Pidgin not using existing root TLS/SSL certificates for validation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Pidgin | Fix Released | Unknown | | |
| pidgin (Ubuntu) | Incomplete | Low | Unassigned | |
Bug Description
Binary package hint: pidgin
After upgrading to Pidgin 1:2.4.1-1ubuntu2.2 for Ubuntu 8.04.1, attempting to connect to Google Talk or MSN Messenger results in Pidgin asking me to verify that the SSL certificates provided are valid. While it is good that Pidgin is not blindly accepting invalid certificates anymore, some of the supposedly invalid certificates are apparently issued by root certificates that are provided by the ca-certificates package. It would be an improvement if Pidgin had access to some root certificates to validate against so that users do not have to manually accept every certificate.
I did a bit of Googling and found a Debian bug (http://
Below I have provided descriptions of what I expected to happen and what actually happens when I try to connect to Google Talk and MSN Messenger via Pidgin 1:2.4.1-1ubuntu2.2.
---
When connecting to Google Talk:
Expected behaviour: able to connect without any certificate warnings
Actual behaviour: when attempting to connect, I receive the following prompt (buttons in brackets):
Accept certificate for talk.google.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
(View Certificate...) (Reject) (Accept)
Workaround: since Pidgin is looking for "etc/ssl/certs" instead of "/etc/ssl/certs", and since Pidgin's current working directory when launched from the applications menu is the user's home directory, if I create a symlink from ~/etc to /etc then Pidgin connects without asking me to validate the certificate (I assume this is due to it being able to validate the certificate).
---
When connecting to MSN Messenger:
Expected behaviour: able to connect without any certificate warnings
Actual behaviour: when attempting to connect, I receive the following prompt (buttons in brackets):
Accept certificate for nexus.passport.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
(View Certificate...) (Reject) (Accept)
Behaviour with the above workaround: after creating a symlink from "~/etc" to "/etc", I get the following prompt instead:
Accept certificate for login.live.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
(View Certificate...) (Reject) (Accept)
It appears that with the symlink workaround, Pidgin is able to validate the certificate for nexus.passport.com, but not for login.live.com. There exists a closed Pidgin bug (http://
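The symlink workaround above only works because a relative trust-store path is resolved against whatever the process's current working directory happens to be, so the certificate store a client ends up with depends on how it was launched rather than on configuration. The following is an added example, not Pidgin's or libpurple's own code: it models the reporter's observation (a relative "etc/ssl/certs" that is only found when the working directory contains an "etc" symlink, versus an absolute path that is found from anywhere) and adds the pre-flight check a practitioner would want, namely refusing to start with an empty or relative CA directory instead of falling through to an "unknown root" prompt. The helper names, the temporary directory layout and the placeholder PEM text are all constructed for this example; the placeholder is not a real certificate, and only its PEM framing is inspected.

```python
import os
import shutil
import tempfile

# Constructed placeholder, not a real certificate; only the PEM markers matter here.
FAKE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholder\n"
    "-----END CERTIFICATE-----\n"
)


def resolve_ca_dir(configured, cwd):
    """Resolve a CA directory the way the OS does: a relative path is taken
    against cwd, an absolute path is returned unchanged (cwd-independent)."""
    return os.path.normpath(os.path.join(cwd, configured))


def count_pem_certs(ca_dir):
    """Count PEM certificate blocks in files directly inside ca_dir.
    Symlinks are followed, as a trust-store loader would follow them."""
    if not os.path.isdir(ca_dir):
        return 0
    total = 0
    for name in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            total += fh.read().count("-----BEGIN CERTIFICATE-----")
    return total


def load_trust_store(configured, cwd, allow_relative=False):
    """Pre-flight check before handing the directory to the TLS library.
    Returns (resolved_dir, cert_count) or raises, so that an empty store is
    a hard error rather than a silent 'root certificate unknown' later on."""
    if not allow_relative and not os.path.isabs(configured):
        raise ValueError("CA directory must be absolute, got %r" % configured)
    resolved = resolve_ca_dir(configured, cwd)
    n = count_pem_certs(resolved)
    if n == 0:
        raise FileNotFoundError("no CA certificates under %s (cwd=%s)" % (resolved, cwd))
    return resolved, n


def demo():
    """Reproduce the report in a temp tree: relative 'etc/ssl/certs' is empty
    from a home directory, works once ~/etc -> /etc exists, while an absolute
    path works regardless of cwd; the default policy rejects relative paths."""
    root = tempfile.mkdtemp()
    try:
        system_certs = os.path.join(root, "etc", "ssl", "certs")
        os.makedirs(system_certs)
        with open(os.path.join(system_certs, "ca.pem"), "w") as fh:
            fh.write(FAKE_CA_PEM)
        home = os.path.join(root, "home", "user")
        os.makedirs(home)
        results = {}
        # 1. relative path resolved against the home directory: nothing there
        try:
            load_trust_store("etc/ssl/certs", home, allow_relative=True)
            results["relative_from_home"] = "loaded"
        except FileNotFoundError:
            results["relative_from_home"] = "empty"
        # 2. the reporter's workaround: ~/etc -> /etc makes the relative path resolve
        os.symlink(os.path.join(root, "etc"), os.path.join(home, "etc"))
        results["relative_with_symlink"] = load_trust_store(
            "etc/ssl/certs", home, allow_relative=True)[1]
        # 3. an absolute path does not care what cwd is
        results["absolute"] = load_trust_store(system_certs, home)[1]
        # 4. default policy: a relative CA directory is rejected outright
        try:
            load_trust_store("etc/ssl/certs", home)
            results["relative_rejected"] = False
        except ValueError:
            results["relative_rejected"] = True
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

One caveat worth keeping in mind when applying this to a real client: OpenSSL's directory-based lookup only records the directory string when it is configured and reads it lazily at verification time, so a wrong or missing CA directory does not fail when the context is set up. That is why an explicit existence and non-empty check like the one above, run at startup, is the place to catch this class of misconfiguration.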
description: updated
Changed in pidgin:
status: Unknown → Fix Released
Changed in pidgin (Ubuntu):
importance: Undecided → Low
As an aside, if someone else who is affected by this bug attempts the workaround I provided in the bug description to connect to Google Talk, and Pidgin warns that "the certificate presented by 'talk.google.com' claims to be from 'gmail.com' instead", you might be connecting to incorrect (obsolete?) ports. Go to Accounts->Manage, select your Google Talk account, click "Modify", and on the "Advanced" tab try the following settings (they worked for me):
Check "Require SSL/TLS"
Check "Force old (port 5223) SSL"
Uncheck "Allow plaintext auth over unencrypted streams"
Uncheck "Use GSSAPI (Kerberos v5) for authentication"
Set the "Connect port" to 443
Set the "Connect server" to talk.google.com
I suppose this comment doesn't relate to this bug other than that I ran into the problem described in this comment while trying to work around the problem described by this bug. I hope it helps someone else. Sorry if this is the wrong place to post such a comment.