Hi Ruud-- Thanks for the report!
On Tue 2015-06-30 06:23:37 -0400, Ruud van Melick wrote:
> The debug window in Pidgin (2.10.11-1) shows:
>
> (12:11:26) proxy: Connected to jabber.xs4all.nl:5222.
> (12:11:26) jabber: Sending (***@jabber.xs4all.nl/Home): <?xml version='1.0' ?>
> (12:11:26) jabber: Sending (***@jabber.xs4all.nl/Home): <stream:stream
> to='jabber.xs4all.nl' xmlns='jabber:client'
> xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
> (12:11:26) jabber: Recv (189): <?xml version='1.0'
> encoding='UTF-8'?><stream:stream
> xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client"
> from="jabber.xs4all.nl" id="****" xml:lang="en" version="1.0">
> (12:11:26) jabber: Recv (297): <stream:features><starttls
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms
> xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism>CRAM-MD5</mechanism></mechanisms></stream:features>
> (12:11:26) jabber: Sending (***@jabber.xs4all.nl/Home): <starttls
> xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
> (12:11:26) jabber: Recv (50): <proceed
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
> (12:11:26) nss: Handshake failed (-12173)
>
> That happens when I have libnss3(-1d) 2:3.19.1-2 or 2:3.19.2-1 installed
>
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
>
> I downgraded libnss3(-1d) to version 2:3.19-1
>
>    * What was the outcome of this action?
>
> With libnss 2:3.19-1 works normal, giving the following debug info in Pidgin:
>
> [...]
> (12:18:22) jabber: Sending (***@jabber.xs4all.nl/Home): <starttls
> xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
> (12:18:22) jabber: Recv (50): <proceed
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
> (12:18:22) nss: SSL version 3.1 using 128-bit AES with 160-bit SHA1 MAC
> Server Auth: 2048-bit RSA, Key Exchange: 768-bit DHE, Compression: NULL
> Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> (12:18:22) nss: subject=CN=*.xs4all.nl,OU=Domain Control Validated - Power
> Server ID,OU=See www.geotrust.com/resources/cps
> (c)10,OU=GT59386789,O=*.xs4all.nl,C=NL,serialNumber=jiHNH1-2gSw60JIZI6vLZwxPRwgRSK8x
> issuer=OU=Equifax Secure Certificate Authority,O=Equifax,C=US
> (12:18:22) nss: subject=OU=Equifax Secure Certificate
> Authority,O=Equifax,C=US issuer=OU=Equifax Secure Certificate
> Authority,O=Equifax,C=US

jabber.xs4all.nl is using a weak FFDHE group (with a 768 bit modulus) for their TLS connections. They need to fix this on their server; they're not offering you the secure connection you thought you were getting (see https://weakdh.org/).

I'm looking for a contact at xs4all.nl to point this out to. If you know anyone there, or have an account with them, you should point them to this ticket (https://bugs.debian.org/790610) as a start.

Regards,

        --dkg
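Added example (not part of the original message, and not Pidgin or NSS code): a small Python check over Pidgin debug output that flags both outcomes seen in this report, a handshake rejected with NSS error -12173 and a handshake that completed over a DHE group below a chosen minimum. The log text and host names are constructed, the 2048-bit threshold is an assumption, and -12173 is taken to be NSS's SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY.

```python
import re

MIN_DHE_BITS = 2048   # assumption: smallest DHE modulus accepted by local policy
NSS_WEAK_DH = -12173  # NSS SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY

# Constructed sample, modelled on the debug lines quoted in the report.
SAMPLE_LOG = """\
(12:11:26) proxy: Connected to jabber.example.net:5222.
(12:11:26) nss: Handshake failed (-12173)
(12:18:22) proxy: Connected to jabber.example.net:5222.
(12:18:22) nss: SSL version 3.1 using 128-bit AES with 160-bit SHA1 MAC
Server Auth: 2048-bit RSA, Key Exchange: 768-bit DHE, Compression: NULL
Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
(12:20:05) proxy: Connected to chat.example.org:5222.
(12:20:05) nss: SSL version 3.3 using 128-bit AES-GCM with 128-bit AEAD MAC
Server Auth: 2048-bit RSA, Key Exchange: 2048-bit DHE, Compression: NULL
Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
"""

CONNECT = re.compile(r"proxy: Connected to ([^\s:]+):(\d+)")
FAILED = re.compile(r"nss: Handshake failed \((-?\d+)\)")
KEYEX = re.compile(r"Key Exchange: (\d+)-bit (\w+)")


def audit(log, min_bits=MIN_DHE_BITS):
    """Return (host, finding) tuples for weak or rejected DHE handshakes."""
    findings, host = [], None
    for line in log.splitlines():
        if m := CONNECT.search(line):
            host = m.group(1)  # remember which server the next nss lines refer to
        elif m := FAILED.search(line):
            # Newer libnss3 refuses the handshake instead of negotiating.
            if int(m.group(1)) == NSS_WEAK_DH:
                findings.append((host, "handshake rejected: weak server DH key"))
        elif m := KEYEX.search(line):
            bits, kind = int(m.group(1)), m.group(2)
            # Older libnss3 connects anyway; the log is the only warning.
            if kind == "DHE" and bits < min_bits:
                findings.append((host, f"negotiated {bits}-bit DHE (< {min_bits})"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(SAMPLE_LOG):
        print(f"{host}: {finding}")
```
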

