nss vs gnutls - how does Pidgin choose?

Kevin Kretz kevin at rentec.com
Mon Jul 20 15:55:18 EDT 2015

Sorry, top-replying web-based e-mail.

Thanks for the info.  All the Pidgin instances came from the same RPM so their compile options are the same.  Really baffling.  If I figure it out I'll follow up.

----- Original Message -----
From: "Michael McConville" <mmcconville at mykolab.com>
To: "Kevin Kretz" <kevin at rentec.com>
Cc: support at pidgin.im
Sent: Monday, July 20, 2015 3:40:27 PM
Subject: Re: nss vs gnutls - how does Pidgin choose?

On Mon, Jul 20, 2015 at 02:51:56PM -0400, Kevin Kretz wrote:
> I've got Openfire XMPP servers running on two different networks.
> Today I noticed that linux users on one network were getting an SSL
> Handshake error when trying to connect Pidgin to the Openfire server.
> I also saw that mozilla-nss packages were updated over the weekend.
> Our linux systems have both mozilla-nss and gnutls libraries
> installed; moving purple's ssl-nss.so library seemed to make Pidgin
> instead use gnutls, and SSL connections worked.

Interesting, I usually hear this the other way around (i.e. there are
usually strange failures in GnuTLS).

> The weird part: the other network has identical versions of linux,
> openfire, pidgin (OpenSUSE's 2.10.10), and the same recently updated
> mozilla-nss. But when I tested pidgin on a few hosts on *that*
> network, it worked.  When I moved the ssl-gnutls.so file on one of
> those hosts, I got the same SSL Handshake error that the users on the
> other network saw. If I moved both ssl-gnutls.so and ssl-nss.so,
> Pidgin reported that there was no SSL available (as expected).  So on
> one network, Pidgin appears to prefer nss - and on the other, gnutls.

> How does Pidgin/purple choose which to use if both are available?

If I recall correctly:

	* GnuTLS is the default on Linux (can be changed with configure
	* NSS is the default on Windows
	* both get compiled in if they're available

Looking at configure.ac should answer this more specifically, if you're
familiar with autoconf:


I'm not sure what's causing the difference you're seeing.

More information about the Support mailing list