Package: libnss3
Version: 2:3.58-1
Severity: important
Control: affects -1 pidgin

libnss3 since 2:3.58-1 has broken TLS negotiation in Pidgin. There are several reports (see the latest message in #790610 and the #973566 report against pidgin). This is probably severity: serious against Pidgin, although not against libnss3.

When attempting to connect to any site using TLS, pidgin produces the following debug errors:

    (19:22:57) jabber: Recv (177): <?xml version='1.0'?><stream:stream id='11199403237636114117' version='1.0' xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' from='eyrie.org' xmlns='jabber:client'>
    (19:22:57) jabber: Recv (107): <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
    (19:22:57) jabber: Sending (ea...@eyrie.org/Laptop): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
    (19:22:57) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
    (19:22:57) nss: Handshake failed (-12251)
    (19:22:57) connection: Connection error on 0x55e195efa1a0 (reason: 5 description: SSL Handshake Failed)
    (19:22:57) account: Disconnecting account ea...@eyrie.org/Laptop (0x55e195e7fd00)

This happens with Google's servers as well, so it's very unlikely to be a TLS misconfiguration. The above is against my own server, which is running ejabberd from Debian stable. The server side logs the following:

    2020-11-10 19:22:57.419 [warning] <0.6129.1>@ejabberd_c2s:process_terminated:285 (tls|<0.6129.1>) Failed to secure c2s connection: TLS failed: SSL_do_handshake failed: error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message

The server is using OpenSSL (1.1.1d from Debian stable).

I'm not sure if this is a bug in libnss3 or in how pidgin is calling it, but downgrading to libnss3 2:3.56-1 fixes the problem.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'unstable-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnss3 depends on:
ii  libc6         2.31-4
ii  libnspr4      2:4.29-1
ii  libsqlite3-0  3.33.0-1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information