Package: pidgin
Version: 2.13.0-2+b1
Followup-For: Bug #973566

For me, the same error "SSL Handshake Failed" started happening with pidgin 2.13.0-2+b1 on Debian Buster about a week ago.

Interestingly, one TLS XMPP account works just fine, but another TLS XMPP account (on jabber.fsfe.org) started failing. So it is not that the whole of XMPP is broken in Pidgin.

Interestingly enough, I can still use other TLS XMPP clients (like the Android client "Conversations v2.9.6+FCR" from f-droid.org) to connect to that jabber.fsfe.org server just fine, so it is not an issue that the FSFE XMPP server is broken for all clients, either.

With "pidgin -d", when pressing reconnect, it fails and prints:

(17:16:46) jabber: Sending (redac...@jabber.fsfe.org/redacted): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(17:16:46) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(17:16:46) nss: Handshake failed (-12286)
(17:16:46) connection: Connection error on 0x557f6ad65f00 (reason: 5 description: SSL Handshake Failed)

Searching the web for "nss: Handshake failed (-12286)" finds https://github.com/fchat-pidgin/fchat-pidgin/issues/156#issuecomment-305260240 which says it means "SSL_ERROR_NO_CYPHER_OVERLAP", which is somewhat more informative.

I've also managed to use "wireshark" to see Pidgin tries to use TLS 1.2 (why not 1.3? It seems supported in Buster otherwise?), and that seems to fail when trying to connect to the jabber.fsfe.org XMPP server (I've contacted FSFE).

Manually verifying in shell seems to confirm this case to be a combination of a jabber.fsfe.org configuration issue of only supporting TLS 1.3, and a Buster Pidgin issue of not supporting TLS 1.3:

% openssl s_client -connect jabber.fsfe.org:5222 -starttls xmpp -servername jabber.fsfe.org -tls1_3

works, but

% openssl s_client -connect jabber.fsfe.org:5222 -starttls xmpp -servername jabber.fsfe.org -tls1_2

fails with:

CONNECTED(00000003)
140641803256960:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40

So, probably not a bug in Pidgin (although I do hope Pidgin will support TLS1.3 in Bullseye? right?)

I'm writing this anyway so any other poor soul that gets such an error can try to narrow down what the problem is.

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=hr_HR.UTF-8, LC_CTYPE=hr_HR.UTF-8 (charmap=UTF-8), LANGUAGE=hr_HR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages pidgin depends on:
ii  libatk1.0-0                    2.30.0-2
ii  libc6                          2.28-10
ii  libcairo2                      1.16.0-4+deb10u1
ii  libdbus-1-3                    1.12.20-0+deb10u1
ii  libdbus-glib-1-2               0.110-4
ii  libfontconfig1                 2.13.1-2
ii  libfreetype6                   2.9.1-3+deb10u2
ii  libgadu3                       1:1.12.2-3
ii  libgdk-pixbuf2.0-0             2.38.1+dfsg-1
ii  libglib2.0-0                   2.58.3-2+deb10u2
ii  libgstreamer1.0-0              1.14.4-1
ii  libgtk2.0-0                    2.24.32-3
ii  libgtkspell0                   2.0.16-1.2
ii  libice6                        2:1.0.9-2
ii  libpango-1.0-0                 1.42.4-8~deb10u1
ii  libpangocairo-1.0-0            1.42.4-8~deb10u1
ii  libpangoft2-1.0-0              1.42.4-8~deb10u1
ii  libpurple0                     2.13.0-2+b1
ii  libsm6                         2:1.2.3-1
ii  libx11-6                       2:1.6.7-1+deb10u1
ii  libxss1                        1:1.2.3-1
ii  perl-base [perlapi-5.28.0]     5.28.1-6+deb10u1
ii  pidgin-data                    2.13.0-2

Versions of packages pidgin recommends:
ii  gstreamer1.0-libav             1.15.0.1+git20180723+db823502-2
ii  gstreamer1.0-plugins-base      1.14.4-2
ii  gstreamer1.0-plugins-good      1.14.4-1
ii  gstreamer1.0-pulseaudio        1.14.4-1

Versions of packages pidgin suggests:
ii  libsqlite3-0                   3.27.2-3+deb10u1

-- no debconf information
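
The manual check from the report above, as an added example that is not part of the original message: a POSIX sh script that runs the same two "openssl s_client" probes against an XMPP host and classifies each result. The function names are illustrative, and port 5222 and the openssl flags are the ones used in the report.

```shell
#!/bin/sh
# Added example, not from the original report.
# Usage: sh probe.sh <xmpp-host>   (without an argument it only defines functions)

# Read "openssl s_client" output on stdin; print accepted, rejected or unknown.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"alert handshake failure"*|*"alert protocol version"*|*"Cipher is (NONE)"*)
            echo rejected ;;
        *"New, TLSv1"*"Cipher is "*)
            echo accepted ;;
        *)
            echo unknown ;;   # e.g. DNS failure, refused connection, unsupported flag
    esac
}

# $1 = XMPP host, $2 = version flag such as -tls1_2 or -tls1_3
probe_tls_version() {
    openssl s_client -connect "$1:5222" -starttls xmpp -servername "$1" "$2" \
        </dev/null 2>&1 | classify_handshake
}

# $1 = TLS 1.2 result, $2 = TLS 1.3 result
diagnose() {
    case "$1/$2" in
        rejected/accepted) echo "TLS 1.2 refused, TLS 1.3 accepted: a client capped at TLS 1.2 will fail" ;;
        accepted/rejected) echo "TLS 1.2 accepted, TLS 1.3 refused" ;;
        accepted/accepted) echo "both accepted: compare cipher suites or check the client" ;;
        rejected/rejected) echo "both refused: check the server's TLS configuration" ;;
        *)                 echo "inconclusive: a probe did not reach a TLS handshake" ;;
    esac
}

if [ -n "${1:-}" ]; then
    r12=$(probe_tls_version "$1" -tls1_2)
    r13=$(probe_tls_version "$1" -tls1_3)
    echo "TLS 1.2: $r12"
    echo "TLS 1.3: $r13"
    diagnose "$r12" "$r13"
fi
```

A "rejected/accepted" result matches the situation in the report, where the NSS error -12286 appears on the client side.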