Bug#972713: libnss3: Handshake failed (-12251) with Pidgin since 2:3.58-1

2020-10-30 Thread Michael Stone
I had the same problem, as also discussed in 
https://bugs.archlinux.org/task/68357


The workaround in that thread worked for me as well. (Using the NSS 
Preferences plugin to change the maximum TLS version to 1.2.) It seems 
something is causing issues if TLS 1.3 is permitted; there is some 
discussion of proposed patches.




Bug#972713: libnss3: Handshake failed (-12251) with Pidgin since 2:3.58-1

2020-10-29 Thread Adrian Immanuel Kiess
Package: libnss3
Version: 2:3.58-1
Followup-For: Bug #972713

Dear Maintainer,

I can confirm that Pidgin from Debian/testing, as of today, 29 Oct 2020, won't
connect to any SSL/TLS service.

I get the following error:

(10:56:34) jabber: Recv (50): 
(10:56:34) nss: Handshake failed  (-12251)
(10:56:34) connection: Connection error on 0x562eeeab97a0 (reason: 5
description: Échec de la poignée de main SSL)

running Pidgin with the debug option (-d).

The server side, a Prosody server running on Debian/testing too, says this:

Oct 29 10:56:34 c2s560b80857610 info Client connected
Oct 29 10:56:34 c2s560b80857610 info Client disconnected: ssl handshake
error: sslv3 alert unexpected message

As I found this bug report, which is related to my problem, NSS seems to be the
issue here.

Thank you for reading this.

Sincerely,

Adrian Kieß



-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to fr_FR.UTF-8), LANGUAGE=fr:de:en:ru
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnss3 depends on:
ii  libc6 2.31-4
ii  libnspr4  2:4.29-1
ii  libsqlite3-0  3.33.0-1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information
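
Added example, not part of the original report: a small triage script that pairs the client-side "nss: Handshake failed" lines from a Pidgin debug log with the server-side Prosody "ssl handshake error" lines seen at the same time, as the message above does by hand. The sample log text is constructed, modelled on the lines quoted in this thread; the function names, the 2-second window and the assumption that both hosts have synchronised clocks (matching is by time of day only, since Pidgin's debug output carries no date) are choices made for this example.

```python
import re

# Constructed sample input, modelled on the log lines quoted in this report.
PIDGIN_DEBUG = """\
(10:56:34) jabber: Recv (50):
(10:56:34) nss: Handshake failed  (-12251)
(10:56:34) connection: Connection error on 0x562eeeab97a0 (reason: 5 description: SSL Handshake Failed)
(11:02:10) nss: Handshake failed  (-12251)
(11:02:10) connection: Connection error on 0x562eeeab9900 (reason: 5 description: SSL Handshake Failed)
"""
PROSODY_LOG = """\
Oct 29 10:56:34 c2s560b80857610 info Client connected
Oct 29 10:56:34 c2s560b80857610 info Client disconnected: ssl handshake error: sslv3 alert unexpected message
Oct 29 10:58:00 c2s560b80857999 info Client connected
"""

# Client side: "(HH:MM:SS) nss: Handshake failed  (<NSS error code>)"
NSS_FAIL = re.compile(r"^\((\d\d:\d\d:\d\d)\) nss: Handshake failed\s+\((-\d+)\)")
# Server side: "<Mon> <day> HH:MM:SS <session> <level> Client disconnected: ssl handshake error: <alert>"
SRV_FAIL = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) (\S+)\s+\w+\s+"
                      r"Client disconnected: ssl handshake error: (.+)$")

def to_seconds(hms):
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s

def client_failures(text):
    """Return (time, nss_error_code) for every NSS handshake failure."""
    return [(m.group(1), int(m.group(2)))
            for m in map(NSS_FAIL.match, text.splitlines()) if m]

def server_failures(text):
    """Return (time, session_id, alert_text) for every server-side handshake error."""
    return [m.groups() for m in map(SRV_FAIL.match, text.splitlines()) if m]

def correlate(client_text, server_text, window=2):
    """Pair each client failure with server errors within `window` seconds.
    Does not handle a pair that straddles midnight."""
    servers = server_failures(server_text)
    report = []
    for when, code in client_failures(client_text):
        hits = [(sid, alert) for ts, sid, alert in servers
                if abs(to_seconds(ts) - to_seconds(when)) <= window]
        report.append({"time": when, "nss_error": code, "server": hits})
    return report

if __name__ == "__main__":
    for row in correlate(PIDGIN_DEBUG, PROSODY_LOG):
        print(row)
```

A client failure with an empty `server` list means the handshake broke against some other server, or the server's log did not record it.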


Bug#972713: libnss3: Handshake failed (-12251) with Pidgin since 2:3.58-1

2020-10-23 Thread Russ Allbery
Package: libnss3
Version: 2:3.58-1
Followup-For: Bug #972713

I'm seeing the same problem when connecting to a stock buster ejabberd server
with a Let's Encrypt certificate and no special TLS configuration.  Something
definitely changed between 2:3.56-1 and 2:3.58-1 and I'm dubious it's poor TLS
configuration (although it's possible it's related to versions of TLS
libraries).  ejabberd appears to use the buster OpenSSL libssl for its side of
the connection.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'unstable-debug'), (500, 'testing'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-1-amd64 (SMP w/12 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnss3 depends on:
ii  libc6 2.31-4
ii  libnspr4  2:4.29-1
ii  libsqlite3-0  3.33.0-1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information



Bug#972713: libnss3: Handshake failed (-12251) with Pidgin since 2:3.58-1

2020-10-23 Thread Kevin Locke
forwarded 972713 https://bugzilla.mozilla.org/1672703
thanks

On Thu, 2020-10-22 at 16:41 -0600, Kevin Locke wrote:
> Downgrading to 2:3.56-1 resolves the issue.  I have opened
> https://bugzilla.mozilla.org/1672855 to investigate the issue with NSS
> upstream.

Somehow I had missed that https://bugzilla.mozilla.org/1672703 was
already open to track this issue.  A fix is in development on that
issue.

Cheers,
Kevin



Bug#972713: libnss3: Handshake failed (-12251) with Pidgin since 2:3.58-1

2020-10-22 Thread Kevin Locke
Package: libnss3
Version: 2:3.58-1
Severity: important
Tags: upstream
Forwarded: https://bugzilla.mozilla.org/1672855
X-Debbugs-Cc: ste.calleg...@tiscali.it

Dear Maintainer,

After installing libnss3 2:3.58-1, pidgin is unable to connect to (any?)
services using TLS.  The issue occurs on all services I tested,
including: IRC (chat.freenode.net), XMPP (talk.google.com), Discord
(gateway.discord), and AIM (slogin.oscar.aol.com). Relevant output from
pidgin --debug:

nss: Handshake failed  (-12251)
connection: Connection error on 0x55f37b4e6880 (reason: 5 description: SSL 
Handshake Failed)
account: Disconnecting account m...@example.com (0x55f37a78c4b0)
connection: Disconnecting connection 0x55f37b4e6880
connection: Destroying connection 0x55f37b4e6880

Downgrading to 2:3.56-1 resolves the issue.  I have opened
https://bugzilla.mozilla.org/1672855 to investigate the issue with NSS
upstream.

Cheers,
Kevin

Note: Although the "Handshake failed" is similar to
https://bugs.debian.org/790610, I think this is a different issue caused
by a specific commit rather than the weak FFDHE group causing the issue
in that bug.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (990, 'testing-debug'), (990, 'testing'), (500, 
'unstable-debug'), (500, 'unstable'), (101, 'experimental'), (1, 
'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnss3 depends on:
ii  libc6 2.31-4
ii  libnspr4  2:4.28-1
ii  libsqlite3-0  3.33.0-1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information