Your message dated Thu, 8 Jan 2026 13:29:27 -0500
with message-id 
<caaajcmboe8pagpg0nbxva9stpgb69nlawqyrmzkmaw7v+b3...@mail.gmail.com>
and subject line Re: Bug#1078468: libnss3: Fails to verify chain correctly 
(works on Firefox though)
has caused the Debian Bug report #1078468,
regarding libnss3: Fails to verify chain correctly (works on Firefox though)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1078468: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078468
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnss3
Version: 2:3.103-1
Severity: important

Dear Maintainer,

Something is wrong with how libnss3 is verifying chains.

I first noticed this with pidgin with irc.oftc.net, but I can reproduce this
without needing pidgin (hence I don't think this is a pidgin bug).
Interestingly, Firefox (and I presume Thunderbird, but haven't checked this)
is unaffected.

To see this issue, run (I'm using Google here as I'd expect them to have the
chains correctly set up, and for any breakage to be noticed really quickly, but
other systems give the same error):

$ vfyserv -c google.com -p 443

which gives

Connecting to host google.com (addr 142.250.76.110) on port 443
Cert file cert.000 was created.
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=*.google.com :
  ERROR -8179: Peer's Certificate issuer is not recognized.
    CN=WR2,O=Google Trust Services,C=US
Error in function PR_Write: -8179
 - Peer's Certificate issuer is not recognized.

OpenSSL seems to have no issues either, with

$ openssl s_client -showcerts -connect google.com:443
Connecting to 142.250.204.14
CONNECTED(00000003)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=*.google.com
verify return:1

being the start of the response from OpenSSL.

I think this is a recent regression, but I haven't tested older versions of
libnss3.

I've also set this as important, given at least some clients are having no
issues, but feel free to change the severity as needed.

Regards
James


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.10.3-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_AU.UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnss3 depends on:
ii  libc6         2.39-6
ii  libnspr4      2:4.35-1.1+b1
ii  libsqlite3-0  3.46.0-1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information

--- End Message ---
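
Added example, not part of the original report and not code from NSS or OpenSSL: a Python script that parses the vfyserv and openssl s_client outputs quoted in the report and shows where the two verifiers disagree. The sample text is taken from the report; the function names are hypothetical, and the DN comparison is a naive comma split that assumes no escaped commas in attribute values.

```python
import re

# Sample input: the two tool outputs as quoted in the bug report above.
VFYSERV_OUT = """\
Connecting to host google.com (addr 142.250.76.110) on port 443
Cert file cert.000 was created.
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=*.google.com :
  ERROR -8179: Peer's Certificate issuer is not recognized.
    CN=WR2,O=Google Trust Services,C=US
"""
OPENSSL_OUT = """\
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=*.google.com
verify return:1
"""

def dn_key(dn):
    """Order-insensitive DN key, so NSS and OpenSSL renderings compare equal."""
    return frozenset(p.strip() for p in dn.split(",") if p.strip())

def nss_failures(text):
    """Return (cert_index, subject, error_code, dn_printed_under_error) tuples."""
    pat = re.compile(
        r"^CERT (\d+)\. (.+?) :\n\s+ERROR (-\d+): .*\n\s+(\S.*)$", re.M)
    return [(int(i), s, int(e), d) for i, s, e, d in pat.findall(text)]

def openssl_verified(text):
    """Map DN key -> depth for each chain entry followed by 'verify return:1'."""
    pat = re.compile(r"^depth=(\d+) (.+)\nverify return:1$", re.M)
    return {dn_key(dn): int(depth) for depth, dn in pat.findall(text)}

def compare(vfy_text, ossl_text):
    """For each NSS failure, report the depth at which OpenSSL accepted that DN
    (None if OpenSSL did not verify a certificate with that DN)."""
    accepted = openssl_verified(ossl_text)
    return [{"cert": i, "subject": s, "nss_error": e, "dn": d,
             "openssl_depth": accepted.get(dn_key(d))}
            for i, s, e, d in nss_failures(vfy_text)]

if __name__ == "__main__":
    for row in compare(VFYSERV_OUT, OPENSSL_OUT):
        print(row)
```

On the report's data this pairs the DN NSS rejects for CERT 0 (CN=WR2) with the certificate OpenSSL accepts at depth 1 under GTS Root R1.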
--- Begin Message ---
Version: 2.14.14-1

--- End Message ---
