nss vs gnutls - how does Pidgin choose?

Michael McConville mmcconville at mykolab.com
Mon Jul 20 15:40:27 EDT 2015


On Mon, Jul 20, 2015 at 02:51:56PM -0400, Kevin Kretz wrote:
> I've got Openfire XMPP servers running on two different networks.
> Today I noticed that Linux users on one network were getting an SSL
> Handshake error when trying to connect Pidgin to the Openfire server.
> 
> I also saw that mozilla-nss packages were updated over the weekend.
> Our Linux systems have both mozilla-nss and gnutls libraries
> installed; moving purple's ssl-nss.so library seemed to make Pidgin
> instead use gnutls, and SSL connections worked.

Interesting, I usually hear this the other way around (i.e. there are
usually strange failures in GnuTLS).

> The weird part: the other network has identical versions of Linux,
> Openfire, Pidgin (OpenSUSE's 2.10.10), and the same recently updated
> mozilla-nss. But when I tested Pidgin on a few hosts on *that*
> network, it worked.  When I moved the ssl-gnutls.so file on one of
> those hosts, I got the same SSL Handshake error that the users on the
> other network saw. If I moved both ssl-gnutls.so and ssl-nss.so,
> Pidgin reported that there was no SSL available (as expected).  So on
> one network, Pidgin appears to prefer nss - and on the other, gnutls.

> How does Pidgin/purple choose which to use if both are available?

If I recall correctly:

	* GnuTLS is the default on Linux (can be changed with configure
	  flags)
	* NSS is the default on Windows
	* both get compiled in if they're available

Looking at configure.ac should answer this more specifically, if you're
familiar with autoconf:

	https://hg.pidgin.im/pidgin/main/file/136a5e95a1ad/configure.ac

I'm not sure what's causing the difference you're seeing.


