pidgin does not connect to msn, certificate error

Bug #676972 reported by latrom on 2010-11-18
This bug affects 46 people
Affects            Status         Importance   Assigned to   Milestone
Pidgin             Fix Released   Unknown
pidgin (Ubuntu)                   Medium       Unassigned
Lucid                             Undecided    Unassigned
Maverick                          Undecided    Unassigned

Bug Description

When attempting to connect to MSN, Pidgin fails to load the contact list, citing an issue with the SSL certificate of omega.contacts.msn.com. This happened because Microsoft renewed both the omega.contacts.msn.com certificate and their certification authority certificate "Microsoft Secure Server Authority". Hence, the certificate in /usr/share/purple/ca-certs/Microsoft_Secure_Server_Authority.pem is outdated.

In addition, the transition from the old to the new certificate is not complete, only half-done, so a simple workaround of updating the certificate would not work. Both the old and new certificates have to be included. Debdiffs for natty and maverick are attached.

TEST CASE:
1. Start Pidgin
2. Click Tools->Certificates
3. Delete the omega.contacts.msn.com certificate
4. Try connecting to an MSN messenger account
5. If it fails with "Unable to validate certificate", then this bug is present.

Solution :
While waiting for a Pidgin update from Ubuntu, some people can apply this:
http://developer.pidgin.im/wiki/MSNCertIssue
Tested original on Lucid. Should be OK on all versions.

Original@: http://squidsrants.blogspot.com/2010/11/pidgin-msn-and-other-protocols.html
Also: http://blog.andreineculau.com/2010/11/pidgin-and-msn-certificate-error-for-omega-contacts-msn-com/

latrom (moertael) wrote :
Kamus (kamus) wrote :

I have linked this report to upstream tracker, anyone can follow status of this issue at http://developer.pidgin.im/ticket/12906

Changed in pidgin (Ubuntu):
importance: Undecided → Medium
Changed in pidgin:
status: Unknown → Invalid
Kamus (kamus) wrote :

according to upstream comments:

"This will be fixed sooner or later, all servers just need to be updated."

Changed in pidgin (Ubuntu):
status: New → Confirmed

Workaround pushed upstream; http://developer.pidgin.im/viewmtn/revision/info/cd236baf6d00f3e1561a40974ce1828b793ea187

Commit message:
Add new intermediate certificates that Microsoft have started using to
sign the SSL cert for omega.contacts.msn.com, because their server
admins are incompetent and are still supplying the old intermediates
on the wire.
References #12906

It would probably be nice to add a patch adding the two ca certificates added in the revision to the ubuntu packages.

I can confirm that manually copying them to /usr/share/purple/ca-certs/ solves the problem.

Chow Loong Jin (hyperair) wrote :

Here's a debdiff against Natty's version.

Chow Loong Jin (hyperair) wrote :

And here's a debdiff against maverick-security for an SRU into Maverick. I reckon Lucid is probably affected as well, but I can't test.

Changed in pidgin (Ubuntu):
status: Confirmed → Triaged
Changed in pidgin:
status: Invalid → New
description: updated
Felix Geyer (debfx) wrote :

New debdiff that adds a fix for bug #675903 (icq connection error) to the debdiff from comment #7:

pidgin (1:2.7.3-1ubuntu3.2) maverick-proposed; urgency=low

  [ Chow Loong Jin ]
  * debian/patches/workaround-msn-ssl-failure.patch: Workaround SSL
    connectivity issues with MSN (LP: #676972)

  [ Felix Geyer ]
  * debian/patches/62_icq_server_changes.patch: Adapt to ICQ server changes.
  * debian/patches/63_icq_server_migration.patch: Migrate existing accounts to
    the new login server names. (LP: #675903)

 -- Felix Geyer <email address hidden> Sat, 20 Nov 2010 13:37:00 +0100

Roel Huybrechts (rulus) wrote :

I can confirm that this bug affects Lucid as well.

agent 8131 (agent-8131) wrote :

This looks like the bug I experienced. I followed the steps outlined here to fix it:

http://blog.andreineculau.com/2010/11/pidgin-and-msn-certificate-error-for-omega-contacts-msn-com/

Ross Ashley (brashley46) wrote :

agent 8131's fix worked for me, except that I could not copy the two .pem files into the ca-certs folder named there (as I am not sure of the commands needed to copy them in as root.) So I ended up just putting the omega.contacts.msn.com file into the ~/.purple/certificates/x509/tls_peers folder, replacing the old one, and enabled msn messenger in pidgin again ... that is working for now. Knock wood.

Martin Pitt (pitti) wrote :

I'm sponsoring Felix' maverick debdiff and Chow's natty debdiff.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.7.5-1ubuntu3

---------------
pidgin (1:2.7.5-1ubuntu3) natty; urgency=low

  * debian/patches/13_sounds_and_timers.patch: Squash debian-changes-*
    patch onto this one, was presumably split up by accident
  * debian/patches/workaround-msn-ssl-failure.patch: Workaround SSL
    connectivity issues with MSN (LP: #676972)
 -- Chow Loong Jin <email address hidden> Fri, 19 Nov 2010 20:49:42 +0800

Changed in pidgin (Ubuntu):
status: Triaged → Fix Released

Will the debian/patches/workaround-msn-ssl-failure.patch fix be
available as a Lucid and Maverick update?

Attila

Accepted pidgin into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in pidgin (Ubuntu Maverick):
status: New → Fix Committed
tags: added: verification-needed

On Monday 22,November,2010 04:51 PM, Attila Hammer wrote:
> Will the debian/patches/workaround-msn-ssl-failure.patch fix be
> available as a Lucid and Maverick update?

Maverick, yes. Nobody's done it for Lucid yet.

--
Kind regards,
Loong Jin

Attila Hammer (hammera) wrote :

Sorry for the possibly beginner question: how can I help test
this patch under Lucid?
Is it enough if I download the Pidgin source currently available for Lucid,
put the patch under the debian/patches directory, try rebuilding the package
and watch the MSN connection for a few days?
I would very much like to help, because Maverick is only on my testing
system and Lucid is my normal work system.
My wife uses Lucid on her machine too.

Attila

CiaranG (ciarang) wrote :

Still does it for me, with Maverick, after updating to the version in proposed:

 ciaran@timble:~$ apt-show-versions pidgin
 pidgin/maverick-proposed uptodate 1:2.7.3-1ubuntu3.2

After the update, I closed pidgin and restarted it. The MSN connection still has the same error re the invalid certificate chain for omega.contacts.msn.com

Attila Hammer (hammera) wrote :

I sometimes see the same result under Lucid, but I manually updated the
Microsoft_Internet_Authority_2010.pem and
Microsoft_Secure_Server_Authority_2010.pem certificate files in the
/usr/share/purple/ca-certs directory.
I updated the certificates yesterday.
For example, when I first tried connecting to MSN with Pidgin after first
booting my wife's Lucid system this afternoon, Pidgin didn't connect at first;
if I exit Pidgin and launch it again 10 seconds later, Pidgin
connects to MSN correctly.
So sometimes Pidgin connects to MSN correctly and sometimes not.
The internet connection is available all the time.

Attila

Chow Loong Jin (hyperair) wrote :

On Monday 22,November,2010 10:59 PM, CiaranG wrote:
> Still does it for me, with Maverick, after updating to the version in
> proposed:
>
> ciaran@timble:~$ apt-show-versions pidgin
> pidgin/maverick-proposed uptodate 1:2.7.3-1ubuntu3.2
>
> After the update, I closed pidgin and restarted it. The MSN connection
> still has the same error re the invalid certificate chain for
> omega.contacts.msn.com
>

Could you try opening Tools->Certificates and removing the
omega.contacts.msn.com certificate, then trying to connect again?

--
Kind regards,
Loong Jin

Chow Loong Jin (hyperair) wrote :

On Tuesday 23,November,2010 12:01 AM, Attila Hammer wrote:
> I sometimes see the same result under Lucid, but I manually updated the
> Microsoft_Internet_Authority_2010.pem and
> Microsoft_Secure_Server_Authority_2010.pem certificate files in the
> /usr/share/purple/ca-certs directory.
> I updated the certificates yesterday.
> For example, when I first tried connecting to MSN with Pidgin after first
> booting my wife's Lucid system this afternoon, Pidgin didn't connect at first;
> if I exit Pidgin and launch it again 10 seconds later, Pidgin
> connects to MSN correctly.
> So sometimes Pidgin connects to MSN correctly and sometimes not.
> The internet connection is available all the time.

You need to leave the Microsoft_Internet_Authority.pem and
Microsoft_Secure_Server_Authority.pem certificates in
/usr/share/purple/ca-certs, and add the new ones (the ones that end with
_2010.pem) as well.

--
Kind regards,
Loong Jin
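
The store contents described in the bug description and in the reply above, as an added example that is not part of the original thread: it generates a constructed PKI with the openssl CLI and checks which CA-store contents accept the leaf of a not-yet-migrated server and the leaf of a migrated one. The certificate names, the host name and the model of ca-certs as a set of directly trusted intermediates (openssl's -partial_chain) are assumptions, and openssl's chain building stands in for Pidgin's own verification code.

```shell
#!/bin/sh
# Added example: constructed PKI modelling a half-finished intermediate rollover.
# Every name, key and certificate is generated locally; none are Microsoft's.

# issue DIR NAME ISSUER EXT SERIAL CN: new key and CSR for NAME, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "/CN=$6" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -set_serial "$5" -days 30 -extfile "$1/x.cnf" -extensions "$4" \
    -out "$1/$2.pem" 2>/dev/null
}

# make_pki DIR: one root, an old and a new intermediate, one leaf under each.
make_pki() {
  d=$1
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/x.cnf" \
    -extensions ca -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  issue "$d" old_int  root    ca   2 "Constructed Server Authority" &&
  issue "$d" new_int  root    ca   3 "Constructed Server Authority 2010" &&
  issue "$d" leaf_old old_int leaf 4 "contacts.example.test" &&
  issue "$d" leaf_new new_int leaf 5 "contacts.example.test"
}

# trusts DIR LEAF CERT...: exit 0 when LEAF chains to one of the listed certs.
# The listed certs play the role of the local CA store; the root is left out
# on purpose so that only the intermediates act as trust anchors.
# -untrusted old_int models the server still sending the old intermediate.
trusts() {
  t_dir=$1; t_leaf=$2; shift 2
  : > "$t_dir/store.pem"
  for c in "$@"; do cat "$t_dir/$c.pem" >> "$t_dir/store.pem"; done
  openssl verify -partial_chain -CAfile "$t_dir/store.pem" \
    -untrusted "$t_dir/old_int.pem" "$t_dir/$t_leaf.pem" >/dev/null 2>&1
}

# matrix DIR: print the result for each store against each server's leaf.
matrix() {
  printf '%-18s %-9s %s\n' "CA store" "leaf" "result"
  for store in "old_int" "new_int" "old_int new_int"; do
    for leaf in leaf_old leaf_new; do
      # $store is deliberately unquoted so it splits into separate cert names.
      if trusts "$1" "$leaf" $store; then r=ok; else r=FAIL; fi
      printf '%-18s %-9s %s\n' "$store" "$leaf" "$r"
    done
  done
}

PKI=$(mktemp -d) && trap 'rm -rf "$PKI"' EXIT
make_pki "$PKI" || { echo "openssl could not build the constructed PKI" >&2; exit 1; }
matrix "$PKI"
```

Only the store holding both intermediates accepts both leaves, which is why replacing the old file with the new one is not enough while the servers are mixed.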

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.7.3-1ubuntu3.2

---------------
pidgin (1:2.7.3-1ubuntu3.2) maverick-proposed; urgency=low

  [ Chow Loong Jin ]
  * debian/patches/workaround-msn-ssl-failure.patch: Workaround SSL
    connectivity issues with MSN (LP: #676972)

  [ Felix Geyer ]
  * debian/patches/62_icq_server_changes.patch: Adapt to ICQ server changes.
  * debian/patches/63_icq_server_migration.patch: Migrate existing accounts to
    the new login server names. (LP: #675903)
 -- Felix Geyer <email address hidden> Sat, 20 Nov 2010 13:37:00 +0100

Changed in pidgin (Ubuntu Maverick):
status: Fix Committed → Fix Released
Attila Hammer (hammera) wrote :

What is the difference between the
debian/patches/workaround-msn-ssl-failure.patch first committed to Maverick
proposed and the fix released now?
Or did nothing change in the patch, and the fix was only released?

Attila

Roel Huybrechts (rulus) wrote :

Please find the attached debdiff for Lucid. Built and tested locally here on current Lucid and seems to work as expected.

It's been a long time since I made a debdiff, so I'm not sure about the policies. Specifically the version numbering and the requirement of an @ubuntu.com address. Please use and adjust as you please.

Attila Hammer (hammera) wrote :

I applied your debdiff to the currently available Pidgin source on my Lucid
system.
The build went fine.
If I would like to test the new patched version, is it enough to install the
pidgin deb package?

Attila

CiaranG (ciarang) wrote :

Just to confirm, re comment 20, installing the update from Maverick proposed AND then removing the
omega.contacts.msn.com certificate via Tools->Certificates seems to have resolved the problem.

Attila Hammer (hammera) wrote :

Confirmed under Lucid too.
I installed the modified Pidgin packages locally on my Lucid system; the
installation didn't produce any error. After I removed
omega.contacts.msn.com with the Tools/Certificates dialog, restarted Pidgin,
closed the error message and reconnected, Pidgin connected wonderfully.
After this I did a restart and tried connecting Pidgin 10
times, each with a full start and exit. All connections were successful.
So Pidgin is now working right on my system; I hope this
certification error does not happen again a few days later. :-):-)

Is it possible to upload Roel's patch to Lucid or Lucid-proposed? I
don't know what the correct order is for this type of update.

Attila

How I fixed it:

Open this file with a text editor:

/home/YourUserName/.purple/certificates/x509/tls_peers/omega.contacts.msn.com

Replace contents with:


tags: added: verification-done
removed: verification-needed
tags: removed: apport-bug i386 ubuntu-une
komputes (komputes) wrote :

Confirmed in Lucid. Please allow Lucid users to benefit from this fix through updates.

Chow Loong Jin (hyperair) wrote :

On Wednesday 24,November,2010 12:00 AM, komputes wrote:
> Confirmed in Lucid. Please allow Lucid users to benefit from this fix
> through updates.
>
  affects ubuntu/lucid/pidgin
  status triaged

There's a debdiff attached in one of the earlier comments for Lucid.

--
Kind regards,
Loong Jin

Christian Reis (kiko) wrote :

Ciaran's comment above suggests the bug is indeed not fixed with the update; bits of advice over the internet suggest moving to use msn-pecan instead of the standard MSN implementation provided with purple, which seems to work for me.

Ross Ashley (brashley46) wrote :

Just downloaded and applied update through regular repository. Still working. Now downloading kernel updates etc. in turn, will see if it "just works" after reboot.

Ross Ashley (brashley46) wrote :

Works. Thanks all.

Changed in pidgin:
status: New → Fix Released
Attila Hammer (hammera) wrote :

Now the bug report status has changed from New to Fix Released:
Status in Pidgin: Fix Released
Status in “pidgin” package in Ubuntu: Triaged
Is the fix released only for Maverick now? I think the fix was uploaded to
the Natty branch previously.
Will the fix be available later for Lucid?

Attila

Roel Huybrechts (rulus) wrote :

As I understand just adding the new certificates doesn't fully fix the problem. I'll try to provide an updated debdiff for Lucid later tonight.

Roel Huybrechts (rulus) wrote :

Attached is an updated debdiff for Lucid. This includes the upstream 2.7.7 fixes for GnuTLS and NSS. Built and tested locally on current Lucid and seems to work fine.

André Pirard (a.pirard) wrote :

I'm surprised that this bug blocking MSN chat doesn't have top but only medium importance. It could turn many people away from Ubuntu.
I'm surprised not to find a pidgin update already in Ubuntu's depot for the general user. All it takes is repackaging with two added certificates in /usr/share/purple/ca-certs/
As it is my opinion that general users should find, without reading all this, a clear howto to solve their problem, I have updated the description. I have tested that procedure carefully.

description: updated
André Pirard (a.pirard) on 2010-11-25
description: updated
Changed in pidgin (Ubuntu Lucid):
status: New → Triaged
Chris Coulson (chrisccoulson) wrote :

Ok, I've sponsored the lucid upload now

Accepted pidgin into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in pidgin (Ubuntu Lucid):
status: Triaged → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Martin Pitt (pitti) wrote :

Already fixed in natty, but bug wasn't autoclosed for some reason:

pidgin (1:2.7.5-1ubuntu3) natty; urgency=low

  * debian/patches/13_sounds_and_timers.patch: Squash debian-changes-*
    patch onto this one, was presumably split up by accident
  * debian/patches/workaround-msn-ssl-failure.patch: Workaround SSL
    connectivity issues with MSN (LP: #676972)

 -- Chow Loong Jin <email address hidden> Fri, 19 Nov 2010 20:49:42 +0800

Changed in pidgin (Ubuntu):
status: Triaged → Fix Released
Roel Huybrechts (rulus) wrote :

I installed the Lucid-proposed update on a different machine and can confirm it indeed fixes the issue.

Martin Pitt (pitti) on 2010-11-26
tags: added: verification-done
removed: verification-needed

 On 2010-11-25 21:21, Martin Pitt wrote :
> Accepted pidgin into lucid-proposed, the package will build now and be
> available in a few hours. Please test and give feedback here. See
> https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
> enable and use -proposed. Thank you in advance!
Glad to not just make a test every other year, like for my other reports.
Thanks to everybody working on this !!!

This test did *not* work for me at first and it wasn't until I hacked
the DEB that I found why.
The certificates are not in pidgin but in libpurple0.
But pidgin...4.2 does not depend on libpurple0...4.2 which is, of
course, *required*.
So, my click on pidgin was a do-nothing.
After sighs, sweat and thoughts, everything was superb.

But hence, my conclusions are:
- that many users don't follow -proposed but are eagerly watching their
-updates for the word pidgin.
- that those lucky enough to notice the wagon on the other track and
jump on it may well fall over it.
Even if the wagon were painted in purple for a hint ;-)

It may even be argued that a Certificate update is a security update.

For the sake of Ubuntu.

Cheers.

Chow Loong Jin (hyperair) wrote :

On Saturday 27,November,2010 04:57 AM, André Pirard wrote:
> On 2010-11-25 21:21, Martin Pitt wrote :
>> Accepted pidgin into lucid-proposed, the package will build now and be
>> available in a few hours. Please test and give feedback here. See
>> https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
>> enable and use -proposed. Thank you in advance!
> Glad to not just make a test every other year, like for my other reports.
> Thanks to everybody working on this !!!
>
> This test did *not* work for me at first and it wasn't until I hacked
> the DEB that I found why.
> The certificates are not in pidgin but in libpurple0.
> But pidgin...4.2 does not depend on libpurple0...4.2 which is, of
> course, *required*.
> So, my click on pidgin was a do-nothing.
> After sighs, sweat and thoughts, everything was superb.
>
> But hence, my conclusions are:
> - that many users don't follow -proposed but are eagerly watching their
> -updates for the word pidgin.
> - that those lucky enough to notice the wagon on the other track and
> jump on it may well fall over it.
> Even if the wagon were painted in purple for a hint ;-)
>
> It may even be argued that a Certificate update is a security update.
>
> For the sake of Ubuntu.

Updates are pushed to -proposed first for testing to make sure that they
actually work. After the packages in -proposed have been verified to work using
the test case, the bug is marked "verification-done" and the package is copied
to -updates. Otherwise it's just deleted from -proposed.

Perhaps what's needed is to make the instructions in the wiki page more verbose
to mention that all the binary packages from the source package (apt-cache
showsrc $pkg | grep Binary) need to be updated together before running the test
case.

--
Kind regards,
Loong Jin

Christian Reis (kiko) wrote :

There's something wrong here; I'm wondering if I'm just the only one that has noticed.

If you look at what Roel Huybrechts provided as a lucid debdiff, it includes a number of changes to libpurple (for instance the inclusion of x509_ca_get_certs() and a callsite for it ) that simply aren't present in the patch that Chow Jin provided. Now I've just pulled the source for the pidgin package from maverick-updates and the only difference listed there is the certificates. AIUI just the certificates does /not/ solve the issue -- as a few people here have pointed out it still requires removing the omega.contacts.msn.com certificates manually. If this holds true (and I can reproduce it here) I consider this to be a pretty poor fix for Maverick users in general.

Chow Loong Jin (hyperair) wrote :

On Saturday 27,November,2010 10:16 AM, Christian Reis wrote:
> There's something wrong here; I'm wondering if I'm just the only one
> that has noticed.
>
> If you look at what Roel Huybrechts provided as a lucid debdiff, it
> includes a number of changes to libpurple (for instance the inclusion of
> x509_ca_get_certs() and a callsite for it ) that simply aren't present
> in the patch that Chow Jin provided. Now I've just pulled the source for
> the pidgin package from maverick-updates and the only difference listed
> there is the certificates. AIUI just the certificates does /not/ solve
> the issue -- as a few people here have pointed out it still requires
> removing the omega.contacts.msn.com certificates manually. If this holds
> true (and I can reproduce it here) I consider this to be a pretty poor
> fix for Maverick users in general.

Hmm, yes you're right. I'm not sure where that extra bit came from though. My
understanding of the matter was that those who had manually exchanged their
omega.contacts.msn.com certificates would have to remove them before it would
work again, whereas those who hadn't would have the fix working perfectly
without any extra changes needed.

--
Kind regards,
Loong Jin

André Pirard (a.pirard) wrote :

 On 2010-11-27 03:34, Chow Loong Jin wrote :
> On Saturday 27,November,2010 10:16 AM, Christian Reis wrote:
>> There's something wrong here; I'm wondering if I'm just the only one
>> that has noticed.
>>
>> If you look at what Roel Huybrechts provided as a lucid debdiff, it
>> includes a number of changes to libpurple (for instance the inclusion of
>> x509_ca_get_certs() and a callsite for it ) that simply aren't present
>> in the patch that Chow Jin provided. Now I've just pulled the source for
>> the pidgin package from maverick-updates and the only difference listed
>> there is the certificates. AIUI just the certificates does /not/ solve
>> the issue -- as a few people here have pointed out it still requires
>> removing the certificates manually. If this holds
>> true (and I can reproduce it here) I consider this to be a pretty poor
>> fix for Maverick users in general.
> Hmm, yes you're right. I'm not sure where that extra bit came from though. My
> understanding of the matter was that those who had manually exchanged their
> omega.contacts.msn.com certificates would have to remove them before it would
> work again, whereas those who hadn't would have the fix working perfectly
> without any extra changes needed.

From the many many tests I made with the present Pidgin code, I came
under the impression that the omega.contacts.msn.com in user space is
just a cache. If it matches the certificate to check, the job's done. If
it doesn't, Pidgin is prepared for a cache update. But it could not do it
because of the missing intermediate certificates story. That's why two
certificates were added.
Presently, Pidgin must probably alternate between receiving the old and
new certificates and it must do the check by using both the old and new
files.
In practice,
- without the added certificates, Pidgin must wait until whichever
certificate it cached appears again
- with the added certificates, it always succeeds updating, I must have
overcome that a 100 times
As all that is only smart guessing the inside of the black box, I
thought that the best idea is to watch the cache updating. So, I made
10 connections, I saved omega... each time and here's the result :
$ dir *.pem
1723222 -rw------- 1 p p 2303 2010-11-27 08:20 01.pem
1723229 -rw------- 1 p p 2303 2010-11-27 08:21 02.pem
1723230 -rw------- 1 p p 2339 2010-11-27 08:21 03.pem
1723231 -rw------- 1 p p 2339 2010-11-27 08:21 04.pem
1723232 -rw------- 1 p p 2303 2010-11-27 08:22 05.pem
1723233 -rw------- 1 p p 2303 2010-11-27 08:22 06.pem
1723235 -rw------- 1 p p 2339 2010-11-27 08:23 07.pem
1723246 -rw------- 1 p p 2339 2010-11-27 08:23 08.pem
1723247 -rw------- 1 p p 2339 2010-11-27 08:24 09.pem

Just by watching the sizes of the files, it's obvious that Pidgin is
constantly updating its cache itself.
So, there is no need for the user to erase it.
I think there's no use to try to prove that each size corresponds to
either of old or new certificate.
But I can send them to any disbeliever ;-)
Or just two, as I just checked that same size files are the same.

So, I think that the practical effectiveness of the update has been
proven enough in several ways and that, 10 days after the problem
appeared, i...


Roel Huybrechts (rulus) wrote :

@ Christian Reis: In my second debdiff (the one that's in -proposed atm) I incorporated the additional upstream fixes they released as 2.7.7. These were only committed upstream after the maverick and natty updates were released, so are indeed not in the maverick update. Thus maverick might need another update to fully fix the problem there.

Rolf Leggewie (r0lf) wrote :

I can verify that the lucid-proposed packages fix the issue without any further manual intervention from the user.

Thanks, guys.

Martin Pitt (pitti) wrote :

Since the current version breaks MSN completely, and demonstrably works for a lot of people, I'll push the lucid update out as well now. Please upload a followup update if the omega.contacts.m.c. changes need to be in an SRU after all.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.6.6-1ubuntu4.2

---------------
pidgin (1:2.6.6-1ubuntu4.2) lucid-proposed; urgency=low

  * debian/patches/workaround-msn-ssl-failure.patch: Workaround SSL
      connectivity issues with MSN (LP: #676972)
 -- Roel Huybrechts <email address hidden> Wed, 24 Nov 2010 18:58:18 +0100

Changed in pidgin (Ubuntu Lucid):
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf) wrote :

Martin, thank you for pushing this update. My understanding is that the lucid fix is more up-to-date and advanced than what is currently in maverick. It may be that maverick needs a follow-up update, but I don't run maverick so cannot comment on it. But this is what I gathered from what Christian was saying.

André Pirard (a.pirard) wrote :

Thanks for the work that's been done for all those MSN lovers.
I find it strange to read the last comment. The update consists of adding 2 certificates to libpurple0, and that holds and must work very well for all distributions.
I find it strange that Karmic isn't spoken of.
I find it strange to read that pidgin has to be updated. The package to update is libpurple0 and updating pidgin will not update libpurple0 because of the dependency error I pointed out.
I find it strange that the Solution has not been updated in the bug Description to reflect the update.

Chow Loong Jin (hyperair) wrote :

On Monday 29,November,2010 10:44 PM, Rolf Leggewie wrote:
> Martin, thank you for pushing this update. My understanding is that the
> lucid fix is more up-to-date and advanced than what is currently in
> maverick. It may be that maverick needs a follow-up update, but I don't
> run maverick so cannot comment on it. But this is what I gathered from
> what Christian was saying.

The extra portions of the patch are not really necessary, as Ubuntu's build of
Pidgin uses NSS instead of GnuTLS. For NSS builds, adding the extra certificate
works around the issue already.

The people who have needed to remove omega.contacts.msn.com are the ones who
used the workaround posted on omgubuntu in the first place, and replaced their
omega.contacts.msn.com certificates manually.

Hence, the Maverick fix is sufficient. I myself have not noticed any SSL
certificate issue since the fix was released.

--
Kind regards,
Loong Jin

Chow Loong Jin (hyperair) wrote :

On Thursday 02,December,2010 02:43 AM, André Pirard wrote:
> Thanks for the work that's been done for all those MSN lovers.
You're welcome.

> I find it strange to read the last comment. The update consists of adding 2
> certificates to libpurple0, and that holds and must work very well for all
> distributions.
That's fine, it was a misunderstanding due to some people having implemented a
workaround to the issue that caused trouble with the updates. They just need to
revert their workaround and the update should do its job properly.

> I find it strange that Karmic isn't spoken of. I find it strange to read that
> pidgin has to be updated. The package to update is libpurple0 and updating
> pidgin will not update libpurple0 because of the dependency error I pointed
> out.
Nothing strange about that, just that some of us only have time available for
one release. I did Maverick, someone else did Lucid, and well, someone will have
to do Karmic, but nobody has gotten around to it yet.

As for the dependency issue, now that everything has been copied over
to -updates, it should get updated automatically if you had not disabled updates
on your Lucid/Maverick system.

> I find it strange that the Solution has not been updated in the bug Description
> to reflect the update.
If you find this strange, rather than posting that you find it strange, how
about updating the bug description?

--
Kind regards,
Loong Jin

tags: added: testcase