecking(PR_FALSE); _identity = PR_GetUniqueIdentity("Purple"); _nss_methods = PR_GetDefaultIOMethods(); }