Patches
Published on 8 March, 2014
In the past weeks I have created some patches to enhance the SSL/TLS security level of some programs. This was done mostly out of interest but should also bring some security gain. The patches are mainly enabling/disabling some ciphers and/or changing the cipher ordering.
Thunderbird
At the time of writing no thunderbird version (currently thunderbird-24.3.0) supports "AES_GCM" ciphers and the "SHA2" hash algorithm. Although the NSS library which thunderbird uses already has this support implemented.
This patch adds the following ciphersuites in thunderbird:
- ECDHE_RSA_AES_128_GCM_SHA256
- ECDHE_RSA_AES_128_CBC_SHA256
- DHE_RSA_AES_128_GCM_SHA256
- DHE_RSA_AES_128_CBC_SHA256
It also disables all ciphersuites that are using RC4 or DSS by default. These can be reenabled in the thunderbird configuration. Also TLS1.1 and TLS1.2 is enabled, SSL3 is disabled.
Download: thunderbird-24.3.0-crypto.patch
Firefox
Beginning with Version 27, firefox has this changes already included. But I have made the same changes that I have done for thunderbird for firefox 24.3.0.
Download: firefox-24.3.0-crypto.patch
Chromium
Chromium has already enabled these more secure ciphersuites. But the patch below disables all cipersuites containing RC4 and DES/3DES. The cipher-order is also slightly changed to set RSA in front of ECDSA because i prefer RSA.
Chromium allows to connect to servers with weak prime numbers for Diffie-Hellman key exchange. This patch sets the minimal allowed length to 1024 Bit. Otherwise chromium will show an error page.
This patch is made for chromium-33.0 which has a bug which leads to a crash when a short DH key is used by the server. Therefore the following changes should be made when using an affected version: net_error.h
Download: chromium-33.0-crypto.patch
