Activity log for bug #302314

Date Who What changed Old value New value Message
2008-11-26 07:26:02 Bryan C bug added bug
2008-11-26 07:29:43 Bryan C description

Old value:

Binary package hint: pidgin

After upgrading to Pidgin 1:2.4.1-1ubuntu2.2 for Ubuntu 8.04.1, attempting to connect to Google talk or MSN Messenger results in Pidgin asking me to verify that the SSL certificates provided are valid. While it is good that Pidgin is not blindly accepting invalid certificates anymore, some of the supposed invalid certificates are apparently issued by root certificates that are provided by the ca-certificates package. It would be an improvement if Pidgin had access to some root certificates to validate against so that users do not have to manually accept every certificate.

I did a bit of Googling and found that for Debian bug 492434 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434) it was noted that Pidgin 2.4.1 does not look in "/etc/ssl/certs" for certificates - it looks in "etc/ssl/certs" (a relative path) instead. Later versions of Pidgin apparently support a "--with-system-ssl-certs" configure option, but the approach taken for that Debian bug was to apply a patch to fix the hardcoded path (see http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=32;filename=debian-ca-certs.patch;att=1;bug=492434).

Below I have provided descriptions of what I expected to happen and what actually happens when I try to connect to Google Talk and MSN Messenger via Pidgin 1:2.4.1-1ubuntu2.2.

---

When connecting to Google Talk:

Expected behaviour: able to connect without any certificate warnings

Actual behaviour: when attempting to connect, I receive the following prompt (buttons in brackets):

Accept certificate for talk.google.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
(View Certificate...) (Reject) (Accept)

Workaround: since Pidgin is looking for "etc/ssl/certs" instead of "/etc/ssl/certs", and since Pidgin's current working directory when launched from the applications menu is the user's home directory, if I create a symlink from ~/etc to /etc then Pidgin connects without asking me to validate the certificate (I assume this is due to it being able to validate the certificate).

---

When connecting to MSN Messenger:

Expected behaviour: able to connect without any certificate warnings

Actual behaviour: when attempting to connect, I receive the following prompt (buttons in brackets):

Accept certificate for nexus.passport.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
(View Certificate...) (Reject) (Accept)

Behaviour with the above workaround: after creating a symlink from "~/etc" to "/etc", I get the following prompt instead:

Accept certificate for login.live.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
(View Certificate...) (Reject) (Accept)

It appears that with the symlink workaround, Pidgin is able to validate the certificate for nexus.passport.com, but not for login.live.com. There exists a closed Pidgin bug (http://developer.pidgin.im/ticket/7002) that claims that login.live.com is not accepted because the Ubuntu ca-certificates package is missing some root certificates that Pidgin supplies (but are apparently not distributed with Ubuntu's Pidgin package); Firefox, however, accepts the certificate presented by https://login.live.com... I'm not sure what that would imply.

New value:

Binary package hint: pidgin

After upgrading to Pidgin 1:2.4.1-1ubuntu2.2 for Ubuntu 8.04.1, attempting to connect to Google talk or MSN Messenger results in Pidgin asking me to verify that the SSL certificates provided are valid. While it is good that Pidgin is not blindly accepting invalid certificates anymore, some of the supposed invalid certificates are apparently issued by root certificates that are provided by the ca-certificates package. It would be an improvement if Pidgin had access to some root certificates to validate against so that users do not have to manually accept every certificate.

I did a bit of Googling and found a Debian bug (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434) notes that Pidgin 2.4.1 does not look in "/etc/ssl/certs" for certificates - it looks in "etc/ssl/certs" (a relative path) instead. Later versions of Pidgin apparently support a "--with-system-ssl-certs" configure option, but the approach taken for that Debian bug was to apply a patch to fix the hardcoded path (see http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=32;filename=debian-ca-certs.patch;att=1;bug=492434).

Below I have provided descriptions of what I expected to happen and what actually happens when I try to connect to Google Talk and MSN Messenger via Pidgin 1:2.4.1-1ubuntu2.2.

---

When connecting to Google Talk:

Expected behaviour: able to connect without any certificate warnings

Actual behaviour: when attempting to connect, I receive the following prompt (buttons in brackets):

Accept certificate for talk.google.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
(View Certificate...) (Reject) (Accept)

Workaround: since Pidgin is looking for "etc/ssl/certs" instead of "/etc/ssl/certs", and since Pidgin's current working directory when launched from the applications menu is the user's home directory, if I create a symlink from ~/etc to /etc then Pidgin connects without asking me to validate the certificate (I assume this is due to it being able to validate the certificate).

---

When connecting to MSN Messenger:

Expected behaviour: able to connect without any certificate warnings

Actual behaviour: when attempting to connect, I receive the following prompt (buttons in brackets):

Accept certificate for nexus.passport.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
(View Certificate...) (Reject) (Accept)

Behaviour with the above workaround: after creating a symlink from "~/etc" to "/etc", I get the following prompt instead:

Accept certificate for login.live.com?
The root certificate this one claims to be issued by is unknown to Pidgin.
(View Certificate...) (Reject) (Accept)

It appears that with the symlink workaround, Pidgin is able to validate the certificate for nexus.passport.com, but not for login.live.com. There exists a closed Pidgin bug (http://developer.pidgin.im/ticket/7002) that claims that login.live.com is not accepted because the Ubuntu ca-certificates package is missing some root certificates that Pidgin supplies (but are apparently not distributed with Ubuntu's Pidgin package); Firefox, however, accepts the certificate presented by https://login.live.com... I'm not sure what that would imply.

2008-11-26 14:30:25 goto bug assigned to pidgin
2008-11-26 14:44:03 Bug Watch Updater pidgin: status Unknown Fix Released
2009-04-09 22:12:28 Sebastien Bacher pidgin (Ubuntu): importance Undecided Low
2009-11-24 22:10:40 Leonard Broman removed subscriber Leonard Broman
2011-05-19 17:01:39 Pedro Villavicencio pidgin (Ubuntu): status New Incomplete
2011-09-21 04:01:02 Mike Rogers bug added subscriber Mike Rogers