Comment 10 for bug 302314

The problem definitely remains.

This morning, pidgin under Hardy started giving me the 'invalid certificate' error for login.live.com, asking me blindly whether or not to accept the new certificate. It showed me nothing more than the fingerprint and start/end times to make that choice.

Coincidentally, update manager showed me an update to pidgin, but even after update the error persisted. I now have:

ii libpurple0 1:2.7.0-0ubuntu1.1~pidgin1.08.04 multi-protocol instant messaging library
ii pidgin 1:2.7.0-0ubuntu1.1~pidgin1.08.04 graphical multi-protocol instant messaging client for X
ii pidgin-data 1:2.7.0-0ubuntu1.1~pidgin1.08.04 multi-protocol instant messaging client - data files
ii pidgin-otr 3.1.0-1 Off-the-Record Messaging plugin for pidgin

The error also continued after deleting the existing login.live.com certificate from within pidgin.

I initially rejected the certificate, on the basis that there might be an upstream device intercepting, logging and/or modifying the traffic.

However I was able to verify the certificate manually like this:

(1) openssl s_client -CApath /etc/ssl -connect login.live.com:443

This showed that the certificate is indeed valid and signed by a trusted CA (verify return code 0 = OK)

(2) Copy-paste the PEM certificate shown from step 1 into a new file (ll.cert)

(3) Take the fingerprint of that certificate:

openssl x509 -in ll.cert -noout -fingerprint
> SHA1 Fingerprint=C9:F2:FD:50:A2:0C:AB:4A:45:22:F9:23:E1:91:04:9E:01:F0:64:48

(4) This value matches the value shown by pidgin, so I was able to accept it safely

It's pretty ridiculous that an end-user has to go to such extremes to ensure the security of their comms, when all the machinery and the trust root needed to validate it is already present within Ubuntu.