Bug 1232349 - the nss-3.19.0 update breaks pidgin's SSL negotiation on XMPP
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: pidgin
Version: 20
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-06-16 14:26 UTC by Ion Badulescu
Modified: 2015-06-30 01:39 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-30 01:39:00 UTC
Type: Bug
Embargoed:


Description Ion Badulescu 2015-06-16 14:26:11 UTC
Description of problem:
After upgrading nss to the latest available in yum (3.19.1), pidgin can no longer connect to XMPP servers over encrypted connections. Any attempt to enable such a connection fails immediately with the message "SSL Handshake failed". This particular server uses a certificate issued by an internal CA, and the internal CA certificate has been added to NSS as a trusted source anchor in /etc/pki/ca-trust/source/anchors.

I have strace logs of the failing handshake, but they're not particularly useful since it's all encrypted data.

empathy has no problem with the same server, although it also pulls in the nss libraries (as per strace).

Downgrading nss back to the previous version (3.18.0) fixes the problem.

Anecdotally, pidgin has no such trouble on Fedora 22 using nss 3.19.1. The big difference between Fedora 20 and Fedora 22 is pidgin's own version: 3.10.10 on f20, 3.10.11 on f21. Pidgin's changelog between those versions mentions 3 nss-related issues being fixed, so that's probably what makes it work with the new nss.

I know f20 is about to fall out of support, but breaking things just before the EOS deadline isn't cool... so it would be quite nice to get it fixed.

Version-Release number of selected component (if applicable):
pidgin 3.10.10
nss 3.19.1

How reproducible:
100%

Steps to Reproduce:
1. update nss to 3.19.1
2. restart pidgin
3. connect to SSL-enabled XMPP server

Actual results:
"SSL Handshake failed"

Expected results:
Endless online chatting.

Additional info:

Comment 2 Fedora Update System 2015-06-17 07:36:36 UTC
pidgin-2.10.11-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/pidgin-2.10.11-1.fc20

Comment 3 Jan Synacek 2015-06-17 07:37:24 UTC
Please, let me know if the new version solves your issue.

Comment 4 Daniel Fackrell 2015-06-17 21:57:12 UTC
I found this bug report yesterday because I was having this exact issue after updating nss. I installed the packages for the patch and restarted Pidgin, and was able to connect to SSL-encrypted Jabber servers again.

Thank you for your quick work on this!

Comment 5 Ion Badulescu 2015-06-19 13:34:57 UTC
(In reply to Jan Synacek from comment #3)
> Please, let me know if the new version solves your issue.

Confirmed, pidgin 3.10.11 solves the XMPP SSL negotiation issue when using nss 3.19.

Thanks!

Comment 6 Fedora Update System 2015-06-21 00:30:00 UTC
Package pidgin-2.10.11-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pidgin-2.10.11-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10177/pidgin-2.10.11-1.fc20
then log in and leave karma (feedback).

Comment 7 Fedora End Of Life 2015-06-30 01:39:00 UTC
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

