Heads-up on NSS 3.27, Guam

Many distributions, among them Fedora 23 and 24 and Arch Linux, have recently shipped NSS 3.27, sometimes packaged as 3.27.0, or even 3.27.1. This release may just have triggered some confusion about disabling, enabling, and defaulting or not defaulting to the NSS implementation of TLS version 1.3 (currently in draft). Fun!

We’ve received reports from Thunderbird users, and there was a vague mention of iOS 10-based mobile devices, that systems updated to NSS version 3.27 or later would not be able to connect to Guam — the error messages often referring to an insufficient security level.

Initially, I looked at what changed in NSS 3.27, and found that in order to disable the use of and/or the defaulting to TLS 1.3, not only does the (often) existing environment variable NSS_DISABLE_TLS_1_3 need to be non-zero, there’s a new environment variable to be taken into account, called NSS_ENABLE_TLS_1_3 — which would need to be set to zero. To further complicate matters, these environment variables are taken into account at build time, and have no effect at run time. Having shown that unambiguously resolving the confusion that appears to also exist upstream resolves the original issue, I was happy.

We ended up looking at Erlang for it, too — you can’t downgrade NSS on an iOS-based mobile device — and when Enterprise customers, and partners and their customers get involved, well, you know … cogs start turning.

In attempting to find whether or not some OpenSSL API usage changes had occurred in Erlang upstream, I could not find anything. Double-checking the configuration used on our own systems, and configuration we recommend our customers use, I could not find anything amiss either.

I was left with two options: test the update to OTP version 18.3.4.4 and see what that does, or upgrade the entire stack on top of OTP 19.1.4 and see what that breaks.

I think I’ve found that OTP version 18.3.4.4 resolves the issue. I don’t know why precisely (I have not found the commit(s) related to the issue), but it seems to resolve the issue.

So, if you support clients, do not update or upgrade them to NSS 3.27 until after you have the opportunity to consume the updates to Kolab forthcoming!

Thanks for your patience.

EDIT: Clarify these environment variables are for the build time, not the run time.
