GnuTLS preferable to, and/or safer than, NSS?

Ethan Blanton elb at
Wed Sep 5 09:49:42 EDT 2012

Evangelos Foutras spake unto us the following wisdom:
> Would it be better for users' safety to use GnuTLS for SSL support

Not to our knowledge, no.

> The reason I'm asking is a report I got today [1], which links to a
> ticket on Pidgin's tracker [2]. This ticket points to certificate
> verification code which has been disabled using preprocessor
> directives. However, Pidgin appears to be doing its own verification
> by calling purple_certificate_verify() from within
> ssl_nss_handshake_cb().

The person who filed that ticket seems to have flown off the handle
without really understanding the situation.  Our understanding is that
the certificate verification using both GnuTLS and NSS is
substantially similar.

> If someone is knowledgeable in the SSL support code, it would be
> helpful for me to know the main advantages/disadvantages of the GnuTLS
> vs NSS implementations in Pidgin and which one is preferable. :)

This has changed over the years, but mostly depends on the
correctness, completeness, and stability of the GnuTLS and NSS
libraries themselves on various distributions.  At the moment, I
believe they are both pretty stable and usable.  I think there's a
stream restarting bug in GnuTLS that strikes some IRC users (although
I may have that backward), but I'm unaware of any serious flaws in
either library.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: Digital signature
URL: <>

More information about the Packagers mailing list