[fixed upstream] SSL handshake fails after nss upgrade

(I have resolved this problem on my own, but I report it here in case anyone else experiences a similar problem.)

After a recent system upgrade, pidgin displays this error while connecting to an XMPP server:

Failed to complete SSL handshake

The culprit is this upgrade:

upgraded nss (3.57-1 → 3.58-1)

I resolved the problem by temporarily downgrading nss to the previous version:

sudo pacman -U /var/cache/pacman/pkg/nss-3.57-1-x86_64.pkg.tar.zst

Then in /etc/pacman.conf I added this line:

IgnorePkg = nss

Confirming that upgrades of nss are suspended, pacman reports:

nss: ignoring package upgrade (3.57-1 => 3.58-1)

pidgin now connects normally to the XMPP server.

I’ll wait for a newer version of nss and try the upgrade again.

2 Likes
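The pin described in the post above is easy to forget once the fixed package ships. As an added example (not part of the original post), this lists what a pacman.conf-style file holds back via IgnorePkg, so a temporary hold on a TLS library like nss can be found and removed. The function names and the sample config are constructed for illustration.

```shell
# Added example: audit IgnorePkg pins in a pacman.conf-style file.
# Function names are hypothetical; the sample config below is constructed.

ignored_pkgs() {
    # $1: path to the config file. Prints one pinned package per line.
    awk '
        /^[[:space:]]*#/ { next }                  # skip commented-out lines
        /^[[:space:]]*IgnorePkg[[:space:]]*=/ {
            sub(/^[^=]*=/, "")                     # drop the "IgnorePkg =" prefix
            n = split($0, a, /[[:space:]]+/)       # entries are space-separated
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
    ' "$1" | sort -u
}

is_pinned() {
    # $1: config file, $2: package name. Exit status 0 if the name is pinned.
    # Exact-name match only; glob patterns in IgnorePkg are not expanded here.
    ignored_pkgs "$1" | grep -Fxq -- "$2"
}

sample_conf() {
    # Constructed sample: one commented-out pin, two active IgnorePkg lines.
    cat <<'EOF'
[options]
#IgnorePkg = linux
IgnorePkg = nss
IgnorePkg   = foo bar
EOF
}

# Demo run against the constructed sample.
conf=$(mktemp)
sample_conf > "$conf"
ignored_pkgs "$conf"
rm -f "$conf"
```

On a real system, point `ignored_pkgs` at /etc/pacman.conf; any package it prints is not receiving upgrades, security fixes included.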

This sounds like pidgin needs a rebuild against the new nss.

1 Like

hm:

but:

2 Likes

Exactly:

This means that Pidgin was built against an older version of nss.

Here are some rebuilt packages:

Removed 'cos they don’t help. 😜

(signed by me)

2 Likes

Thank you for providing these builds. Unfortunately, they did not resolve the problem.

  • I upgraded again to nss 3.58-1.

  • I installed pidgin 2.14.1-3.0 from your package.

  • I installed libpurple 2.14.1-3.0 from your package.

  • I did not install finch from your package, because finch was not already on my computer.

  • I rebooted for good measure.

Running pidgin and attempting a connection to an XMPP server, the SSL handshake failed as before.

Downgrading again to nss 3.57-1 (but keeping your packages), pidgin's connection to the XMPP server worked without problem.

With nss 3.57-1 still installed, I have reverted to pidgin 2.14.1-3 and libpurple 2.14.1-3 from the Arch repos, and the connection to the XMPP server is still working without problem.

1 Like

Worth trying, and at least it’s ruled out as the cause.

1 Like

@loqs has uploaded a patch to the bug report. Let me know if you’d like a package to try this out. Otherwise, it looks like it will be fixed fairly soon.

https://bugs.archlinux.org/task/68357?getfile=19342

3 Likes

Thanks for the offer to create a new build. However, as I’m able to use pidgin with a temporarily downgraded nss, and the release of the patched nss will be soon, I’m happy to wait.

1 Like

I’ve upgraded to nss 3.58-2, and the problem seems to have been resolved. I’ll mark this topic as solved.

(I was waiting for a point-version update, to nss 3.58.1-1, but nss 3.58-2 fixes the problem for me. There must be something I don’t understand about versioning.)

(By the way, Manjaro stable users received the buggy nss 3.58-1 yesterday. I tested, to be sure, and Manjaro users now experience the bug I reported above. I’m happy to be using EndeavourOS, which gave me the bug-free version on the same day that Manjaro users received the buggy version. Sometimes, holding back updates works for users, and sometimes it does not.)

2 Likes