Bug#790610: libnss3: "SSL handshake failed" in Pidgin: nss: Handshake failed (-12173)

Ruud van Melick ruud at vanmelick.com
Tue Jun 30 10:23:37 UTC 2015


Package: libnss3
Version: 2:3.19.1-2
Severity: important

Dear Maintainer,

   * What led up to the situation?

I'm using the IM-client Pidgin to connect to jabber.xs4all.nl (XMPP).
This worked without problems for years. Starting about a month ago I could
no longer connect and got an error message "SSL Handshake Failed".

The debug window in Pidgin (2.10.11-1) shows:

(12:11:26) proxy: Connected to jabber.xs4all.nl:5222.
(12:11:26) jabber: Sending (***@jabber.xs4all.nl/Home): <?xml version='1.0' ?>
(12:11:26) jabber: Sending (***@jabber.xs4all.nl/Home): <stream:stream to='jabber.xs4all.nl' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(12:11:26) jabber: Recv (189): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="jabber.xs4all.nl" id="****" xml:lang="en" version="1.0">
(12:11:26) jabber: Recv (297): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism>CRAM-MD5</mechanism></mechanisms></stream:features>
(12:11:26) jabber: Sending (***@jabber.xs4all.nl/Home): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(12:11:26) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(12:11:26) nss: Handshake failed  (-12173)

That happens when I have libnss3(-1d) 2:3.19.1-2 or 2:3.19.2-1 installed.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I downgraded libnss3(-1d) to version 2:3.19-1

   * What was the outcome of this action?

With libnss 2:3.19-1 it works normally, giving the following debug info in Pidgin:

[...]
(12:18:22) jabber: Sending (***@jabber.xs4all.nl/Home): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(12:18:22) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(12:18:22) nss: SSL version 3.1 using 128-bit AES with 160-bit SHA1 MAC
Server Auth: 2048-bit RSA, Key Exchange: 768-bit DHE, Compression: NULL
Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
(12:18:22) nss: subject=CN=*.xs4all.nl,OU=Domain Control Validated - Power
Server ID,OU=See www.geotrust.com/resources/cps
(c)10,OU=GT59386789,O=*.xs4all.nl,C=NL,serialNumber=jiHNH1-2gSw60JIZI6vLZwxPRwgRSK8x
issuer=OU=Equifax Secure Certificate Authority,O=Equifax,C=US
(12:18:22) nss: subject=OU=Equifax Secure Certificate
Authority,O=Equifax,C=US issuer=OU=Equifax Secure Certificate
Authority,O=Equifax,C=US

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnss3 depends on:
ii  libc6         2.19-18
ii  libnspr4      2:4.10.8-2
ii  libnspr4-0d   2:4.10.8-2
ii  libsqlite3-0  3.8.10.2-1
ii  zlib1g        1:1.2.8.dfsg-2+b1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information
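
Added example for triage, not part of the original report and not code from Pidgin or NSS: a small parser that reads the `nss:` lines of a Pidgin debug log, names the failure code, and flags an ephemeral DH key below the floor. It assumes that -12173 is NSS's SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY (SSL_ERROR_BASE + 115 in sslerr.h) and that NSS 3.19.1 and later reject finite-field keys under 1023 bits; the function and variable names are hypothetical.

```python
import re

# Assumption: name taken from NSS's sslerr.h (SSL_ERROR_BASE -12288 + 115).
NSS_ERRORS = {-12173: "SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY"}
# Assumption: minimum finite-field key size accepted by NSS >= 3.19.1.
MIN_DH_BITS = 1023

FAIL_RE = re.compile(r"nss: Handshake failed\s+\((-?\d+)\)")
KEX_RE = re.compile(r"Key Exchange: (\d+)-bit (\w+)")

# Log excerpts copied from the report above.
FAILED_LOG = "(12:11:26) nss: Handshake failed  (-12173)\n"
WORKING_LOG = (
    "(12:18:22) nss: SSL version 3.1 using 128-bit AES with 160-bit SHA1 MAC\n"
    "Server Auth: 2048-bit RSA, Key Exchange: 768-bit DHE, Compression: NULL\n"
    "Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA\n"
)
# Constructed line for comparison: a server offering a 2048-bit DHE group.
STRONG_LOG = "Server Auth: 2048-bit RSA, Key Exchange: 2048-bit DHE, Compression: NULL\n"


def triage(log_text):
    """Return a list of findings from the nss lines of a Pidgin debug log."""
    findings = []
    for code in FAIL_RE.findall(log_text):
        code = int(code)
        findings.append({"type": "handshake_failed", "code": code,
                         "name": NSS_ERRORS.get(code, "unknown")})
    for bits, kex in KEX_RE.findall(log_text):
        bits = int(bits)
        # Only finite-field DHE is checked here; ECDHE sizes are not comparable.
        if kex == "DHE" and bits < MIN_DH_BITS:
            findings.append({"type": "weak_dhe", "bits": bits,
                             "minimum": MIN_DH_BITS})
    return findings


if __name__ == "__main__":
    for label, log in (("failed", FAILED_LOG), ("working", WORKING_LOG),
                       ("strong", STRONG_LOG)):
        print(label, triage(log))
```

Under those assumptions, the 768-bit DHE group visible in the working log matches the failure code seen with the newer package; the remedy on the server side is a larger DH group or an ECDHE suite.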


