Your message dated Mon, 23 Nov 2020 20:19:56 +0800
with message-id <[email protected]>
and subject line Re: libnss3: Handshake failed (-12251) with Pidgin since
2:3.58-1
has caused the Debian Bug report #972713,
regarding libnss3: Handshake failed (-12251) with Pidgin since 2:3.58-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
972713: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972713
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnss3
Version: 2:3.58-1
Severity: important
Control: affects -1 pidgin
libnss3 since 2:3.58-1 has broken TLS negotiation in Pidgin. There are
several reports (see the latest message in #790610 and the #973566 report
against pidgin). This is probably severity: serious against Pidgin,
although not against libnss3.
When attempting to connect to any site using TLS, pidgin produces the
following debug errors:
  (19:22:57) jabber: Recv (177): <?xml version='1.0'?><stream:stream id='11199403237636114117' version='1.0' xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' from='eyrie.org' xmlns='jabber:client'>
  (19:22:57) jabber: Recv (107): <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
  (19:22:57) jabber: Sending ([email protected]/Laptop): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  (19:22:57) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  (19:22:57) nss: Handshake failed (-12251)
  (19:22:57) connection: Connection error on 0x55e195efa1a0 (reason: 5 description: SSL Handshake Failed)
  (19:22:57) account: Disconnecting account [email protected]/Laptop (0x55e195e7fd00)
This happens with Google's servers as well, so it's very unlikely to be
a TLS misconfiguration. The above is against my own server, which is
running ejabberd from Debian stable. The server side logs the following:
  2020-11-10 19:22:57.419 [warning] <0.6129.1>@ejabberd_c2s:process_terminated:285 (tls|<0.6129.1>) Failed to secure c2s connection: TLS failed: SSL_do_handshake failed: error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message
The server is using OpenSSL (1.1.1d from Debian stable).
I'm not sure if this is a bug in libnss3 or in how pidgin is calling it,
but downgrading to libnss3 2:3.56-1 fixes the problem.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'unstable-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.9.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libnss3 depends on:
ii libc6 2.31-4
ii libnspr4 2:4.29-1
ii libsqlite3-0 3.33.0-1
libnss3 recommends no packages.
libnss3 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 2:3.59-1
On Thu, 22 Oct 2020 16:41:54 -0600 Kevin Locke wrote:
> After installing libnss3 2:3.58-1, pidgin is unable to connect to (any?)
> services using TLS.
This is now fixed in unstable and testing:
nss (2:3.59-1) unstable; urgency=medium
* New upstream release. Fixes: #972713.
* debian/libnss3.symbols: Add NSS_3.59/NSSUTIL_3.59 symbol version.
-- Mike Hommey <[email protected]> Wed, 18 Nov 2020 07:26:57 +0900
--
bye,
pabs
https://wiki.debian.org/PaulWise
--- End Message ---