Package: libnss3
Version: 2:3.103-1
Severity: important

Dear Maintainer,

Something is wrong with how libnss3 is verifying chains.

I first noticed this with pidgin with irc.oftc.net, but I can reproduce this
without needing pidgin (hence I don't think this is a pidgin bug).
Interestingly, Firefox (and I presume Thunderbird, but haven't checked this)
is unaffected.

To see this issue, run (I'm using Google here as I'd expect them to have the
chains correctly set up, and for any breakage to be noticed really quickly, but
other systems give the same error):

$ vfyserv -c google.com -p 443

which gives

Connecting to host google.com (addr 142.250.76.110) on port 443
Cert file cert.000 was created.
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=*.google.com :
  ERROR -8179: Peer's Certificate issuer is not recognized.
    CN=WR2,O=Google Trust Services,C=US
Error in function PR_Write: -8179
 - Peer's Certificate issuer is not recognized.

OpenSSL seems to have no issues either, with

$ openssl s_client -showcerts -connect google.com:443
Connecting to 142.250.204.14
CONNECTED(00000003)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=*.google.com
verify return:1

being the start of the response from OpenSSL.

I think this is a recent regression, but I haven't tested older versions of
libnss3.

I've also set this as important, given at least some clients are having no
issues, but feel free to change the severity as needed.

Regards
James


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.10.3-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnss3 depends on:
ii  libc6         2.39-6
ii  libnspr4      2:4.35-1.1+b1
ii  libsqlite3-0  3.46.0-1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information