Bug#790610: libnss3: "SSL handshake failed" in Pidgin: nss: Handshake failed (-12173)
Ruud van Melick
ruud at vanmelick.com
Tue Jun 30 10:23:37 UTC 2015
Package: libnss3
Version: 2:3.19.1-2
Severity: important
Dear Maintainer,
* What led up to the situation?
I'm using the IM-client Pidgin to connect to jabber.xs4all.nl (XMPP).
This worked without problems for years. Starting about a month ago I could
no longer connect and got an error message "SSL Handshake Failed".
The debug window in Pidgin (2.10.11-1) shows:
(12:11:26) proxy: Connected to jabber.xs4all.nl:5222.
(12:11:26) jabber: Sending (***@jabber.xs4all.nl/Home): <?xml version='1.0' ?>
(12:11:26) jabber: Sending (***@jabber.xs4all.nl/Home): <stream:stream to='jabber.xs4all.nl' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(12:11:26) jabber: Recv (189): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="jabber.xs4all.nl" id="****" xml:lang="en" version="1.0">
(12:11:26) jabber: Recv (297): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism>CRAM-MD5</mechanism></mechanisms></stream:features>
(12:11:26) jabber: Sending (***@jabber.xs4all.nl/Home): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(12:11:26) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(12:11:26) nss: Handshake failed (-12173)
That happens when I have libnss3(-1d) 2:3.19.1-2 or 2:3.19.2-1 installed
* What exactly did you do (or not do) that was effective (or
ineffective)?
I downgraded libnss3(-1d) to version 2:3.19-1
* What was the outcome of this action?
With libnss 2:3.19-1 works normal, giving the following debug info in Pidgin:
[...]
(12:18:22) jabber: Sending (***@jabber.xs4all.nl/Home): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(12:18:22) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(12:18:22) nss: SSL version 3.1 using 128-bit AES with 160-bit SHA1 MAC
Server Auth: 2048-bit RSA, Key Exchange: 768-bit DHE, Compression: NULL
Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
(12:18:22) nss: subject=CN=*.xs4all.nl,OU=Domain Control Validated - Power
Server ID,OU=See www.geotrust.com/resources/cps
(c)10,OU=GT59386789,O=*.xs4all.nl,C=NL,serialNumber=jiHNH1-2gSw60JIZI6vLZwxPRwgRSK8x
issuer=OU=Equifax Secure Certificate Authority,O=Equifax,C=US
(12:18:22) nss: subject=OU=Equifax Secure Certificate
Authority,O=Equifax,C=US issuer=OU=Equifax Secure Certificate
Authority,O=Equifax,C=US
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libnss3 depends on:
ii libc6 2.19-18
ii libnspr4 2:4.10.8-2
ii libnspr4-0d 2:4.10.8-2
ii libsqlite3-0 3.8.10.2-1
ii zlib1g 1:1.2.8.dfsg-2+b1
libnss3 recommends no packages.
libnss3 suggests no packages.
-- no debconf information
More information about the pkg-mozilla-maintainers
mailing list