Let's drop support for NSS!

Mark Doliner mark at kingant.net
Sun Sep 14 13:36:02 EDT 2014


Another strike against NSS:
- TLS 1.1 and 1.2 aren't enabled by default. It's easy for us to enable
them (and I recently committed code to release-2.x.y and master that does
this), but we shouldn't HAVE to. The sane default is for TLS 1.1 and
1.2 to be enabled.

While I have some sympathy for people who care about FIPS 140-2, I feel
like it should only factor into this decision a very small amount. For one
thing I don't recall seeing anyone talk about Pidgin and FIPS
certification. It's hard to determine how important this is without hearing
from people who care about it. So I'm inclined not to give it much weight,
since it seems silly to give a lot of weight to something that might not
matter at all.

Also I think we should be very selfish with our time. Aside from Tomasz and
the 2013 summer of code students, development on Pidgin has been very slow.
We clearly don't have a lot of development hours. I'd prefer if we didn't
spend those hours maintaining superfluous functionality. If there are
people who care a lot about FIPS certification then they should either
contribute development time to maintain our nss ssl plugin or they should
pay for GnuTLS to become FIPS certified.

Looks like FIPS certification is mostly required by some parts of the US
government? Or is it more widespread than that?

I see something that implies that FIPS requires disabling SSL 3 and
disabling non-FIPS compliant ciphers [1], which makes me think that all
released versions of Pidgin aren't FIPS compliant because SSL 3 was always
enabled.

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FIPS_Mode_-_an_explanation#How_does_this_affect_Firefox_users.3F
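The first point above is that a TLS library's default protocol range cannot be trusted: an application has to set the range it wants and verify it. The following is an added example written for this discussion, not Pidgin's code and not the NSS plugin it mentions; it uses Python's standard ssl module as a stand-in for an NSS-style version-range API, and the function names (pin_version_range, audit_version_range, the two make_* helpers) are made up here.

```python
import ssl
from ssl import TLSVersion
from typing import List

# Protocol versions a current client should refuse, whatever the library
# happens to enable by default (SSL 3 and TLS 1.0/1.1 are all legacy today).
LEGACY_VERSIONS = (TLSVersion.SSLv3, TLSVersion.TLSv1, TLSVersion.TLSv1_1)


def pin_version_range(ctx: ssl.SSLContext,
                      minimum: TLSVersion = TLSVersion.TLSv1_2,
                      maximum: TLSVersion = TLSVersion.MAXIMUM_SUPPORTED) -> ssl.SSLContext:
    """Set the protocol range explicitly instead of trusting library defaults.

    This is the Python equivalent of calling an NSS-style "set version range"
    function at startup, which is the fix the mail describes committing.
    """
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    return ctx


def audit_version_range(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means the range is acceptable."""
    findings = []
    lo = ctx.minimum_version
    # MINIMUM_SUPPORTED means "whatever the library allows", which on an old or
    # permissive build can include SSL 3 and TLS 1.0; treat it like a legacy floor.
    if lo == TLSVersion.MINIMUM_SUPPORTED or lo in LEGACY_VERSIONS:
        findings.append(f"minimum_version is {lo.name}; legacy protocols may be negotiated")
    hi = ctx.maximum_version
    # A ceiling below TLS 1.2 means modern versions can never be negotiated,
    # which is the NSS-default situation the mail complains about.
    if hi != TLSVersion.MAXIMUM_SUPPORTED and hi < TLSVersion.TLSv1_2:
        findings.append(f"maximum_version is {hi.name}; TLS 1.2 and later can never be negotiated")
    return findings


def make_pinned_context() -> ssl.SSLContext:
    """A client context whose range was set explicitly by the application."""
    return pin_version_range(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))


def make_library_default_context() -> ssl.SSLContext:
    """A client context that leaves the floor to the library (constructed for contrast)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for label, ctx in (("pinned", make_pinned_context()),
                       ("library default", make_library_default_context())):
        print(f"{label}: {ctx.minimum_version.name} .. {ctx.maximum_version.name}")
        for finding in audit_version_range(ctx) or ["ok"]:
            print("  -", finding)
```

Running the audit against the context you actually hand to the socket layer, rather than against what the documentation says the default is, is the check that would have caught the NSS behaviour described above.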