clone 1078468 -1
reassign -1 libpurple0
forwarded -1 https://issues.imfreedom.org/issue/PIDGIN-17886/Certificate-verification-errors-with-NSS-3.103
thanks

See the discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1913047

On Sun, Aug 11, 2024 at 12:53:20PM +1000, James Tocknell wrote:
> Package: libnss3
> Version: 2:3.103-1
> Severity: important
>
> Dear Maintainer,
>
> Something is wrong with how libnss3 is verifying chains.
>
> I first noticed this with pidgin with irc.oftc.net, but I can reproduce this
> without needing pidgin (hence I don't think this is a pidgin bug).
> Interestingly, Firefox (and I presume Thunderbird, but haven't checked this)
> is unaffected.
>
> To see this issue, run (I'm using Google here as I'd expect them to have the
> chains correctly set up, and for any breakage to be noticed really quickly,
> but other systems give the same error):
>
> $ vfyserv -c google.com -p 443
>
> which gives
>
> Connecting to host google.com (addr 142.250.76.110) on port 443
> Cert file cert.000 was created.
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. CN=*.google.com :
> ERROR -8179: Peer's Certificate issuer is not recognized.
> CN=WR2,O=Google Trust Services,C=US
> Error in function PR_Write: -8179
> - Peer's Certificate issuer is not recognized.
>
> OpenSSL seems to have no issues either, with
>
> $ openssl s_client -showcerts -connect google.com:443
> Connecting to 142.250.204.14
> CONNECTED(00000003)
> depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
> verify return:1
> depth=1 C=US, O=Google Trust Services, CN=WR2
> verify return:1
> depth=0 CN=*.google.com
> verify return:1
>
> being the start of the response from OpenSSL.
>
> I think this is a recent regression, but I haven't tested older versions of
> libnss3.
>
> I've also set this as important, given at least some clients are having no
> issues, but feel free to change the severity as needed.
>
> Regards
> James
>
>
> -- System Information:
> Debian Release: trixie/sid
> APT prefers unstable-debug
> APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 6.10.3-amd64 (SMP w/12 CPU threads; PREEMPT)
> Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8), LANGUAGE=en_AU:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages libnss3 depends on:
> ii libc6 2.39-6
> ii libnspr4 2:4.35-1.1+b1
> ii libsqlite3-0 3.46.0-1
>
> libnss3 recommends no packages.
>
> libnss3 suggests no packages.
>
> -- no debconf information