upgrade from nss 3.56 to 3.58 breaks purple-discord: nss: Handshake failed (-12251) #313

Open
pabs3 opened this issue Oct 22, 2020 · 14 comments

@pabs3
Collaborator

pabs3 commented Oct 22, 2020

After upgrading from nss 3.56 to 3.58, purple-discord can no longer connect to Discord due to a `nss: Handshake failed (-12251)` error. According to the Mozilla nss docs this means that "SSL received a malformed Change Cipher Spec record." It seems other folks have the same problem but with XMPP, but my XMPP accounts don't have the same problem.

```
(14:06:02) account: Connecting to account <removed>.
(14:06:02) connection: Connecting. gc = 0x55e0caa236d0
(14:06:02) dnsquery: Performing DNS lookup for gateway.discord.gg
(14:06:02) signals: Signal data for chat-conversation-typing not found!
(14:06:02) dns: Successfully sent DNS request to child 380080
(14:06:02) dns: Got response for 'gateway.discord.gg'
(14:06:02) dnsquery: IP resolved for gateway.discord.gg
(14:06:02) proxy: Attempting connection to 162.159.135.234
(14:06:02) proxy: Connecting to gateway.discord.gg:443 with no proxy
(14:06:02) proxy: Connection in progress
(14:06:02) proxy: Connecting to gateway.discord.gg:443.
(14:06:02) proxy: Connected to gateway.discord.gg:443.
(14:06:02) nss: Handshake failed  (-12251)
(14:06:02) connection: Connection error on 0x55e0caa236d0 (reason: 0 description: Couldn't connect to gateway)
(14:06:02) account: Disconnecting account <removed> (0x55e0c96c6c70)
(14:06:02) connection: Disconnecting connection 0x55e0caa236d0
(14:06:02) connection: Destroying connection 0x55e0caa236d0
```

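
A triage helper for debug logs of the shape quoted above, added here as an example (it is not part of the original issue or of the plugin's code). It pairs each `nss: Handshake failed` line with the most recent `proxy: Connected to host:port` line, which assumes connections are not interleaved in the log; the sample log and the `example.*` hosts are constructed.

```python
import re

# Line shape taken from the debug log in the issue: "(HH:MM:SS) category: message"
LINE_RE = re.compile(r"^\((\d{2}:\d{2}:\d{2})\) ([\w-]+): (.*)$")
CONNECTED_RE = re.compile(r"^Connected to (\S+):(\d+)\.$")
FAILED_RE = re.compile(r"^Handshake failed\s+\((-?\d+)\)$")

SSL_ERROR_BASE = -0x3000  # NSS sslerr.h: SSL error codes start at -12288

# Only the code discussed in the issue; description as quoted there.
KNOWN = {-12251: "SSL received a malformed Change Cipher Spec record."}

# Constructed sample: one working connection, then one failing TLS handshake.
SAMPLE_LOG = """\
(10:00:00) proxy: Connected to chat.example.org:5222.
(10:00:01) connection: Connecting. gc = 0x1
(10:00:05) proxy: Connecting to gateway.example.net:443.
(10:00:05) proxy: Connected to gateway.example.net:443.
(10:00:05) nss: Handshake failed  (-12251)
(10:00:05) connection: Connection error on 0x1
"""

def handshake_failures(log_text):
    """Return one dict per NSS handshake failure, with the peer it followed."""
    last_peer = None
    failures = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not debug-log entries
        ts, category, message = m.groups()
        connected = CONNECTED_RE.match(message) if category == "proxy" else None
        failed = FAILED_RE.match(message) if category == "nss" else None
        if connected:
            last_peer = (connected.group(1), int(connected.group(2)))
        elif failed:
            code = int(failed.group(1))
            failures.append({
                "time": ts,
                "peer": last_peer,  # None if no connect line preceded it
                "code": code,
                "ssl_offset": code - SSL_ERROR_BASE,  # position in the SSL error range
                "meaning": KNOWN.get(code, "unknown to this script"),
            })
            last_peer = None
    return failures

if __name__ == "__main__":
    for failure in handshake_failures(SAMPLE_LOG):
        print(failure)
```
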
@pabs3
Collaborator Author

pabs3 commented Oct 22, 2020

I used the Pidgin NSS Preferences plugin to set the minimum TLS version to 1.0, set the maximum TLS version to 1.3 and enable all the ciphers that were disabled, but this did not fix the issue.

@pabs3
Collaborator Author

pabs3 commented Oct 22, 2020

The NSS release notes: 3.57 3.58

@pabs3
Collaborator Author

pabs3 commented Oct 22, 2020

I used the Pidgin NSS Preferences plugin to disable TLS version 1.3 and this fixed the issue.

@pabs3
Collaborator Author

pabs3 commented Oct 22, 2020

I recompiled NSS 3.58 with a revert for the fix for CVE-2020-25648 and that also fixed the issue.

@pabs3
Collaborator Author

pabs3 commented Oct 22, 2020

I've filed a bug against NSS asking the author of the patch for help with this issue.

@Penaz91
Contributor

Penaz91 commented Oct 22, 2020

nss 3.57 seems to have been working okay for me, the update to 3.58 broke the plugin, if this helps with troubleshooting.

@Iiridayn

Iiridayn commented Oct 22, 2020

Also impacts slack-libpurple - dylex/slack-libpurple#129. Might be an issue in Pidgin?

@pabs3
Collaborator Author

pabs3 commented Oct 23, 2020 via email

@pabs3
Collaborator Author

pabs3 commented Oct 26, 2020

Mozilla developers have fixed this issue in NSS. I'm going to test their patch now.

@pabs3
Collaborator Author

pabs3 commented Oct 26, 2020

I have confirmed this issue is fixed by the patch added by Mozilla folks. Once there is a new release and the release reaches the distros, then I think this issue can be closed.

@EionRobb
Owner

Making the assumption that people are unable to upgrade nss (e.g., no new package provided or don't update very often) - is there something that can be done in the plugin to trigger the 'compat' mode that they were talking about in the Mozilla thread?

@pabs3
Collaborator Author

pabs3 commented Oct 26, 2020 via email

@pabs3
Collaborator Author

pabs3 commented Nov 23, 2020

Mozilla have released NSS 3.59 containing the fix and that has reached Debian and other distros.

@pabs3
Collaborator Author

pabs3 commented Nov 23, 2020

@EionRobb I'll leave it up to you how long you want to keep this open so folks experiencing it can see it, but from my point of view it can be closed now.
