Let's drop support for NSS!
Elliott Sales de Andrade
qulogic at pidgin.im
Sun Sep 14 15:22:28 EDT 2014
A few years ago, I might have pointed to Fedora's efforts to standardize on
NSS. Nowadays, I'm not so sure whether that's one of their goals or not.
That being said, I wonder why we can't just use the TLS support in GLib? Do
we just not depend on a new enough version? Does it not provide everything
On Sep 14, 2014 1:36 PM, "Mark Doliner" <mark at kingant.net> wrote:
> Another strike against NSS:
> - TLS 1.1 and 1.2 aren't enabled by default. It's easy for us to enable
> them (and I recently committed code to release-2.x.y and master that does
> this), but we shouldn't HAVE to. The sane default is for TLS 1.1 and
> 1.2 to be enabled.
> While I have some sympathy for people who care about FIPS 140-2, I feel
> like it should only factor into this decision a very small amount. For one
> thing I don't recall seeing anyone talk about Pidgin and FIPS
> certification. It's hard to determine how important this is without hearing
> from people who care about it. So I'm inclined not to give it much weight,
> since it seems silly to give a lot of weight to something that might not
> matter at all.
> Also I think we should be very selfish with our time. Aside from Tomasz
> and the 2013 summer of code students, development on Pidgin has been very
> slow. We clearly don't have a lot of development hours. I'd prefer if we
> didn't spend those hours maintaining superfluous functionality. If there
> are people who care a lot about FIPS certification then they should either
> contribute development time to maintain our nss ssl plugin or they should
> pay for GnuTLS to become FIPS certified.
> Looks like FIPS certification is mostly required by some parts of the US
> government? Or is it more widespread than that?
> I see something that implies that FIPS requires disabling SSL 3 and
> disabling non-FIPS compliant ciphers, which makes me think that all
> released versions of Pidgin aren't FIPS compliant because SSL 3 was always