Let's drop support for NSS!

Elliott Sales de Andrade qulogic at pidgin.im
Sun Sep 14 15:22:28 EDT 2014


A few years ago, I might have pointed to Fedora's efforts to standardize on
NSS. Nowadays, I'm not so sure whether that's one of their goals or not.

That being said, I wonder why we can't just use the TLS support in GLib? Do
we just not depend on a new enough version? Does it not provide everything
we need?

--
Elliott
On Sep 14, 2014 1:36 PM, "Mark Doliner" <mark at kingant.net> wrote:

> Another strike against NSS:
> - TLS 1.1 and 1.2 aren't enabled by default. It's easy for us to enable
> them (and I recently committed code to release-2.x.y and master that does
> this), but we shouldn't HAVE to. The sane default is for TLS 1.1 and
> 1.2 to be enabled.
>
> While I have some sympathy for people who care about FIPS 140-2, I feel
> like it should only factor into this decision a very small amount. For one
> thing I don't recall seeing anyone talk about Pidgin and FIPS
> certification. It's hard to determine how important this is without hearing
> from people who care about it. So I'm inclined not to give it much weight,
> since it seems silly to give a lot of weight to something that might not
> matter at all.
>
> Also I think we should be very selfish with our time. Aside from Tomasz
> and the 2013 summer of code students, development on Pidgin has been very
> slow. We clearly don't have a lot of development hours. I'd prefer if we
> didn't spend those hours maintaining superfluous functionality. If there
> are people who care a lot about FIPS certification then they should either
> contribute development time to maintain our nss ssl plugin or they should
> pay for GnuTLS to become FIPS certified.
>
> Looks like FIPS certification is mostly required by some parts of the US
> government? Or is it more widespread than that?
>
> I see something that implies that FIPS requires disabling SSL 3 and
> disabling non-FIPS compliant ciphers [1], which makes me think that all
> released versions of Pidgin aren't FIPS compliant because SSL 3 was always
> enabled.
>
> [1]
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FIPS_Mode_-_an_explanation#How_does_this_affect_Firefox_users.3F