After automatically upgrading Xubuntu library libnss3 to version 2:3.21-0ubuntu0.15.10.1 some apps stop working

Bug #1547133 reported by Aleks
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
nss (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

Upwork Team App uses libnss3 for transferring files via HTTPS and it starts getting an unknown SSL error - something like being disconnected from the network. After downgrading back to 2:3.19.2-1ubuntu1 things work again.

Ronald Buckman (ronbu) wrote :

QtWebEngine 5.6.0 which uses nss for ssl connections is unable to connect to Google web sites when using this version of libnss3. This was tested with Qt Demo Browser using Qt Open Source. I request that nss 3.23 be tested for possible use.

Marc Deslauriers (mdeslaur) wrote :

This is a bug in QtWebEngine.

The file src/3rdparty/chromium/net/third_party/nss/patches/chacha20poly1305.patch contains the following:

+/* This is a bodge to allow this code to be compiled against older NSS
+ * headers. */
+#ifndef CKM_NSS_CHACHA20_POLY1305
+#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26)
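
Review bot: the fallback on the `#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26)` line picks a numeric slot in the NSS vendor range whenever the headers lack the macro, and nothing in the hunk ties that number to what the NSS library loaded at run time assigns to it. Rather than guessing a value under `#ifndef`, fail the build with `#error` when the header does not define the mechanism, or leave the cipher disabled in that case, so that a renumbering in NSS surfaces at compile time instead of as a TLS failure.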

Unfortunately, CKM_NSS + 26 got used for something else in nss 3.21:
#define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (CKM_NSS + 26)

In nss 3.23, we now have:
#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28)

This means QtWebEngine isn't using the right value.

To fix this, QtWebEngine needs to be patched to use the proper value of CKM_NSS + 28 in the following files:
src/3rdparty/chromium/net/socket/ssl_client_socket_nss.cc
src/3rdparty/chromium/net/third_party/nss/patches/chacha20poly1305.patch
src/3rdparty/chromium/net/third_party/nss/ssl/ssl3con.c
src/3rdparty/chromium/third_party/nss/patches/nss-chacha20-poly1305.patch
src/3rdparty/chromium/third_party/nss/nss/lib/util/pkcs11n.h

Once that is done and QtWebEngine is rebuilt, I believe it will be compatible with nss 3.21 and 3.23.

I am closing this bug since the product using QtWebEngine is not in Ubuntu and there is no further action to be done.

Changed in nss (Ubuntu):
status: New → Invalid
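
An added example (not part of the bug report, and not Qt or NSS code): a small header audit that flags a bundled fallback define whose `CKM_NSS` offset belongs to a different mechanism in the installed `pkcs11n.h`, or differs from the installed value for the same name. The function names and sample texts are constructed from the defines quoted in the comment above; the 3.23 sample assumes the 3.21 define is still present there.

```python
import re

# "#define CKM_NSS_X (CKM_NSS + N)", optionally prefixed by a patch "+".
DEFINE_RE = re.compile(
    r"^\+?[ \t]*#[ \t]*define[ \t]+(CKM_NSS_\w+)[ \t]+"
    r"\([ \t]*CKM_NSS[ \t]*\+[ \t]*(\d+)[ \t]*\)",
    re.M,
)

def parse_mechanisms(text):
    """Return {mechanism_name: offset_from_CKM_NSS} for the defines in text."""
    return {name: int(offset) for name, offset in DEFINE_RE.findall(text)}

def audit(bundled, system):
    """Check bundled fallback defines against the installed header's table.

    Returns (kind, name, bundled_offset, detail) tuples, where kind is
    "mismatch" (same name, different value; detail is the system value) or
    "collision" (offset owned by another mechanism; detail is its name).
    """
    owner_of = {offset: name for name, offset in system.items()}
    findings = []
    for name, offset in sorted(bundled.items()):
        if name in system and system[name] != offset:
            findings.append(("mismatch", name, offset, system[name]))
        owner = owner_of.get(offset)
        if owner is not None and owner != name:
            findings.append(("collision", name, offset, owner))
    return findings

# Constructed inputs, built only from the defines quoted in this report.
BUNDLED_PATCH = """\
+#ifndef CKM_NSS_CHACHA20_POLY1305
+#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26)
"""
NSS_3_21 = "#define CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (CKM_NSS + 26)\n"
# Assumption: 3.23 keeps the 3.21 define and adds the ChaCha20 one.
NSS_3_23 = NSS_3_21 + "#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28)\n"
PATCHED = "#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28)\n"

if __name__ == "__main__":
    for label, header in (("nss 3.21", NSS_3_21), ("nss 3.23", NSS_3_23)):
        for kind, src in (("bundled", BUNDLED_PATCH), ("patched", PATCHED)):
            result = audit(parse_mechanisms(src), parse_mechanisms(header))
            print(label, kind, result or "ok")
```

In practice the two inputs would be the text of the bundled patch or header and the text of the distribution's installed `pkcs11n.h`.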