diff --git a/pidgin-2.5.8-nss-md2.patch b/pidgin-2.5.8-nss-md2.patch
new file mode 100644
index 0000000..d995dcd
--- /dev/null
+++ b/pidgin-2.5.8-nss-md2.patch
@@ -0,0 +1,27 @@
+Original Author: qulogic@pidgin.im
+Date: 2009-07-11T06:46:21
+Branch: im.pidgin.pidgin
+
+Modified files:
+ libpurple/plugins/ssl/ssl-nss.c
+
+ChangeLog:
+
+Enable the weaker MD2 and MD4 with RSA encryption signing algorithms that
+are now disabled in NSS 3.12.3. This allows signing in without errors on at
+least MSN, and some XMPP servers.
+
+============================================================
+--- libpurple/plugins/ssl/ssl-nss.c 54d9228e9319318b825b3aa486075d372e8cc8aa
++++ libpurple/plugins/ssl/ssl-nss.c 5d35e88f8d79d3e07316c324c55c30cec67a1aad
+@@ -152,6 +152,10 @@ ssl_nss_init_nss(void)
+ SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
+ SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
+
++ /* Enable some weaker algorithms for XMPP and MSN */
++ NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, NSS_USE_ALG_IN_CERT_SIGNATURE, 0);
++ NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION, NSS_USE_ALG_IN_CERT_SIGNATURE, 0);
++
+ _identity = PR_GetUniqueIdentity("Purple");
+ _nss_methods = PR_GetDefaultIOMethods();
+ }
diff --git a/pidgin.spec b/pidgin.spec
index b6de4ea..e76d56c 100644
--- a/pidgin.spec
+++ b/pidgin.spec
@@ -29,6 +29,7 @@
 %define perl_embed_separated 0
 %define api_docs 0
 %define krb4_removed 0
+%define nss_md2_disabled 0
 # RHEL4: Use ALSA aplay to output sounds because it lacks gstreamer
 %if 0%{?fedora} < 5
@@ -60,6 +61,10 @@
 %define perl_embed_separated 1
 %define api_docs 1
 %endif
+# F11+: New NSS (3.12.3) disables weaker MD2 algorithm
+%if 0%{?fedora} >= 10
+%define nss_md2_disabled 1
+%endif
 # F12+: krb4 removed
 %if 0%{?fedora} >= 12
 %define krb4_removed 1
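Review bot: In pidgin-2.5.8-nss-md2.patch, the two `NSS_SetAlgorithmPolicy(..., NSS_USE_ALG_IN_CERT_SIGNATURE, 0)` calls added to `ssl_nss_init_nss` change a process-wide NSS policy, so MD2- and MD4-with-RSA signatures become acceptable on every certificate chain this plugin validates, not only for MSN and XMPP as the comment says. The ChangeLog motivates this with sign-in errors on those services, but nothing visible here restricts the relaxation to trust anchors, so intermediate and leaf certificates signed with these broken hashes would presumably be accepted too; that trade-off deserves to be stated in the code. I would replace the comment with `/* Re-enables MD2/MD4-with-RSA certificate signatures for all connections made through this plugin (NSS policy is global); drop once the affected servers' chains no longer need them */`. The `SECStatus` results are also discarded, so a failed policy change is silent; logging when a call does not return `SECSuccess` would make the resulting sign-in errors diagnosable. Only the tail of `ssl_nss_init_nss` is visible in the inner hunk.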
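Review bot: In the pidgin.spec hunk at `@@ -60,6 +61,10 @@`, the added comment says `# F11+` but the condition is `%if 0%{?fedora} >= 10`, so `nss_md2_disabled` is also set on Fedora 10. One of the two is wrong: if Fedora 10 does ship NSS 3.12.3 the comment should read `# F10+: New NSS (3.12.3) disables weaker MD2 algorithm`, otherwise the test should be `>= 11`. This matters because the flag later gates both `BuildRequires: nss-devel >= 3.12.3` and `%patch100`, and the patch also touches MD4, which the comment does not mention.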
@@ -68,7 +73,7 @@
 Name: pidgin
 Version: 2.5.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and GPLv2 and MIT
 # GPLv2+ - libpurple, gnt, finch, pidgin, most prpls
 # GPLv2 - silc & novell prpls
@@ -103,6 +108,7 @@ Patch0: pidgin-NOT-UPSTREAM-2.5.3-reread-resolvconf.patch
 Patch1: pidgin-NOT-UPSTREAM-2.5.2-rhel4-sound-migration.patch
 ## Patches 100+: To be Included in Future Upstream
+Patch100: pidgin-2.5.8-nss-md2.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Summary: A Gtk+ based multiprotocol instant messaging client
@@ -125,7 +131,11 @@ BuildRequires: autoconf
 BuildRequires: libtool
 BuildRequires: startup-notification-devel
 BuildRequires: cyrus-sasl-devel
-BuildRequires: nss-devel
+%if %{nss_md2_disabled}
+BuildRequires: nss-devel >= 3.12.3
+%else
+BuildRequires: nss-devel
+%endif
 BuildRequires: gtk2-devel
 BuildRequires: gettext
 BuildRequires: intltool
@@ -140,7 +150,7 @@ BuildRequires: libxml2-devel
 BuildRequires: krb5-devel
 %endif
 # gtkspell integration (FC1+)
-BuildRequires: gtkspell-devel, aspell-devel
+BuildRequires: gtkspell-devel
 # Evolution integration (FC3+)
 BuildRequires: evolution-data-server-devel
 # SILC integration (FC3+)
@@ -349,6 +359,9 @@ echo "FEDORA=%{fedora} RHEL=%{rhel}"
 %endif
 ## Patches 100+: To be Included in Future Upstream
+%if %{nss_md2_disabled}
+%patch100 -p0 -b .nssmd2
+%endif
 # Our preferences
 cp %{SOURCE1} prefs.xml
@@ -585,6 +598,11 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 %changelog
+* Sat Jul 11 2009 Stu Tomlison 2.5.8-2
+- Backport patch from upstream to enable NSS to recognize root CA
+ certificates that use MD2 & MD4 algorithms in their signature, as
+ used by some MSN and XMPP servers
+
 * Sun Jun 28 2009 Warren Togami 2.5.8-1
 - 2.5.8 with several important bug fixes
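Review bot: The hunk at `@@ -140,7 +150,7 @@` drops `aspell-devel` from `BuildRequires: gtkspell-devel, aspell-devel`, which is unrelated to the NSS change and is not mentioned in the new `%changelog` entry. A line such as `- Drop aspell-devel BuildRequires` in the 2.5.8-2 entry (with the reason) would keep the package history accurate, or the change could go in its own commit.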