clone 1078468 -1
reassign -1 libpurple0
forwarded -1 https://issues.imfreedom.org/issue/PIDGIN-17886/Certificate-verification-errors-with-NSS-3.103
thanks

See the discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1913047

On Sun, Aug 11, 2024 at 12:53:20PM +1000, James Tocknell wrote:
> Package: libnss3
> Version: 2:3.103-1
> Severity: important
> 
> Dear Maintainer,
> 
> Something is wrong with how libnss3 is verifying chains.
> 
> I first noticed this with pidgin with irc.oftc.net, but I can reproduce this
> without needing pidgin (hence I don't think this is a pidgin bug).
> Interestingly, Firefox (and I presume Thunderbird, but haven't checked this)
> is unaffected.
> 
> To see this issue, run (I'm using Google here as I'd expect them to have the
> chains correctly set up, and for any breakage to be noticed really quickly, but
> other systems give the same error):
> 
> $ vfyserv -c google.com -p 443
> 
> which gives
> 
> Connecting to host google.com (addr 142.250.76.110) on port 443
> Cert file cert.000 was created.
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. CN=*.google.com :
>   ERROR -8179: Peer's Certificate issuer is not recognized.
>     CN=WR2,O=Google Trust Services,C=US
> Error in function PR_Write: -8179
>  - Peer's Certificate issuer is not recognized.
> 
> OpenSSL seems to have no issues either, with
> 
> $ openssl s_client -showcerts -connect google.com:443
> Connecting to 142.250.204.14
> CONNECTED(00000003)
> depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
> verify return:1
> depth=1 C=US, O=Google Trust Services, CN=WR2
> verify return:1
> depth=0 CN=*.google.com
> verify return:1
> 
> being the start of the response from OpenSSL.
> 
> I think this is a recent regression, but I haven't tested older versions of
> libnss3.
> 
> I've also set this as important, given at least some clients are having no
> issues, but feel free to change the severity as needed.
> 
> Regards
> James
> 
> 
> -- System Information:
> Debian Release: trixie/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 6.10.3-amd64 (SMP w/12 CPU threads; PREEMPT)
> Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8), LANGUAGE=en_AU:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages libnss3 depends on:
> ii  libc6         2.39-6
> ii  libnspr4      2:4.35-1.1+b1
> ii  libsqlite3-0  3.46.0-1
> 
> libnss3 recommends no packages.
> 
> libnss3 suggests no packages.
> 
> -- no debconf information
> 
