regarding pidgin's support for NSS

Kai Engert kaie at
Tue Sep 16 15:54:23 EDT 2014

(cannot reply in other thread, just subscribed now)

datallah told me that you consider to drop NSS.

I personally think that NSS is the better library, with more complete
feature set.

An area where NSS is better is when finding a trust path for server

Just to give you an example, the upstream Mozilla CA list is currently
removing old 1024 bit root CA certificates.

Unfortunately, many thousand servers are configured to send out multiple
intermediate certificates, where the topmost intermediate points to one
of the old, removed Verisign CA 1024-bit certificates. Verisign/Symantec
said there are still too many certificates used by customers, valid for
another few years, it's unrealistic to expect that all customers will
reconfigure their servers.

What happens if the old Verisign root gets removed/untrusted?

GnuTLS insists that it must follow the chain sent by the server, cannot
find a trusted root for the topmost intermediate, and rejects the server
certificate. Error, no connection.

NSS is smarter. If it cannot find a trust chain using the topmost
intermediate, it will look at the second-top-most intermediate. And that
will succeeded, because a newer CA certificate has been added to the
root CA list, which will match, and the connections works.

If you go to GnuTLS, you will suffer pain during future phasing out of
old, weak, no longer supported CA certificates, by experiencing failure
in connectivity. Or unless GnuTLS gets fixed, which I have no idea
whether that will happen.


More information about the Devel mailing list