regarding pidgin's support for NSS

David Woodhouse dwmw2 at
Tue Sep 16 18:34:13 EDT 2014

On Tue, 2014-09-16 at 22:34 +0200, Kai Engert wrote:
> Update, I just found a bug that has filed just today, where someone
> complains about this exact problem with the latest root CA list (version
> 2.1, as shipped with Firefox 32, NSS 3.16.4), and being unable to
> connect using gnutls-cli.
> I've added a comment explaining the situation.


I also asked Nikos about it, since I don't quite understand *how* we can
'make up' a viable trust chain if the specified one isn't valid (as I
commented in the bug).

He asked me to forward the following response since I'm not subscribed
to the list:

On Tue, 2014-09-16 at 23:31 +0200, Nikos Mavrogiannopoulos wrote:
> > What happens if the old Verisign root gets removed/untrusted?
> > GnuTLS insists that it must follow the chain sent by the server,
> > cannot
> > find a trusted root for the topmost intermediate, and rejects the
> > server
> > certificate. Error, no connection.
> Hello Kai,
>  As you already know this is because the TLS protocol mandates that. The
> reason TLS implementations interoperate is because they follow a common
> protocol. NSS does not follow the protocol and in that particular case
> it seems it worked out, as by ignoring the whole chain sent by the
> server is able to construct one that works.
> > If you go to GnuTLS, you will suffer pain during future phasing out of
> > old, weak, no longer supported CA certificates, by experiencing
> > failure
> > in connectivity. Or unless GnuTLS gets fixed, which I have no idea
> > whether that will happen.
> To be honest I cannot be partial when discussing which TLS library to
> use and I'll leave that to people who have used both libraries to
> decide. However, claiming that if you remove CA certificates that
> popular web sites use, gnutls breaks, is plain FUD. As you know it
> breaks any TLS implementation (except NSS which didn't follow the
> protocol). In any case, even if you consider that an exceptional issue,
> it is already solved in gnutls' 3.3.x branch, as it reconstructs such
> chains if needed, so I wouldn't worry much.
> regards,
> Nikos


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <>

More information about the Devel mailing list