Re: SSL Certificate
On 24/10/2022 16:23, Sarah O. wrote:
> We had a pop stating that our SSL Certificate had expired. How do we go about fixing that?

This will be the certificate on the server, not anything that is under pidgin's control. Pidgin is an open source messaging client that can work with many types of server, including some public services, so there is no simple answer to your question.

Also certificates have to be signed by a trusted third party (e.g. Verisign, or LetsEncrypt, or even your own corporate one). Details of the procedure will also depend on which is being used.

(If you are FurnaceFilterKing, the trusted third party for your public web site is DigiCert Inc. However, your internal server might be using the old branding and might have a different certifier.)

> We need to add another account for an employee, how do we do that? Please Reply all when replying back to this email.

Again, this is something that needs to be done on the server, not on pidgin. Once you have created the account, you can then configure the new employee's pidgin to access it.

Also note that there is no formal support organisation for Pidgin. This mailing list is answered by users.

___
Support@pidgin.im mailing list
Want to unsubscribe? Use this link: https://lists.pidgin.im/listinfo/support
SSL Certificate
Good morning,

We had a pop stating that our SSL Certificate had expired. How do we go about fixing that?

We need to add another account for an employee, how do we do that?

Please Reply all when replying back to this email.

Thank you.

Sarah O.
Sales Support Specialist
GTA 416.FILTERS (345.8377)
Toll-Free 1.866.998.9909
https://envirofilters.com
Re: ssl connection fail
On 3/15/22 22:17, Jack Sidebottom wrote:
> Lost contact during storms 3/14. Recovered about 22:00 CDT. continued functioning until 3/15 @17:38 CDT

This all looks like pretty standard stuff for a service interruption regardless of how it started.

> Debug window contents from log-in attempt:
> (22:13:33) *proxy:* Connecting to lightwitch.org:5222.
> (22:13:33) *proxy:* Error connecting to lightwitch.org:5222 (Connection timed out.).

This is usually caused by an internet connection not being fully ready.

> (22:13:35) *proxy:* Connecting to meaveen.lightwitch.org:443.
> (22:13:35) *proxy:* Error connecting to meaveen.lightwitch.org:443 (Connection refused.).
> (22:13:35) *proxy:* Connection attempt failed: Connection refused.

The remote server was not accepting connections.
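Added example (not part of the original messages): a small Python triage of Pidgin debug-window lines like those quoted above, separating TCP-level failures (timed out, refused) from failures that happen after the socket connects, which is where TLS and certificate checks would apply. The function names and stage labels are assumptions of this example; the sample lines are the ones quoted in the message above.

```python
import re

# Debug-window lines as quoted in the message above. The *...* markers are
# mail-client bold markup, so the pattern treats them as optional.
SAMPLE_LOG = """\
(22:13:33) *proxy:* Connecting to lightwitch.org:5222.
(22:13:33) *proxy:* Error connecting to lightwitch.org:5222 (Connection timed out.).
(22:13:35) *proxy:* Connecting to meaveen.lightwitch.org:443.
(22:13:35) *proxy:* Error connecting to meaveen.lightwitch.org:443 (Connection refused.).
(22:13:35) *proxy:* Connection attempt failed: Connection refused.
"""

LINE_RE = re.compile(r"^\((\d{2}:\d{2}:\d{2})\)\s+\*?proxy:\*?\s+(.*)$")
CONNECT_RE = re.compile(r"^Connecting to ([^\s:]+):(\d+)\.?$")
ERROR_RE = re.compile(r"^Error connecting to ([^\s:]+):(\d+) \((.*?)\.?\)\.?$")

FAILED = ("timeout", "refused", "other")


def classify(reason):
    """Map the error text to a coarse outcome label (labels are this example's own)."""
    text = reason.lower()
    if "timed out" in text:
        return "timeout"   # no answer at all: link not ready, or traffic dropped/blocked
    if "refused" in text:
        return "refused"   # host answered, but nothing accepted connections on that port
    return "other"


def parse_attempts(log_text):
    """Return one record per host:port endpoint, in the order first seen."""
    attempts = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        when, msg = line.groups()
        started = CONNECT_RE.match(msg)
        failed = ERROR_RE.match(msg)
        if started:
            host, port = started.group(1), int(started.group(2))
            attempts[(host, port)] = {
                "host": host, "port": port, "time": when,
                "outcome": "no-error-logged", "reason": None,
            }
        elif failed:
            host, port = failed.group(1), int(failed.group(2))
            entry = attempts.setdefault(
                (host, port),
                {"host": host, "port": port, "time": when,
                 "outcome": "no-error-logged", "reason": None},
            )
            entry["reason"] = failed.group(3)
            entry["outcome"] = classify(failed.group(3))
    return list(attempts.values())


def triage(attempts):
    """Say which layer to investigate first."""
    if not attempts:
        return {"stage": "unknown", "note": "no proxy connection lines found"}
    if all(a["outcome"] in FAILED for a in attempts):
        return {
            "stage": "transport",
            "note": ("every TCP connection attempt failed, so no TLS handshake or "
                     "certificate check started; look at the network path, "
                     "firewall or IP blocks, and whether the server is listening"),
        }
    return {
        "stage": "after-connect",
        "note": ("at least one endpoint logged no connect error; look for "
                 "SSL/NSS/TLS lines later in the debug window"),
    }


if __name__ == "__main__":
    found = parse_attempts(SAMPLE_LOG)
    for a in found:
        print(f'{a["time"]} {a["host"]}:{a["port"]} -> {a["outcome"]}')
    print(triage(found)["stage"])
```

A "transport" result means the "SSL connection failed" message in the client reflects an unreachable server rather than a certificate problem.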
Re: SSL Connection failed
Hi again,

Looking at the logs it's showing that you're being blocked from the server

(11:31:41) proxy: Error connecting to lightwitch.org:5222 (Connection timed out.).

I can access their server ok from here. You might have tripped some kind of anti spam protection or something like that. You'll need to get in contact with the lightwitch.org server admins and see if they're blocking your ip?

Cheers,
Eion

On Sun, 13 Jun 2021, 04:39 Jack Sidebottom, wrote:
> Attached latest debug after having done warm boot and cold boot. I have no idea how/where to find any info re: SSL or NSS/TLS errors other than this debug report. If you can tell me how to find those errors I will try.
>
> On 6/12/2021 03:55, Eion Robb wrote:
>
> Hi Jack,
>
> You might get more info out of the Help->Debug Window as you reconnect. (Although, when I try to connect to the lightwitch.org xmpp server from here, I'm getting a certificate for aria-net.org instead of lightwitch.org so not sure what's going on there.)
>
> If you're able to attach any SSL or NSS/TLS errors then we can have a look and try work out next steps (might be something that can be resolved by configuring the Tools->Plugins->NSS Preferences plugin)
>
> Cheers,
> Eion
>
> On Sat, 12 Jun 2021 at 12:15, Jack Sidebottom wrote:
>
>> Have attached debug log so you can see exactly what is happening.
>>
>> Win 7, 5 gig cable internet connection (on-line for several days now). Closed screensaver and found Pidgin disconnected with "eiskr...@lightwitch.org/home disconnected" and notice of new 2.14.5 version. Installed new version, tried to start Pidgin, get "SSL Connection failed"
>>
>> What do I do now? Everything else is fully functional.
Re: SSL Connection failed
Hi Jack,

You might get more info out of the Help->Debug Window as you reconnect. (Although, when I try to connect to the lightwitch.org xmpp server from here, I'm getting a certificate for aria-net.org instead of lightwitch.org so not sure what's going on there.)

If you're able to attach any SSL or NSS/TLS errors then we can have a look and try work out next steps (might be something that can be resolved by configuring the Tools->Plugins->NSS Preferences plugin)

Cheers,
Eion

On Sat, 12 Jun 2021 at 12:15, Jack Sidebottom wrote:
> Have attached debug log so you can see exactly what is happening.
>
> Win 7, 5 gig cable internet connection (on-line for several days now). Closed screensaver and found Pidgin disconnected with "eiskr...@lightwitch.org/home disconnected" and notice of new 2.14.5 version. Installed new version, tried to start Pidgin, get "SSL Connection failed"
>
> What do I do now? Everything else is fully functional.
SSL Connection failed
Have attached debug log so you can see exactly what is happening.

Win 7, 5 gig cable internet connection (on-line for several days now). Closed screensaver and found Pidgin disconnected with "eiskr...@lightwitch.org/home disconnected" and notice of new 2.14.5 version. Installed new version, tried to start Pidgin, get "SSL Connection failed"

What do I do now? Everything else is fully functional.
Re: Hangouts ssl error
On 10/29/20 3:19 PM, Wade Smart wrote:
> Wouldn't that depend on the service you are using?
>
> On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers wrote:
>> Has anyone else started getting;

XMPP, which was the default when I set it up.

using void linux, if that matters

--
Rodney D. Myers - wg4usa

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759
Hangouts ssl error
Has anyone else started getting;

SSL handshake failure?

--
Rodney D. Myers - wg4usa

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759
Re: Hangouts ssl error
Hi Rodney,

Glad to hear that worked for you :) Unfortunately it wasn't picked up by Mozilla until it was already released, as they added in a 'compat mode' flag into Firefox that masked the problem for them, but broke every other app that uses NSS.

If you're interested, you can read a bit more about the bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1672703

Cheers,
Eion

On Fri, 30 Oct 2020 at 10:42, Rodney D. Myers wrote:
> That worked, once I found the plugin and enabled it
>
> Thank you
>
> On 10/29/20 5:35 PM, Eion Robb wrote:
>> There was a bug introduced in the most recent version of libnss that prevents it talking to most servers with SSL. It's fixed in an unreleased version of nss
>>
>> As a workaround (assuming this is the problem you're getting) you can limit the max version of TLS in the Tools->Plugins->NSS Preferences config screen to TLS 1.2
>>
>> Hopefully that helps resolve the issue, but if not please let us know and we can start down the path of getting more debug details
>>
>> Cheers,
>> Eion
>>
>> On Fri, 30 Oct 2020, 09:09 Rodney D. Myers wrote:
>>> On 10/29/20 3:19 PM, Wade Smart wrote:
>>>> Wouldn't that depend on the service you are using?
>>>>
>>>> On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers wrote:
>>>>> Has anyone else started getting;
>>>
>>> XMPP, which was the default when I set it up.
>>>
>>> using void linux, if that matters
Re: Hangouts ssl error
There was a bug introduced in the most recent version of libnss that prevents it talking to most servers with SSL. It's fixed in an unreleased version of nss

As a workaround (assuming this is the problem you're getting) you can limit the max version of TLS in the Tools->Plugins->NSS Preferences config screen to TLS 1.2

Hopefully that helps resolve the issue, but if not please let us know and we can start down the path of getting more debug details

Cheers,
Eion

On Fri, 30 Oct 2020, 09:09 Rodney D. Myers, wrote:
> On 10/29/20 3:19 PM, Wade Smart wrote:
>> Wouldn't that depend on the service you are using?
>>
>> On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers wrote:
>>> Has anyone else started getting;
>
> XMPP, which was the default when I set it up.
>
> using void linux, if that matters
Re: Hangouts ssl error
Wouldn't that depend on the service you are using?

--
Registered Linux User: #480675
Registered Linux Machine: #408606
Linux since June 2005

On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers wrote:
> Has anyone else started getting;
>
> SSL handshake failure?
Re: Urgent - SSL Connection Failed
Hi Deepshikha,

Oracle users need to contact their Tech Support people. We as Pidgin developers can't do anything about your server.

Regards,
Eion

On Mon, 18 Mar 2019 at 18:08, Deepshikha Goel wrote:
> Hi All
>
> I need urgent help in pidgin, not able to connect.
>
> getting error : SSL Connection Failed
>
> Thanks
> Deepshikha

___
Support@pidgin.im mailing list
Want to unsubscribe? Use this link: https://pidgin.im/cgi-bin/mailman/listinfo/support
Urgent - SSL Connection Failed
Hi All

I need urgent help in pidgin, not able to connect.

getting error : SSL Connection Failed

Thanks
Deepshikha
Urgent :: SSL Connection Failed
Hi All

Need urgent help, not able to connect pidgin.

Getting error: SSL Connection Failed

Thanks
Deepshikha
Re: Problem with ssl handshake
On Mon, 4 Jun 2018 12:12:28 +0100 (BST) Dimitar Slavov wrote:
> Hello,
>
> I was using pidgin for a long time in an office environment but ever since I've updated one of the office PCs to fedora 28 Pidgin started having the error SSL Handshake Failed. I have another PC that is still using fedora 27 and I am not getting that error there. The configuration is exactly the same as I am using FreeIPA and it is set up to distribute the home directory of the users along all the office PCs. Can you please suggest a solution?

Hi, please see https://developer.pidgin.im/wiki/TipsForBugReports ; also - which protocol/service?

> Kind Regards
> Dimitar Slavov

--
Shlomi Fish http://www.shlomifish.org/
Apple Inc. is Evil - http://www.shlomifish.org/open-source/anti/apple/

I come to bury Caesar, not to praise him.
— https://en.wikiquote.org/wiki/Julius_Caesar_%28play%29

Please reply to list if it's a mailing list post - http://shlom.in/reply .
Problem with ssl handshake
Hello,

I was using pidgin for a long time in an office environment but ever since I've updated one of the office PCs to fedora 28 Pidgin started having the error SSL Handshake Failed. I have another PC that is still using fedora 27 and I am not getting that error there. The configuration is exactly the same as I am using FreeIPA and it is set up to distribute the home directory of the users along all the office PCs. Can you please suggest a solution?

Kind Regards
Dimitar Slavov
REG:pidgin SSL certificate expired issue
Hi,

I have found one new issue. When I restart openfire in server, Pidgin webconsole starting new setup again and password is not working.

--
Regards
Nallamuthu M
System Admin
eGrove Systems Corporation
Ph.No:7845436411
Email:muth...@egrovesystems.com
website:www.egrovesys.com
Re: REG:pidgin SSL certificate expired issue
Hi Nallamuthu,

Can you send a screenshot of what you mean? Could be a few different certificates you might be talking about.

Cheers,
Eion

On 20 February 2018 at 23:02, muth...@egrovesystems.com <muth...@egrovesystems.com> wrote:
> Hi Team,
> We have issue on pidgin SSL certificate expired. It is showing ssl certificate expired and check your date and time. Kindly help us
>
> --
> Regards
> Nallamuthu M
> System Admin
> eGrove Systems Corporation
REG:pidgin SSL certificate expired issue
Hi Team,

We have issue on pidgin SSL certificate expired. It is showing ssl certificate expired and check your date and time. Kindly help us

--
Regards
Nallamuthu M
System Admin
eGrove Systems Corporation
Ph.No:7845436411
Email:muth...@egrovesystems.com
website:www.egrovesys.com
Re: how to change account info and connect through TLS/SSL
Hi there,

The advanced tab is how you change connection settings, yes. The "Require Encryption" option is indeed SSL/TLS, and the account will disconnect if it can't negotiate a secure SSL/TLS connection with the server.

Cheers,
Eion

On 26 December 2017 at 14:56, jerry <jerr...@disroot.org> wrote:
> in accounts > manage accounts > selecting account and modify > advanced tab
>
> in connection security it's on "require encryption"
>
> is that the same as TLS/SSL or something secure or something like this?
how to change account info and connect through TLS/SSL
in accounts > manage accounts > selecting account and modify > advanced tab

in connection security it's on "require encryption"

is that the same as TLS/SSL or something secure or something like this?
Getting crashes in ssl-nss.dll
Very sporadic, but twice today (while chatting on XMPP)

Windows Version 6.2 Build 9200

C:\Program Files (x86)\Pidgin\pidgin.exe caused an Access Violation at location 5bc321d2 in module C:\Program Files (x86)\Pidgin\plugins\ssl-nss.dll Reading from location 0004.

Registers:
eax= ebx= ecx=0001 edx=027f9d48 esi= edi=5c3e2b04
eip=5bc321d2 esp=0061ece0 ebp=0061edd8 iopl=0 nv up ei pl zr na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246

Call stack:
5BC321D2 C:\Program Files (x86)\Pidgin\plugins\ssl-nss.dll
C:\Program Files (x86)\Pidgin\pidgin.dll [2.12.0.0]
5C4AFA48 C:\Program Files (x86)\Pidgin\pidgin.dll pidgin_docklet_uninit
C:\Program Files (x86)\Pidgin\Gtk\bin\libglib-2.0-0.dll [2.28.8.0]
685EB90D C:\Program Files (x86)\Pidgin\Gtk\bin\libglib-2.0-0.dll g_main_context_dispatch
685EBD9D C:\Program Files (x86)\Pidgin\Gtk\bin\libglib-2.0-0.dll g_main_loop_run
C:\Program Files (x86)\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll [2.16.6.0]
61854260 C:\Program Files (x86)\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll gtk_main
Re: SSL certificate error - Unable to validate certificate
I have reinstalled pidgin and it has seemed to stop. Thank you and I will let you know if it continues.

THX

On 5/23/2017 3:31 PM, David Woolley wrote:
> On 23/05/17 23:12, Frank Bratman wrote:
>> Can you please help me. I have used this app for years and now a problem. I have accepted it many times.
>
> It looks to me as though you have failed to keep your root certificates up to date (quite possibly an OS level thing) and gmail has started using newer one. Using View Certificate may give a better clue.
Re: SSL certificate error - Unable to validate certificate
On 23/05/17 23:12, Frank Bratman wrote:
> Can you please help me. I have used this app for years and now a problem. I have accepted it many times.

It looks to me as though you have failed to keep your root certificates up to date (quite possibly an OS level thing) and gmail has started using newer one. Using View Certificate may give a better clue.
Re: SSL certificate error - Unable to validate certificate
Hi Frank,

What version of Pidgin are you using? On what operating system?

Cheers,
Eion

On 24 May 2017 at 10:12, Frank Bratman wrote:
> Can you please help me. I have used this app for years and now a problem. I have accepted it many times.
>
> Frank
SSL certificate error - Unable to validate certificate
Can you please help me. I have used this app for years and now a problem. I have accepted it many times.

Frank
Re: SSL connection failed message
Hi Anne,

Just wanted to check, are you the same person that messaged in IRC as well as leaving a support ticket in trac? https://developer.pidgin.im/ticket/17126#comment:1

Cheers,
Eion

On 30 November 2016 at 13:07, Anne Hutchinson wrote:
> Hello,
>
> Can anyone help me with this issue? I have tried everything I could think of.
>
> Thanks.
SSL connection failed message
Hello,

Can anyone help me with this issue? I have tried everything I could think of.

Thanks.
Re: How to get pidgin working on a server with no SSL cert
Hi Dan,

I've just tried to connect to that XMPP server and I get a 'verify certificate' popup once, for the self-signed certificate running on it. Once you accept the certificate you shouldn't be bothered by it again, and it'll show up in Tools->Certificates.

A website certificate can be different to an XMPP certificate, so trying to extract the cert from the website won't get you far.

You can also point your server admin at services such as "Lets Encrypt" or "Start Encrypt" which offer free, automated certificate systems.

Cheers,
Eion

On 26 June 2016 at 03:11, dan bowser <bowsercomma...@gmail.com> wrote:
> Hello,
>
> I'm trying to get Pidgin to work with a jabber server run by mordus angels, it's an eve online group. After I tried a few solutions offered by google, which involved manually retrieving the SSL cert via Firefox or console command, I spoke with the server admin and confirmed that the host, http://mordusangels.net/, doesn't have an SSL certificate. Since he was pretty firm about being too lazy to get an SSL certificate I'd like to know if there's a way to just ignore the certification all together?
>
> Regards,
> Dan
How to get pidgin working on a server with no SSL cert
Hello,

I'm trying to get Pidgin to work with a jabber server run by mordus angels, it's an eve online group. After I tried a few solutions offered by google, which involved manually retrieving the SSL cert via Firefox or console command, I spoke with the server admin and confirmed that the host, http://mordusangels.net/, doesn't have an SSL certificate. Since he was pretty firm about being too lazy to get an SSL certificate I'd like to know if there's a way to just ignore the certification all together?

Regards,
Dan
Re: Pidgin: SSL Handshake Failed
On Wed, Jul 22, 2015 at 05:27:13PM +, Daniel Maher wrote:
> I've recently downloaded Tails 1.4.1, and whenever I try to connect to the Tails chat 'c3...@irc.oftc.net' I get the message SSL Handshake Failed, or ERROR: Closing Link (No more connections permitted from your host). I would really appreciate any help at all.

This has been happening to me, too. I suspect that OFTC was getting flooding or DDoS attacks through Tor and had to block or throttle the number of Tor connections allowed. It's been that way for at least a few weeks. I haven't bothered to look into it, but I bet you can find some disgruntled people on the Tor mailing lists.
Re: Pidgin: SSL Handshake Failed
I started getting that same error on some of my linux desktops a few days ago. I tracked it down to a mozilla-nss update that seems to have broken pidgin SSL connections to OpenFire XMPP server. We're using pidgin-2.10.10 but recompiling 2.10.11 from source still has the problem. Forcing pidgin to use gnutls library instead is a workaround.

- Original Message -
From: Daniel Maher daniel.gwyn.ma...@gmail.com
To: support@pidgin.im
Sent: Wednesday, July 22, 2015 1:27:13 PM
Subject: Pidgin: SSL Handshake Failed

Hi,

I've recently downloaded Tails 1.4.1, and whenever I try to connect to the Tails chat ' c3...@irc.oftc.net ' I get the message SSL Handshake Failed, or ERROR: Closing Link (No more connections permitted from your host). I would really appreciate any help at all.
Pidgin: SSL Handshake Failed
Hi,

I've recently downloaded Tails 1.4.1, and whenever I try to connect to the Tails chat 'c3...@irc.oftc.net' I get the message SSL Handshake Failed, or ERROR: Closing Link (No more connections permitted from your host). I would really appreciate any help at all.
getting SSL handshake failed
hi,

trying to login with google talk, getting an SSL handshake failed error. how do i fix that?

thank you.
Re: SSL Error
Hi Gentlemen,

Just checking to see what else I should try doing.

On Monday, November 17, 2014 8:23 AM, Pablo Diaz pa...@yahoo.com wrote:
> Hi Mark, I did have this setting enabled and tried toggling it but no luck.
>
> Original message
> From: Mark Doliner m...@kingant.net
> Date: 11/16/2014 3:26 PM (GMT-08:00)
> To: Wade Smart wadesm...@gmail.com
> Cc: Pablo Diaz pa...@yahoo.com, support@pidgin.im
> Subject: Re: SSL Error
>
> On Mon, Nov 10, 2014 at 11:28 AM, Wade Smart wadesm...@gmail.com wrote:
>> Change your setting to, use encryption if available
>
> Note that this could allow a man-in-the-middle to eavesdrop on anything you send and receive using the account. Where man-in-the-middle could be the operator of whatever local network you're using (coffee shop wifi, etc), your ISP, the government, etc.
Re: SSL Error
On Mon, Nov 10, 2014 at 11:28 AM, Wade Smart wadesm...@gmail.com wrote:
> Change your setting to, use encryption if available

Note that this could allow a man-in-the-middle to eavesdrop on anything you send and receive using the account. Where man-in-the-middle could be the operator of whatever local network you're using (coffee shop wifi, etc), your ISP, the government, etc.
Re: SSL Error
Change your setting to, use encryption if available and your port should still be 5222.

--
Registered Linux User: #480675
Registered Linux Machine: #408606
Linux since June 2005

On Mon, Nov 10, 2014 at 11:02 AM, Pablo Diaz pa...@yahoo.com wrote:
> I keep having an issue trying to connect to my FB account. I've tried all possible from what I have found in forums but it doesn't seem to work. I have the SSL error. Not sure what else to do. If there is anything else I can try I would really appreciate it.
RE: SSL Certificate Error
Hi Ethan,

I'm not sure it did. This is a Dell from work. I had it working on my prior computer, but it does not seem to work on this one. My company does have a firewall, though I'm confused why I could access AIM on my older machine. Please let me know what you recommend?

My friend suggested the following, but I can't seem to access that link and I don't know the destination path on my computer. Please advise:

People experiencing the AIM certificate problem can save this file to Pidgin's ca-certs directory: https://hg.pidgin.im/pidgin/main/raw-file/4e027bce3693/share/ca-certs/Entrust.net_2048.pem
For me that's /usr/share/purple/ca-certs/

-Original Message-
From: Ethan Blanton [mailto:e...@pidgin.im]
Sent: Friday, February 14, 2014 4:04 PM
To: Tomas Sidenfaden
Cc: Mark Doliner; support@pidgin.im
Subject: Re: SSL Certificate Error

Tomas Sidenfaden spake unto us the following wisdom:
> Thanks for getting back to me. The first error is Server closed the connection quickly followed by Received Invalid data on connection with server. I am trying to log into my AOL messenger account through Pidgin. Does that help?

Yeah, it does. That's not an SSL certificate error. You probably have a firewall between you and the AIM servers that's causing a problem. Has it ever worked on this computer? If so, what changed when it stopped working?

Ethan
Re: SSL Certificate Error
Tomas Sidenfaden spake unto us the following wisdom:
> I'm not sure it did. This is a Dell from work. I had it working on my prior computer, but it does not seem to work on this one. My company does have a firewall, though I'm confused why I could access AIM on my

I don't know. I don't know how to check from Windows, either. Someone else might.

> My friend suggested the following, but I can't seem to access that link and I don't know the destination path on my computer. Please advise:

This isn't the certificate problem, so that won't help.

Ethan
SSL Certificate Error
Hi. I updated to 2.10.9 but I am still getting the SSL certificate error. What can I do?

Tomás Sidenfaden
Product Manager
Guitar Center, Inc.
Phone: (818) 735-8800 x2033
Cell: (323) 363-4633
Fax: (818) 735-8883
tsidenfa...@guitarcenter.com
Re: SSL Certificate Error
On Fri, Feb 14, 2014 at 11:00 AM, Tomas Sidenfaden tsidenfa...@guitarcenter.com wrote:
> I updated to 2.10.9 but I am still getting the SSL certificate error. What can I do?

Hi Tomas. Can you please be more specific? What protocol account is triggering the error? What does the error say, exactly?
RE: SSL Certificate Error
Hi Mark!

Thanks for getting back to me. The first error is Server closed the connection quickly followed by Received Invalid data on connection with server. I am trying to log into my AOL messenger account through Pidgin. Does that help?

-----Original Message-----
From: Mark Doliner [mailto:m...@kingant.net]
Sent: Friday, February 14, 2014 12:43 PM
To: Tomas Sidenfaden
Cc: support@pidgin.im
Subject: Re: SSL Certificate Error

On Fri, Feb 14, 2014 at 11:00 AM, Tomas Sidenfaden tsidenfa...@guitarcenter.com wrote:
> I updated to 2.10.9 but I am still getting the SSL certificate error. What can I do?

Hi Tomas. Can you please be more specific? What protocol account is triggering the error? What does the error say, exactly?
Re: SSL Certificate Error
Tomas Sidenfaden spake unto us the following wisdom:
> Thanks for getting back to me. The first error is Server closed the connection quickly followed by Received Invalid data on connection with server. I am trying to log into my AOL messenger account through Pidgin. Does that help?

Yeah, it does. That's not an SSL certificate error. You probably have a firewall between you and the AIM servers that's causing a problem. Has it ever worked on this computer? If so, what changed when it stopped working?

Ethan
Re: SSL security concern
On 14/10/13 22:39, Ethan Blanton wrote:
> Oh, OTR. This is a problem for the OTR plugin. We started

I'm afraid I failed to spot that this was an OTR one, rather than a corporate lock down one. (They often have rather conflicting aims.**)

> * Secure all communications, untrusted local storage
> * Secure all communications, trusted local storage

I'm afraid you will need better descriptions. My first thought was that the average user wouldn't make the connection between trusted local storage and logs. On further thought, if you don't actually trust local storage, you can't trust the certificates, or the program code.

> My pushback on this is that the complexity of implementation is pretty high, and I don't really think the benefit is that large. I wouldn't implement it, but if somebody handed it to me and it was good, I would probably take it.

Of course, being open source, the OP can always fork their own version of the code, remembering to change the branding and the embedded support address.

** E.g. corporate IT departments usually want to ensure that conversations are logged but in a way that doesn't allow the employee to manipulate them.
Re: SSL security concern
On Tue, 15 Oct 2013 10:34:11 +0100 Ralf Skyper Kaiser wrote:
> 1. OTR: encrypt messages by default (private messaging).
> - Out of scope. Can only be fixed within the OTR plugin (developers disappeared).

I don't think the OTR developers have disappeared, only that they haven't been on this list. They're on the cypherpunks list, or at least they were roughly 10 days ago.

--
Brian Morrison
Re: SSL security concern
David,

can you clarify this quote from you please:

That goes against the general philosophy of open source clients. The user should be assumed to be responsible.

Are you saying that users who use open source clients are assumed to be responsible? (and because of that pidgin should have a lousy SSL security implementation - because the user knows what he is doing)?

regards,
skyper

On Sun, Sep 22, 2013 at 11:39 PM, David Woolley for...@david-woolley.me.uk wrote:
> On 22/09/13 21:26, skyper wrote:
>> 1. Which ROOT CA storage does pidgin use to authenticate a server side SSL certificate?
>
> See ./configure --help. At a quick scan, it looks like it uses its own set of root certificates by default. The default will depend on the OS, at least to some extent. On Debian, it looks like the default is /usr/share/purple/ca-certs. If you didn't compile it yourself, the choices made by the packager may differ from the build system defaults.
>
>> 2. How can I configure pidgin to use one (and just one; exclusive) ROOT CA storage (or single certificate) and ignore all other system-wide root certs without having to recompile the source?
>
> On that reading. If it has been compiled to use its own certificates, delete the other certificates. Again, on the above reading, this will be a global change for all libpurple clients. If it has been compiled to use a system directory, your caveat cannot be met.
>
>> 3. How can I harden pidgin to fail connecting to the jabber server if SSL trust can not be established? I do not want to see any warning that the SSL cert can not be authenticated or the user being asked if he trusts the certificate manually.
>
> That goes against the general philosophy of open source clients, that the user should be assumed to be responsible. My guess is that this not only requires recompiling, but also requires source code changes.
>
> Please note I'm not an expert on this. I'm just going on a very quick scan of the configure script, and the general design philosophy of open source client software.
Re: SSL security concern
Ralf Skyper Kaiser spake unto us the following wisdom:
> can you clarify this quote from you please:
>
> That goes against the general philosophy of open source clients. The user should be assumed to be responsible.
>
> Are you saying that users who use open source clients are assumed to be responsible? (and because of that pidgin should have a lousy SSL security implementation - because the user knows what he is doing)?

Note that David is not a Pidgin developer, and this opinion is his own. It is either a common attitude for Open Source software or a common misconception regarding open source software, depending on your perspective. I view it as the latter. There's no philosophy of open source that says it has to suck in case the user wants it to.

That said, in this particular instance, we do not have a straightforward option for accomplishing what you're asking for, and I doubt we will soon provide one. It is unfortunately quite common for users to *need* to accept certificates with untrusted chains, mismatched domains, expired signatures, etc. We do not currently provide an option for default disposition (either to confirm or reject) of such a situation, we require the user to handle it manually.

Ethan
Re: SSL security concern
Hi Ethan,

thanks for your comments. I've summarized some SSL/TLS Security concerns: https://thc.org/ssl and also created a video for those who are non-technical: http://youtu.be/F3BMA3IuvYs

I made a list of features under section 6.4 that would make pidgin secure. In summary:

For Jitsi/Pidgin/Jabber this would mean:
1. Do not allow non-private chats
2. Do not allow clear-text (non-SSL) connections
3. Accept self-signed certificates but once accepted/stored do not allow certificate to change (even if new certificate is a Verisign signed certificate).
4. Feature to select CAfile storage location
5. Force client to disable logging
6. Inform server that user is using lockdown (so that server can reject all clients which do not).
7. Once lockdown option is enabled the user should not be able to change any of the above options until lockdown is disabled again (e.g. gray out the option). Disconnect when lockdown option changes and reconnect to all servers.

The BIGGEST BANG FOR THE BUCK would be 4.: Allow the user to specify a different (and exclusive) CA location. It is not a big change and would open up Pidgin to a much larger user base.

regards,
Ralf

On Mon, Oct 14, 2013 at 3:47 PM, Ethan Blanton e...@pidgin.im wrote:
> Ralf Skyper Kaiser spake unto us the following wisdom:
>> can you clarify this quote from you please:
>>
>> That goes against the general philosophy of open source clients. The user should be assumed to be responsible.
>>
>> Are you saying that users who use open source clients are assumed to be responsible? (and because of that pidgin should have a lousy SSL security implementation - because the user knows what he is doing)?
>
> Note that David is not a Pidgin developer, and this opinion is his own. It is either a common attitude for Open Source software or a common misconception regarding open source software, depending on your perspective. I view it as the latter. There's no philosophy of open source that says it has to suck in case the user wants it to.
>
> That said, in this particular instance, we do not have a straightforward option for accomplishing what you're asking for, and I doubt we will soon provide one. It is unfortunately quite common for users to *need* to accept certificates with untrusted chains, mismatched domains, expired signatures, etc. We do not currently provide an option for default disposition (either to confirm or reject) of such a situation, we require the user to handle it manually.
>
> Ethan
Re: SSL security concern
On 14/10/13 15:39, Ralf Skyper Kaiser wrote:
> can you clarify this quote from you please:
>
> That goes against the general philosophy of open source clients. The user should be assumed to be responsible.
>
> Are you saying that users who use open source clients are assumed to be responsible? (and because of that pidgin should have a lousy SSL security implementation - because the user knows what he is doing)?

Enforcing local management policy tends to be a low priority in open source software. In the case of certificates, as long as the user is told that there is a problem with the certificate, it is generally assumed that any choice to ignore the warning is an informed decision. Freedom tends to include the freedom to ignore warnings.

Windows, although far from open source, tends to take a similar position by default, but does provide features like group policies to allow a management lock down. Windows SSL security implementation is also lousy, in your terms, because:

- most people who use it think that an https URL is all that is needed for security and have no understanding of the need for authentication;
- it enables all sorts of weird CAs with low authentication thresholds, along with the class 3 certificates - any one of which will let you in without a warning.

Incidentally, I don't know any easy way of giving standard Windows applications selective access to root certificates, without giving all applications the same restriction.

As a specific example of an area where Pidgin doesn't comply with management lock down wants is that every few months people ask how to disable all but one service, to which the standard answer, is you can disable protocols by removing the plugins, but the end user can just re-install them, so the correct solution is block at the firewall. Of course, many people asking for this would want Facebook and Google blocked, but are using private XMPP servers, so share a common protocol.

As Ethan says, I'm not a Pidgin developer (my programming work with open source is in a different area), but I don't notice much support for management lock downs anywhere in Pidgin.
Re: SSL security concern
> The BIGGEST BANG FOR THE BUCK would be 4.: Allow the user to specify a different (and exclusive) CA location.

As noted in my original reply, that already exists if you build from source - the decision is a compile time one.

If you use a package, the packager will generally select the option that makes the software easiest to use and maintain out of the box, which means that, if the OS supports a compatible certificate store mechanism, the packager will select that, so that it will work out of the box, and certificates will get updated as part of the OS update process. If there isn't such a mechanism, it will install Pidgin's standard set of certificates in a directory private to libpurple, so that the user doesn't have to hunt down certificates before they use it.

At least from a quick glance, you can tell it to use a system certificate store, when you build it, but point that at a directory that you populate with certificates, rather than the standard OS certificate store.
Re: SSL security concern
Ralf Skyper Kaiser spake unto us the following wisdom:
> I made a list of features under section 6.4 that would make pidgin secure. In summary:

So ... we already implement a large portion of this list, either explicitly or implicitly. To wit:

> For Jitsi/Pidgin/Jabber this would mean:
> 1. Do not allow non-private chats

I don't know what this means.

> 2. Do not allow clear-text (non-SSL) connections

This is already available, as a per-account option. A global option could be added, but that is not substantially more user-friendly or secure in any practical sense.

> 3. Accept self-signed certificates but once accepted/stored do not allow certificate to change (even if new certificate is a Verisign signed certificate).

This is not something we currently support, but I generally think it's a good idea across the board. I doubt we will implement it any time soon, but I am pretty sure we would accept a well-written patch that notified of certificate changes.

> 4. Feature to select CAfile storage location

This is already provided, as a compile-time option.

> 5. Force client to disable logging

This is not an option, but can easily be achieved by marking ~/.purple/logs unwriteable by the user.

> 6. Inform server that user is using lockdown (so that server can reject all clients which do not).

This is not useful, as a client can readily lie.

> 7. Once lockdown option is enabled the user should not be able to change any of the above options until lockdown is disabled again (e.g. gray out the option). Disconnect when lockdown option changes and reconnect to all servers.

I don't see what this buys. We're unlikely to implement it.

> The BIGGEST BANG FOR THE BUCK would be 4.: Allow the user to specify a different (and exclusive) CA location.

Again, we already support this, so I guess our buck is already bangin'.

> It is not a big change and would open up Pidgin to a much larger user base.

This is a disingenuous and misplaced statement. I assume you're trying to bribe egos. However, a) Pidgin is already used by many millions of users, b) the much larger user base is a small fraction of those millions consisting of (for example) certain financial companies, a small number of privacy-concerned tech-savvy individuals, etc., and c) we don't care how many people use Pidgin, anyway. If you can convince us something is a good idea, we'll either do it or accept a patch for it. If you can't, we don't care if the Pope, the Dalai Lama, and Captain Reynolds got together and asked for it.

Ethan
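Item 3 in the exchange above (accept a certificate on first use, then refuse or at least report any later change, even to a CA-signed certificate) can be sketched as follows. This is an added example, not Pidgin or libpurple code; the host name, the JSON pin file and the two byte strings standing in for DER-encoded certificates are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from enum import Enum

# Constructed stand-ins for DER-encoded certificates. On a live connection the
# bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_SELF_SIGNED = b"constructed-der-bytes: self-signed certificate"
CERT_CA_SIGNED = b"constructed-der-bytes: replacement signed by a public CA"


class Verdict(Enum):
    FIRST_USE = "first-use"   # no pin existed; this certificate is now pinned
    MATCH = "match"           # presented certificate equals the pin
    CHANGED = "changed"       # presented certificate differs from the pin


class PinStore:
    """Trust-on-first-use store: one SHA-256 fingerprint per host:port."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    @staticmethod
    def fingerprint(der_bytes):
        return hashlib.sha256(der_bytes).hexdigest()

    def check(self, host, port, der_bytes):
        key = f"{host.lower()}:{port}"
        seen = self.fingerprint(der_bytes)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            self._save()
            return Verdict.FIRST_USE
        if hmac.compare_digest(pinned, seen):
            return Verdict.MATCH
        return Verdict.CHANGED  # the stored pin is deliberately left untouched

    def repin(self, host, port, der_bytes):
        """Explicit operator action after the change was verified out of band."""
        self.pins[f"{host.lower()}:{port}"] = self.fingerprint(der_bytes)
        self._save()

    def _save(self):
        # Write to a temp file (created 0600 by mkstemp), then rename atomically
        # so a crash cannot leave a half-written pin file behind.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".pins-")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)


def decide(store, host, port, der_bytes, ca_validated):
    """Return (allow, notice). A changed certificate is refused even when the
    new one validates against a CA, which is the rule item 3 asks for."""
    verdict = store.check(host, port, der_bytes)
    if verdict is Verdict.CHANGED:
        return False, (f"certificate for {host}:{port} changed since it was pinned "
                       f"(CA-validated: {ca_validated}); connection refused")
    if verdict is Verdict.FIRST_USE:
        return True, f"pinned {PinStore.fingerprint(der_bytes)} for {host}:{port}"
    return True, None


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        store = PinStore(os.path.join(d, "pins.json"))
        for cert, ca_ok in ((CERT_SELF_SIGNED, False), (CERT_SELF_SIGNED, False),
                            (CERT_CA_SIGNED, True)):
            print(decide(store, "chat.example.org", 5222, cert, ca_ok))
```

Changing the `CHANGED` branch of `decide` to return `True` with the same notice gives the softer "notify of certificate changes" behaviour mentioned in the reply instead of a hard refusal.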
Re: SSL security concern
David Woolley spake unto us the following wisdom:
> Windows, although far from open source, tends to take a similar position by default, but does provide features like group policies to allow a management lock down. Windows SSL security implementation is also lousy, in your terms, because:

Windows is not a good example of ... basically anything.

> As a specific example of an area where Pidgin doesn't comply with management lock down wants is that every few months people ask how to disable all but one service, to which the standard answer, is you can disable protocols by removing the plugins, but the end user can just re-install them, so the correct solution is block at the firewall. Of course, many people asking for this would want Facebook and Google blocked, but are using private XMPP servers, so share a common protocol.

This is not an accurate characterization. We get people asking how to disable all but one service *using the project-provided Windows binaries*, and we state that there is no such way. A user can readily compile Pidgin without plugin loading and include a specific subset of protocol plugins at compile time and achieve just this. Just ... not some clueless Windows sysadmin.

The point here, and the point for many such features, is that the burden of supporting the option is larger than the perceived benefit, from our point of view. In the case of locking down protocols, the primary concern I see is that, if you allow loadable plugins at all, it seems likely that the user can find some way to defeat whatever trivial mechanism you put in place with a modicum of effort. A nontrivial mechanism is a significant endeavor.

Ethan
Re: SSL security concern
On 14/10/13 17:33, Ralf Skyper Kaiser wrote:
> I agree, 1 of the 7 Security features is already possible with pidgin but requires source code recompilation. That does not fly for most users (especially the windows users).

As far as I know, the Windows build is unable to use the system certificate store, so already uses one private to libpurple, but pre-populates it. You could simply clear it out.

It is only on modern Linux systems where it is likely to share a certificate store, and those are the ones where compiling from source is likely to be easiest. (A packager could, fairly easily, point the certificate store at a symlink, which defaults to the system store, in those cases.)

It looks like Debian also uses a private directory for the certificates (/usr/share/purple/ca-certs/), and doesn't even install all that come with Pidgin.

> Pidgin should be secure by default or - if Pidgin insists that it has to be insecure by default - at least the possibility for the user to use it securely. Without having to recompile from source (and cross platform).

You just have to look at the typical question on this list to realise that a secure by default Pidgin would be unusable to a large number of Pidgin users - if you cannot make a usable support request, you are unlikely to understand how to source and install certificates securely.

There tends to be high support costs in making mass market software secure by default. (As I already noted, Windows seems to let almost every Tom, Dick or Harry act as CAs by default, because starting with only class 3 certificates would cause too many support problems.)

If anything, making it secure by default, if it doesn't scare off new users completely, is likely to result in lots of cook book solutions on how to get it to trust certificates without going through the proper processes to verify those certificates, thus teaching people bad security practices.

If Windows set all but class 3 CAs to disabled by default, I suspect the standard internet cook book solution would be simply to go into the certificate manager and enable them, whenever you got blocked.

Whilst making the directory a run time parameter would, probably, be a small change, you would then have to lock down the configuration file.

Having to explicitly add trusted certificates won't fly with most end users.
Re: SSL security concern
Hi,

> So ... we already implement a large portion of this list, either explicitly or implicitly. To wit:
>
>> For Jitsi/Pidgin/Jabber this would mean:
>> 1. Do not allow non-private chats
>
> I don't know what this means.

...if OTR plugin is available then do not allow non-encrypted private messages.

>> 4. Feature to select CAfile storage location
>
> This is already provided, as a compile-time option.

This is not feasible to the average user. (point taken, developers know how to use pidgin securely. everyone else should go to hell?)

>> 5. Force client to disable logging
>
> This is not an option, but can easily be achieved by marking ~/.purple/logs unwriteable by the user.

Option should be available cross-platform and without OS specific hacks.

>> 6. Inform server that user is using lockdown (so that server can reject all clients which do not).
>
> This is not useful, as a client can readily lie.

This is not the point. The client can also circumvent your no-logging idea by putting up a camera and filming his screen. The point is that it takes reasonable effort and prevents _accidental_ client misconfiguration.

>> 7. Once lockdown option is enabled the user should not be able to change any of the above options until lockdown is disabled again (e.g. gray out the option). Disconnect when lockdown option changes and reconnect to all servers.
>
> I don't see what this buys. We're unlikely to implement it.

Prevents accidental misconfiguration by the user. A server rule could create a rule to only let clients connect that are in lockdown. This would ensure against these accidental misconfigurations:
1. User has logging disabled
2. User is authenticating against server supplied/server-trusted cert (and not one of the 600+ CA's out there)
3. User can not send unencrypted private messages
etcetcetc.

It prevents accidental client misconfiguration which form the majority of all security problems.

> This is a disingenuous and misplaced statement. I assume you're trying to bribe egos. However, a) Pidgin is already used by many millions of users, b) the much larger user base is a small fraction of those millions consisting of (for example) certain financial companies, a small number of privacy-concerned tech-savvy individuals, etc.

I think there is a use case for such a feature. There is currently no easy to use and secure IM client on the market. History (last 2-3 years, and recent PRISM leaks) has shown that governments (and I'm not just talking about the US here) are intercepting SSL traffic on a massive scale (see the DigiNotar-Iran incident, the Blackberry-Etisalat incident, the PRISM case, ...etc etc etc).

This has been made possible because of lax security implementation - not just in pidgin but across the board. Firefox and Chrome are now on the forefront for implementing stricter SSL security (including certificate pinning, HSTS and exclusive CA locations).

David: Saying that this is not required reminds me of a discussion in the 80s when the car manufacturers said that Airbags are not required (That cars have a brake and that people should drive responsibly. Only a small ruthless-driving group of people would benefit.).

regards,
Ralf
Re: SSL security concern
On Mon, 14 Oct 2013 19:25:21 +0100 Ralf Skyper Kaiser wrote:
>>> 1. Do not allow non-private chats
>>
>> I don't know what this means.
>
> ...if OTR plugin is available then do not allow non-encrypted private messages.

This can be set on a per-contact basis for those who use OTR.

--
Brian Morrison
Re: SSL security concern
Brian,

yes, correct, and it's a good feature to have. Yet we see users sending unencrypted messages even when they think they are using OTR with private message encryption (yes, users are sometimes stupid).

An option that uses encryption by default (which can be disabled by the user) provides better security at no cost to usability. So why not do it?

regards,
Ralf

On Mon, Oct 14, 2013 at 7:54 PM, Brian Morrison b...@fenrir.org.uk wrote:
> On Mon, 14 Oct 2013 19:25:21 +0100 Ralf Skyper Kaiser wrote:
>>>> 1. Do not allow non-private chats
>>>
>>> I don't know what this means.
>>
>> ...if OTR plugin is available then do not allow non-encrypted private messages.
>
> This can be set on a per-contact basis for those who use OTR.
>
> --
> Brian Morrison
Re: SSL security concern
Ralf Skyper Kaiser spake unto us the following wisdom:
>>> 1. Do not allow non-private chats
>>
>> I don't know what this means.
>
> ...if OTR plugin is available then do not allow non-encrypted private messages.

Oh, OTR. This is a problem for the OTR plugin. We started discussions with the OTR people to bring it into Pidgin proper, but they disappeared and it has never happened. Until it does, it's not something we can do anything about.

>>> 4. Feature to select CAfile storage location
>>
>> This is already provided, as a compile-time option.
>
> This is not feasible to the average user. (point taken, developers know how to use pidgin securely. everyone else should go to hell?)

That's not what I said.

So ... you started with a list of demands with no justification, you apparently ignored or disregarded existing functionality, and as we attempt to refine the situation you resort to ego-bribery and reductio ad absurdum. It makes it hard to take you seriously. You may have some good points, but they're hard to find past the noise.

So, if we assume charitably that your cat sat on the keyboard and made you look like a jerk, your response before that point probably said "I would like a runtime option, because while I want the store to be exclusive and immutable, I want the store to be non-exclusive and mutable." At which point I say ... what are you trying to solve? Give me a use case and we can talk about options. I don't see any reason why putting certificates in the predefined store is inferior to changing the location of the store at runtime, and since you seem to be concerned about users accidentally changing options, I'd say the former is preferable to the latter. Justify.

>>> 5. Force client to disable logging
>>
>> This is not an option, but can easily be achieved by marking ~/.purple/logs unwriteable by the user.
>
> Option should be available cross-platform and without OS specific hacks.

That's cross-platform and not OS-specific, you can even do the same thing on Windows ... assuming you're using Windows and still pretending to be concerned about security (?). I agree that it's inelegant. However, I don't really get what you're trying to accomplish, if a simple option to turn off logging is not sufficient, and you want an option to turn off the option that turns off logging. Justify.

>>> 6. Inform server that user is using lockdown (so that server can reject all clients which do not).
>>
>> This is not useful, as a client can readily lie.
>
> This is not the point. The client can also circumvent your no-logging idea by putting up a camera and filming his screen. The point is that it takes reasonable effort and prevents _accidental_ client misconfiguration.

I ... still don't get this.

>>> 7. Once lockdown option is enabled the user should not be able to change any of the above options until lockdown is disabled again (e.g. gray out the option). Disconnect when lockdown option changes and reconnect to all servers.
>>
>> I don't see what this buys. We're unlikely to implement it.
>
> Prevents accidental misconfiguration by the user. A server rule could create a rule to only let clients connect that are in lockdown. This would ensure against these accidental misconfigurations:
> 1. User has logging disabled
> 2. User is authenticating against server supplied/server-trusted cert (and not one of the 600+ CA's out there)
> 3. User can not send unencrypted private messages
> etcetcetc.

So maybe you're just saying something very confusing here. You don't want an option that locks down the preferences, you want an option that automatically sets a variety of security preferences to known good settings? Your initial description sounded like you wanted an option to disable further configuration tweaks, regardless of what the current configuration is.

If your assertion is, instead, that there should be a secure everything global option, then I'd say this is a reasonable idea, but your specific implementation is not great. I'd be more inclined to have a dropdown box in a security tab with a couple of options. Maybe:

* Secure all communications, untrusted local storage
* Secure all communications, trusted local storage
* Require encrypted server connections
* Allow insecure connections
* Custom settings

The first locks down everything you've asked for, the second does the same but allows logging, the third enforces Use SSL/TLS Encryption for every connection but makes no other security-related demands, the fourth enforces Use SSL/TLS if available, and the final setting lets each preference do its own thing.

My pushback on this is that the complexity of implementation is pretty high, and I don't really think the benefit is that large. I wouldn't implement it, but if somebody handed it to me and it was good, I would probably take it.

>> This is a disingenuous and misplaced statement. I assume you're trying to bribe egos. However
Pidgin 2.10.7 Windows: yahoo / ssl error
Dear support team,

Over the last 2 hours, I started having the following error on both computers in my house. I tried to reboot the computers and reinstall pidgin, though I have no luck and I get the same error. Any help would be greatly appreciated.

(03:07:15) *connection:* Connecting. gc = 04CA35D0
(03:07:15) *util:* requesting to fetch a URL
(03:07:15) *dnsquery:* Performing DNS lookup for vcs1.msg.yahoo.com
(03:07:15) *dnsquery:* IP resolved for vcs1.msg.yahoo.com
(03:07:15) *proxy:* Attempting connection to 66.196.120.43
(03:07:15) *proxy:* Connecting to vcs1.msg.yahoo.com:80 with no proxy
(03:07:15) *proxy:* Connection in progress
(03:07:15) *proxy:* Connecting to vcs1.msg.yahoo.com:80.
(03:07:15) *proxy:* Connected to vcs1.msg.yahoo.com:80.
(03:07:15) *util:* request constructed
(03:07:16) *util:* Response headers: 'HTTP/1.1 200 OK Content-Length: 46 Content-Type: text/plain; charset=utf-8 Cache-Control: max-age=0, must-revalidate Expires: Sun, 10 Jun 2007 12:01:01 GMT '
(03:07:16) *util:* parsed 46
(03:07:16) *yahoo:* Got COLO Capacity: 1
(03:07:16) *yahoo:* Got CS IP address: 66.196.121.24
(03:07:16) *dnsquery:* Performing DNS lookup for 66.196.121.24
(03:07:16) *dnsquery:* IP resolved for 66.196.121.24
(03:07:16) *proxy:* Attempting connection to 66.196.121.24
(03:07:16) *proxy:* Connecting to 66.196.121.24:5050 with no proxy
(03:07:16) *proxy:* Connection in progress
(03:07:16) *proxy:* Connecting to 66.196.121.24:5050.
(03:07:16) *proxy:* Connected to 66.196.121.24:5050.
(03:07:16) *yahoo:* 80 bytes to read, rxlen is 100
(03:07:16) *yahoo:* Yahoo Service: 0x57 Status: 1
(03:07:16) *yahoo:* Authentication: In yahoo_auth16_stage1
(03:07:16) *util:* requesting to fetch a URL
(03:07:16) *dnsquery:* Performing DNS lookup for login.yahoo.com
(03:07:16) *dnsquery:* IP resolved for login.yahoo.com
(03:07:16) *proxy:* Attempting connection to 188.125.82.242
(03:07:16) *proxy:* Connecting to login.yahoo.com:443 with no proxy
(03:07:16) *proxy:* Connection in progress
(03:07:16) *proxy:* Connecting to login.yahoo.com:443.
(03:07:16) *proxy:* Connected to login.yahoo.com:443.
(03:07:16) *nss:* subject=CN=login.yahoo.com,O=Yahoo! Inc.,L=Sunnyvale,ST=CA,C=US issuer=CN=DigiCert High Assurance CA-3,OU= www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *nss:* subject=CN=DigiCert High Assurance CA-3,OU= www.digicert.com,O=DigiCert Inc,C=US issuer=CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *nss:* partial certificate chain
(03:07:16) *certificate/x509/tls_cached:* Starting verify for login.yahoo.com
(03:07:16) *certificate/x509/tls_cached:* Checking for cached cert...
(03:07:16) *certificate/x509/tls_cached:* ...Found cached cert
(03:07:16) *nss/x509:* Loading certificate from C:\Users\root\AppData\Roaming\.purple\certificates\x509\tls_peers\ login.yahoo.com
(03:07:16) *certificate/x509/tls_cached:* Peer cert did NOT match cached
(03:07:16) *certificate:* Checking signature chain for uid=CN= login.yahoo.com,O=Yahoo! Inc.,L=Sunnyvale,ST=CA,C=US
(03:07:16) *certificate:* ...Good signature by CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *certificate:* Chain is VALID
(03:07:16) *certificate/x509/tls_cached:* Checking for a CA with DN=CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *certificate/x509/tls_cached:* Also checking for a CA with DN=CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *certificate:* Failed to verify certificate for login.yahoo.com
(03:07:16) *yahoo:* Authentication: In yahoo_auth16_stage1_cb
(03:07:16) *yahoo:* Login Failed, unable to retrieve login url: Unable to connect to login.yahoo.com: SSL peer presented an invalid certificate
(03:07:16) *connection:* Connection error on 04CA35D0 (reason: 0 description: Unable to connect to login.yahoo.com: SSL peer presented an invalid certificate)
(03:07:16) *account:* Disconnecting account vlad_thoth (02581990)
(03:07:16) *connection:* Disconnecting connection 04CA35D0
(03:07:16) *connection:* Destroying connection 04CA35D0

Cheers,
Vlad
SSL security concern
Hi,

1. Which ROOT CA storage does pidgin use to authenticate a server side SSL certificate?
2. How can I configure pidgin to use one (and just one; exclusive) ROOT CA storage (or single certificate) and ignore all other system-wide root certs without having to recompile the source?
3. How can I harden pidgin to fail connecting to the jabber server if SSL trust can not be established? I do not want to see any warning that the SSL cert can not be authenticated or the user being asked if he trusts the certificate manually.

thanks

regards,
skyper
tor/privacy (socks5) option giving ssl error
Hello,

Pidgin 2.10.6 (libpurple 2.10.6) 4cfe697ea3ae39a4fb3dad8e3ed1c70855901095

I am trying to connect to Tor using Pidgin. I am having a connection issue. Of the three proxy options socks4, socks5, and tor/privacy(socks5), it seems I should be using tor/privacy(socks5). This issue has come up on some Tor lists.

Can someone explain exactly what is the difference between Tor/Privacy Socks5, and just Socks5, and whether you believe Pidgin to preserve the anonymity?

And also, my question as to why on my system, socks 5 works, but Tor/Privacy(Socks5) results in SSL connection error almost immediately (i.e. I don't think it is even making any network activity, it just immediately displays the SSL connect error). Setting Socks5 works fine.

Thanks
Re: tor/privacy (socks5) option giving ssl error
On Tue, Apr 2, 2013 at 7:08 PM, Ileana ile...@fairieunderground.info wrote:

> Hello, Pidgin 2.10.6 (libpurple 2.10.6) 4cfe697ea3ae39a4fb3dad8e3ed1c70855901095 I am trying to connect to Tor using Pidgin. I am having a connection issue. Of the three proxy options socks4, socks5, and tor/privacy(socks5), it seems I should be using tor/privacy(socks5). This issue has come up on some Tor lists. Can someone explain exactly what is the difference between Tor/Privacy Socks5, and just Socks5, and whether you believe Pidgin to preserve the anonymity?

The difference is that the Tor/Privacy proxy will disable various other pieces of functionality (e.g. DNS queries) instead of just proxying actual connections through a proxy. If you have pidgin configured appropriately (e.g. disabling UPnP, etc) we're not aware of any leakage of information to someone listening between you and the proxy endpoint.

> And also, my question as to why on my system, socks 5 works, but Tor/Privacy(Socks5) results in SSL connection error almost immediately (i.e. I don't think it is even making any network activity, it just immediately displays the SSL connect error). Setting Socks5 works fine.

You didn't provide any context to the specific issue, but the likely reason for this particular error is that the Tor/Privacy Socks5 mode will prevent DNS queries from occurring and this probably has the effect of preventing you from determining the correct server to connect to (e.g. a DNS SRV lookup is necessary to connect to the appropriate XMPP server for a number of domains unless you specify a Connect Server manually).

-D
Re: tor/privacy (socks5) option giving ssl error
> You didn't provide any context to the specific issue, but the likely reason for this particular error is that the Tor/Privacy Socks5 mode will prevent DNS queries from occurring and this probably has the effect of preventing you from determining the correct server to connect to (e.g. a DNS SRV lookup is necessary to connect to the appropriate XMPP server for a number of domains unless you specify a Connect Server manually).

Daniel,

Sorry for the lack of context. I am using tor and pidgin Pidgin 2.10.6 (libpurple 2.10.6), on linux. I am connecting to a normal irc server. It works with socks 5, it doesn't work, and immediately fails, with tor/privacy socks5 with error ssl connection failed.

When I try to connect to an IRC tor hidden service address (blahblahblah.onion) I get: Unable to connect: Aborting DNS lookup in Tor Proxy mode. When I try to connect to a regular IRC address/hostname, I get SSL Connection Failed. Both work when I select socks5. Neither works with tor/privacy(socks5).

Are you suggesting I should be putting the ip addresses in directly for these hostnames? That isn't even possible in the case of the hidden service addresses. And the hidden service address seems to resolve and work fine with the socks5 setting.

I don't see how this can't be some kind of bug? Aren't the dns requests supposed to go through the proxy? Do you need to add a check box (do dns lookup at proxy end), as appears in the main proxy config screen, for each individual setting?

I am concerned some users may be using pidgin incorrectly. But you might be right that it is a dns problem, and it is attempting the lookup locally. In the case of the TAILS OS, all dns is transparently routed over the tor, so local dns gets resolved, and that would work. But for most privacy users, local dns queries are a big no-no, yet they need to be done, and hence are done via socks 5 at proxy end.

What is the workaround now? Use socks4 and make the changes? Is it sufficient to turn off upnp and disable unnecessary plugins, or is the tor/privacy setting doing stuff in the code that an end user can't set manually? I.E. If I just use socks5 and disable plugins, is that enough? Does it do anything versus ctcp/ping/dcc etc?

Thanks
Re: tor/privacy (socks5) option giving ssl error
From my basic understanding, a tor/privacy setting should ensure:

* no local dns lookups (perhaps as an options checkbox). socks4 automatically does lookup at end...there is no option. socks5 you have option for local or remote dns in the spec. Most tor users want remote, except in the case of TAILS a user might handle the dns queries locally (and then resolving them through for instance tor's dns port). I think the same side is to do them remotely.
* real ip address never gets sent out
* no other system information gets sent out (kernel version, uname, os, etc)
* nothing that seems to be a unique identifier gets sent out upon connect/reconnect (i.e. ssl session ids, user agents/version, etc).
* timestamps all converted to utc
* any functionality such as dcc where there is a direct connection to the other client should either be disabled or also ensure real ip is not leaked.

I can't think of anything else off the top of my head, but I may have missed something. If you are a developer and can point me to a link to the code that handles the proxy settings, I would take a further look.

Thanks
Re: tor/privacy (socks5) option giving ssl error
On Tue, Apr 2, 2013 at 8:55 PM, Ileana ile...@fairieunderground.info wrote:

>> You didn't provide any context to the specific issue, but the likely reason for this particular error is that the Tor/Privacy Socks5 mode will prevent DNS queries from occurring and this probably has the effect of preventing you from determining the correct server to connect to (e.g. a DNS SRV lookup is necessary to connect to the appropriate XMPP server for a number of domains unless you specify a Connect Server manually).
>
> Daniel, Sorry for the lack of context. I am using tor and pidgin Pidgin 2.10.6 (libpurple 2.10.6), on linux. I am connecting to a normal irc server. It works with socks 5, it doesn't work, and immediately fails, with tor/privacy socks5 with error ssl connection failed. When I try to connect to an IRC tor hidden service address (blahblahblah.onion) I get: Unable to connect: Aborting DNS lookup in Tor Proxy mode. When I try to connect to a regular IRC address/hostname, I get SSL Connection Failed.

You'll need to provide more details - a sanitized debug log (Help-Debug Window) from when it tries to connect should help.

> Both work when I select socks5. Neither works with tor/privacy(socks5). Are you suggesting I should be putting the ip addresses in directly for these hostnames? That isn't even possible in the case of the hidden service addresses. And the hidden service address seems to resolve and work fine with the socks5 setting.

No, that's not necessarily what I'm suggesting.

> I don't see how this can't be some kind of bug? Aren't the dns requests supposed to go through the proxy? Do you need to add a check box (do dns lookup at proxy end), as appears in the main proxy config screen, for each individual setting?

Again, it's hard to say without more information. It's not possible to do all DNS requests through the proxy - you can pass a hostname to the proxy and have it resolve it, but e.g. a SRV request can't be done through a proxy. No, that checkbox is globally applied, it doesn't need to be more granularly applied.

> I am concerned some users may be using pidgin incorrectly. But you might be right that it is a dns problem, and it is attempting the lookup locally. In the case of the TAILS OS, all dns is transparently routed over the tor, so local dns gets resolved, and that would work. But for most privacy users, local dns queries are a big no-no, yet they need to be done, and hence are done via socks 5 at proxy end. What is the workaround now? Use socks4 and make the changes? Is it sufficient to turn off upnp and disable unnecessary plugins, or is the tor/privacy setting doing stuff in the code that an end user can't set manually? I.E. If I just use socks5 and disable plugins, is that enough? Does it do anything versus ctcp/ping/dcc etc?

TAILS is pretty much irrelevant from the application perspective. I'm going to hold off answering the rest because we don't know what the problem is.

-D
Re: tor/privacy (socks5) option giving ssl error
On Tue, Apr 2, 2013 at 9:11 PM, Ileana ile...@fairieunderground.info wrote:

> From my basic understanding, a tor/privacy setting should ensure:

All of my answers below apply to stock Pidgin when you select Tor/Privacy in the proxy settings - any third party plugins could change the behavior. Some effort has been put into making XMPP safe from a privacy perspective; other protocols have issues - good patches are always welcome.

> *no local dns lookups (perhaps as an options checkbox) socks4 automatically does lookup at end...there is no option. socks5 you have option for local or remote dns in the spec. Most tor users want remote, except in the case of TAILS a user might handle the dns queries locally (and then resolving them through for instance tor's dns port). I think the same side is to do them remotely.

The libpurple DNS functionality will be blocked - anything that can be done through the proxy will be done, otherwise the functionality will fail (for things using the libpurple DNS API). It's possible that protocols like gadu-gadu or sametime, which use external libraries to implement the protocol, would make DNS requests without using the libpurple API. It looks like Bonjour/Link-Local accounts will send stuff out on your local network, because that's how the protocol works.

> *real ip address never gets sent out

This should be the case for XMPP. If libpurple/Pidgin is configured appropriately, it won't know what your external IP address is.

> *no other system information gets sent out (kernel version, uname, os, etc)

Your IRC account default settings contain some information from your OS user account, but you're free to change them. See https://developer.pidgin.im/ticket/15295 There may be other issues for other protocols

> *nothing that seems to be a unique identifier gets sent out upon connect/reconnect. (i.e. ssl session ids, user agents/version, etc).

Of course unique things will be sent out - you're connecting to an IM account and your account name will be sent out (and possibly your password too depending on what you're connecting to).

> *timestamps all converted to utc

I'm not sure if there are places where your timezone or information that can be used to deduce your timezone are sent out, but I don't consider this sensitive.

> *any functionality such as dcc where there is a direct connection to the other client should either be disabled or also ensure real ip is not leaked.

This wouldn't be a reasonable assumption to make for protocols other than XMPP.

> I can't think of anything else off the top of my head, but I may have missed something. If you are a developer and can point me to a link to the code that handles the proxy settings, I would take a further look.

libpurple/proxy.c
Re: tor/privacy (socks5) option giving ssl error
On Tue, 2 Apr 2013 21:46:20 -0400 Daniel Atallah datal...@pidgin.im wrote:

>> Daniel, Sorry for the lack of context. I am using tor and pidgin Pidgin 2.10.6 (libpurple 2.10.6), on linux. I am connecting to a normal irc server. It works with socks 5, it doesn't work, and immediately fails, with tor/privacy socks5 with error ssl connection failed. When I try to connect to an IRC tor hidden service address (blahblahblah.onion) I get: Unable to connect: Aborting DNS lookup in Tor Proxy mode. When I try to connect to a regular IRC address/hostname, I get SSL Connection Failed.
>
> You'll need to provide more details - a sanitized debug log (Help-Debug Window) from when it tries to connect should help.

(21:49:24) account: Connecting to account foo44...@irc.oftc.net.
(21:49:24) connection: Connecting. gc = 0xb83c3868
(21:49:24) dnsquery: Performing DNS lookup for localhost
(21:49:24) dnsquery: Aborting DNS lookup in Tor Proxy mode.
(21:49:24) proxy: Connection attempt failed: Aborting DNS lookup in Tor Proxy mode.
(21:49:24) connection: Connection error on 0xb83c3868 (reason: 0 description: SSL Connection Failed)
(21:49:24) account: Disconnecting account foo44...@irc.oftc.net (0xb7c39428)
(21:49:24) connection: Disconnecting connection 0xb83c3868
(21:49:24) connection: Destroying connection 0xb83c3868
(21:49:28) autorecon: do_signon called
(21:49:28) autorecon: calling purple_account_connect

I don't understand this...it says it is doing dns lookup for localhost?

Ahh! I found it...I had localhost in the settings rather than 127.0.0.1. When I set it to 127.0.0.1 for the proxy host, it works. I see, it cuts off all local dns requests, including looking at the host file. I am not sure if this should be documented...most other applications (firefox, thunderbird, etc) have the option to do some names locally, in particular, localhost should usually work. This may be considered a minor bug?

> Again, it's hard to say without more information. It's not possible to do all DNS requests through the proxy - you can pass a hostname to the proxy and have it resolve it, but e.g. a SRV request can't be done through a proxy. No, that checkbox is globally applied, it doesn't need to be more granularly applied.

Perhaps you are right. And I am mixed up in my statements. socks 4 you have the option local/remote dns. socks4a seems to automatically do remote, no option, but pidgin doesn't seem to do socks4a. And socks5 again the option, but it seems the common setting is to do remote lookup.

>> I am concerned some users may be using pidgin incorrectly. But you might be right that it is a dns problem, and it is attempting the lookup locally. In the case of the TAILS OS, all dns is transparently routed over the tor, so local dns gets resolved, and that would work. But for most privacy users, local dns queries are a big no-no, yet they need to be done, and hence are done via socks 5 at proxy end. What is the workaround now? Use socks4 and make the changes? Is it sufficient to turn off upnp and disable unnecessary plugins, or is the tor/privacy setting doing stuff in the code that an end user can't set manually? I.E. If I just use socks5 and disable plugins, is that enough? Does it do anything versus ctcp/ping/dcc etc?
>
> TAILS is pretty much irrelevant from the application perspective. I'm going to hold off answering the rest because we don't know what the problem is.

OK...I see what you are saying. I see how TAILS should be irrelevant from the application end...up into the point the application itself is sending out information that could deanonymize the client. TAILS really can't do anything about that, hence I like that pidgin is compartmentalizing the problem by having this privacy setting. I just think it should be documented exactly what it is doing. It seems your Tor/Privacy mode should keep the user, by any means possible, from doing un-intentional loss of private information at the application level.

Thanks for helping me resolve this, and your obvious work on this app, which is really nice. I guess I will have to look at the code to see exactly what is the difference from the socks5/torprivacy setting? You mentioned, obviously, it blocking DNS, and we see that here. I am wanting a full list of differences.
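An added illustration of what the log in the message above shows, not code from the thread or from libpurple: with remote resolution the destination name travels inside the SOCKS5 CONNECT request (RFC 1928 address type 0x03), so the only name the client has to resolve itself is the proxy host, which is why `localhost` failed and `127.0.0.1` worked. The function names, the `privacy_mode` flag and ports 6697 and 9050 are assumptions made for this example.

```python
"""Model of SOCKS5 name handling in a "no local DNS" proxy mode (added example)."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


class LocalDnsBlocked(Exception):
    """A name would have to be resolved on the local machine."""


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal and therefore needs no lookup."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def socks5_connect_request(dest_host, dest_port):
    """Build the RFC 1928 CONNECT request for dest_host:dest_port.

    IP literals are sent as ATYP 0x01/0x04. Anything else is sent as a
    length-prefixed name (ATYP 0x03), so the proxy, not the client,
    resolves it. That is the only way a .onion name can work.
    """
    if not 0 < dest_port < 65536:
        raise ValueError("port out of range")
    if is_ip_literal(dest_host):
        ip = ipaddress.ip_address(dest_host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    else:
        name = dest_host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])  # VER, CMD, RSV
    return header + addr + struct.pack("!H", dest_port)


def plan_connection(proxy_host, dest_host, dest_port, privacy_mode):
    """Return the local lookups the client needs and the request it sends.

    Assumed model of the behaviour described in the thread: in privacy
    mode every local lookup is refused, including the proxy's own host
    name (so even "localhost" from the hosts file is rejected).
    """
    local_lookups = [] if is_ip_literal(proxy_host) else [proxy_host]
    if privacy_mode and local_lookups:
        raise LocalDnsBlocked("Aborting DNS lookup for %r" % proxy_host)
    return {
        "local_lookups": local_lookups,
        "request": socks5_connect_request(dest_host, dest_port),
    }


if __name__ == "__main__":
    # Constructed inputs: the two proxy host settings tried in the thread.
    for proxy in ("localhost", "127.0.0.1"):
        try:
            plan = plan_connection(proxy, "irc.oftc.net", 6697, privacy_mode=True)
            print(proxy, "->", plan["request"].hex())
        except LocalDnsBlocked as exc:
            print(proxy, "->", exc)
```
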
Re: tor/privacy (socks5) option giving ssl error
On Tue, 2 Apr 2013 22:36:51 -0400 Daniel Atallah datal...@pidgin.im wrote:

> On Tue, Apr 2, 2013 at 9:11 PM, Ileana ile...@fairieunderground.info wrote:
>
>> From my basic understanding, a tor/privacy setting should ensure:
>
> All of my answers below apply to stock Pidgin when you select Tor/Privacy in the proxy settings - any third party plugins could change the behavior. Some effort has been put into making XMPP safe from a privacy perspective; other protocols have issues - good patches are always welcome.

Well thanks for the effort.

>> *no local dns lookups (perhaps as an options checkbox) socks4 automatically does lookup at end...there is no option. socks5 you have option for local or remote dns in the spec. Most tor users want remote, except in the case of TAILS a user might handle the dns queries locally (and then resolving them through for instance tor's dns port). I think the same side is to do them remotely.
>
> The libpurple DNS functionality will be blocked - anything that can be done through the proxy will be done, otherwise the functionality will fail (for things using the libpurple DNS API). It's possible that protocols like gadu-gadu or sametime, which use external libraries to implement the protocol, would make DNS requests without using the libpurple API. It looks like Bonjour/Link-Local accounts will send stuff out on your local network, because that's how the protocol works.
>
>> *real ip address never gets sent out
>
> This should be the case for XMPP. If libpurple/Pidgin is configured appropriately, it won't know what your external IP address is.
>
>> *no other system information gets sent out (kernel version, uname, os, etc)
>
> Your IRC account default settings contain some information from your OS user account, but you're free to change them. See https://developer.pidgin.im/ticket/15295 There may be other issues for other protocols
>
>> *nothing that seems to be a unique identifier gets sent out upon connect/reconnect. (i.e. ssl session ids, user agents/version, etc).
>
> Of course unique things will be sent out - you're connecting to an IM account and your account name will be sent out (and possibly your password too depending on what you're connecting to).

Everyone disagrees about the User Agent issue and this has been a big pain in the butt across applications from browsers to torrent to chat. It seems XMPP/Pidgin does send out the timezone and pidgin version/libpurple version. Seems like minor non-sensitive stuff but it does allow partitioning of the userspace.

>> *timestamps all converted to utc
>
> I'm not sure if there are places where your timezone or information that can be used to deduce your timezone are sent out, but I don't consider this sensitive.
>
>> *any functionality such as dcc where there is a direct connection to the other client should either be disabled or also ensure real ip is not leaked.
>
> This wouldn't be a reasonable assumption to make for protocols other than XMPP.
>
>> I can't think of anything else off the top of my head, but I may have missed something. If you are a developer and can point me to a link to the code that handles the proxy settings, I would take a further look.
>
> libpurple/proxy.c

Thanks for the info. I will take a look at it.
Error requesting https://api.oscar.aol.com/aim/startOSCARSession: Unable to connect to api.oscar.aol.com: SSL Connection Failed
I downloaded the latest version of Pidgin this morning and installed on a new laptop that has windows 7 OS. I get the following error when trying to connect:

Error requesting https://api.oscar.aol.com/aim/startOSCARSession: Unable to connect to api.oscar.aol.com: SSL Connection Failed

Your site says that if you get AOL SSL handshake message to install the latest version of Pidgin, which I have just done. And searching your support site has not helped... I do not find any tickets for this issue.

It is pretty important that I get some sort of IM client working soon since I work remote and this is a main avenue of communication with my group. I really hate using AIM... I have been using Pidgin for the last 4 years on my old laptop which is running windows xp, and like it a lot better.

Thanks,
Shelley
Re: SSL
On Sun, Sep 16, 2012 at 5:40 PM, england1...@tormail.org wrote:

> Is there a way to connect with SSL with ICQ in pidgin?

In newer versions of Pidgin, edit the account, on the Advanced tab leave all settings set to the default values except change Connection security to Require encryption. In this case Pidgin will bail out upon login if it isn't able to establish an SSL/TLS connection for something.

In older versions of Pidgin, if clientLogin is turned on then authentication will always happen over SSL/TLS. I don't remember the specifics about whether IM and buddy list traffic will be encrypted... I think it depends on the version of Pidgin you're using. Newer versions tend to request encryption for IM/buddy list when available, but I think they're still willing to connect even if the server doesn't allow an SSL/TLS connection.
SSL
Hi, can you tell me if I use 443 port in the 'advanced' tab in 'edit account' that it will automatically make the connection through SSL? Thanks.
Re: SSL
On Sun, Sep 16, 2012 at 12:46 PM, england1...@tormail.org wrote:

> Hi, can you tell me if I use 443 port in the 'advanced' tab in 'edit account' that it will automatically make the connection through SSL? Thanks.

No, changing the port will not automatically make the connection use SSL.

-D
Re: SSL
On Sun, Sep 16, 2012 at 5:40 PM, england1...@tormail.org wrote:

>> On Sun, Sep 16, 2012 at 12:46 PM, england1...@tormail.org wrote:
>>
>>> Hi, can you tell me if I use 443 port in the 'advanced' tab in 'edit account' that it will automatically make the connection through SSL? Thanks.
>>
>> No, changing the port will not automatically make the connection use SSL.
>>
>> -D
>
> Thanks. Is there a way to connect with SSL with ICQ in pidgin? Because I can not see an option to do it in 'edit account'. Thanks.

Please reply to the mailing list and not to me directly. I don't know the answer to your question, but perhaps someone else does.

-D
SSL configuration
Hi, could you please tell me if I can in any way configure SSL to work with pidgin. There doesn't seem to be an option for ICQ. Thanks in advance.
Re: Error: SSL peer presented an invalid certificate | running on ARM-ubuntu-11.10
You could try to figure out why Pidgin thinks the certificate is invalid by running with pidgin -d to show lots of debug output (I'm a little surprised the error message you're seeing doesn't already say why it's invalid). The two most likely reasons I can think of are either the clock on your ARM computer is wrong, or Pidgin still can't find the CA certificates.
Re: XMPP - SSL Handshake Failed on 2.8.0
Christy Ankrom spake unto us the following wisdom:

> I cannot connect to XMPP on version 2.8.0 - giving me error SSL handshake failed. Searched support and cannot find documentation to help me out. Last tried and worked on 6/10/11.

Please include the contents of a debug log (Help | Debug Window) from the connect. You may redact usernames and hostnames from the log if you like.

This is sometimes caused by servers which do not correctly support SSL. It can also be caused by a server with a bad or broken certificate (although normally, in that case, you get an option to temporarily accept the bad certificate). Without a debug log, it is hard to say what is going on here.

Ethan
Re: Unable to connect to bos server. ssl handshake failed
On Mon, Mar 28, 2011 at 8:40 AM, Felicia Marzan fmar...@nuskin.com wrote:

> Please advise how to fix this error listed in the subject line.

This is sometimes just a temporary problem. Is this still happening? Have you been able to connect successfully in the past using Pidgin?

--Mark
Unable to connect to bos server. ssl handshake failed
Please advise how to fix this error listed in the subject line.

Thanks,
Felicia

Felicia Marzan
HR Office Manager
Phone: (801)345-2500
Fax: (801)345-2591
fmar...@nuskin.com
Re: Unable to connect to bos server. ssl handshake failed
Felicia Marzan wrote:

> Please advise how to fix this error listed in the subject line.

This is an error associated with the AOL Oscar protocol and bos is actually BOS. Probably the AOL machine failed to convince you that it was genuine, quite possibly because a firewall was blocking the communication.

You need to provide debug log information, although speaking with your IT department about their firewall might help. What happens when you use the official AOL client? What version of Pidgin and what OS type and version?

http://code.google.com/p/joscar/wiki/OscarConnections explains BOS servers (Basic Online Services). This seems to deal with coordinating your session after you have logged in, routing requests to more appropriate servers.

--
David Woolley
Emails are not formal business letters, whatever businesses may want. RFC1855 says there should be an address here, but, in a world of spam, that is no longer good advice, as archive address hiding may not work.
SSL Certificate Verification issues
Recently I started getting SSL Certificate Verification issues on AIM, with Pidgin. The following would come up:

Accept certificate for bos.oscar.aol.com? The certificate for bos.oscar.aol.com could not be validated. The certificate has expired and should not be considered valid. Check that your computer's date and time are accurate.

And it has buttons to view the certificate, or Reject or Accept it. No matter what happens, whether I click Accept or Reject, the next time I log in it comes up again. It's quite annoying and I'm not sure what to do. How am I supposed to be able to fix this?
Re: SSL Certificate Verification issues
On Thu, 24 Feb 2011 04:07:39 -0500 Don Keeney donn...@hotmail.com wrote:

> And it has buttons to view the certificate, or Reject or Accept it. No matter what happens, whether I click Accept or Reject, the next time I log in it comes up again. It's quite annoying and I'm not sure what to do. How am I supposed to be able to fix this?

Well it is AOL's job to do that, all that Pidgin is telling you is that the certificate has expired, it seems to be a new cert and they have managed to only make it valid for 2 days.

--
Brian Morrison
Pidgin 2.7.7 - ICQ SSL connection still fails
Hi all, the problem with ICQ SSL connection was not fully solved. Today morning I've made on my WXP(SP3) a completely new installation of Pidgin 2.7.7 (=everything what I've found from older installs, was deleted before installation), but problem with ICQ persists, e.g. Jabber works fine. I'm sitting behind proxy/firewall so unsecured access is not solution for me. It's strange, that at home (on my desktop 2 laptops) with the same settings (slogin.icq.com/5190/encrypted connection if available/clientLogin) is Pidgin working without any troubles. Enclosed You'll find a debug log. I hope that it could help to find the solution. BTW Parallel connection with an ancient Miranda 0.6.8 is successful. Regards Marek M. [Attachment: purple-debug.log]
Re: Pidgin 2.7.7 - ICQ SSL connection still fails
On 11/24/2010 07:59 AM, s...@volny.cz wrote: Hi all, the problem with ICQ SSL connection was not fully solved. Today morning I've made on my WXP(SP3) a completely new installation of Pidgin 2.7.7 (=everything what I've found from older installs, was deleted before installation), but problem with ICQ persists, e.g. Jabber works fine. I'm sitting behind proxy/firewall so unsecured access is not solution for me.
Unfortunately, unsecured access is the only option. ICQ was recently split off from the AIM servers. Not all of the new ICQ servers support SSL. The only combinations of options that will work are:
* clientLogin off and connection security set to Don't use encryption
* clientLogin on and connection security set to Don't use encryption
* clientLogin on and connection security set to Use encryption if available
The combination of clientLogin and Use encryption if available is the default for new accounts and will work by using SSL where available and falling back to unsecured connections where necessary. We've been led to believe that eventually all the new ICQ servers will support SSL just as the AIM servers currently do. John
MSN SSL problems again
So what is it? Has Microsoft decided to make a play for proprietary tech or something? After having fixed the MSN SSL cert already - it froze up my Pidgin only to force me to restart, leading to a return of the now well loved omega ssl certificate error. I returned to the support wiki and re-downloaded the certificates in the hope that maybe they had been updated again. But still no success - is there more going on? Thanks TTT
Re: MSN SSL problems again
On Wed, 24 Nov 2010 15:25:12 -0500 Zacknafain Do'Urden wildnz...@inexistentia.net wrote: but still no success - is there more going on? Which version are you running, 2.7.7 or something earlier? -- Brian Morrison I am not young enough to know everything Oscar Wilde
Re: MSN SSL problems again
Zacknafain Do'Urden wrote: So what is it? Has Microsoft decided to make a play for proprietary tech or something? In this case, it is probably a case of being reckless about Pidgin, etc., but, if you actually read the terms of use you agree to when you sign up to the MSN service, you will find that you agree not to use Pidgin or any other client not in a short list of approved clients. Part of this will be for protection against misoperating clients, but a major factor will be protecting the business model on which the service is based. For example, a recent comment was that Pidgin avoided the adverts that you get with Live Messenger, but one of the reasons Microsoft will operate that service free of charge to end users will be the advertising revenue that they obtain. In this case, the change was probably made for valid security reasons, but it seems to have taken short cuts which rely on an updated client having information coded into it that the server would have to provide, in other cases, such as accessing https URLs. The Microsoft client will have this update done, but until they make the change, unofficial clients may have no reason to believe that the client has been prepared for such a change. -- David Woolley Emails are not formal business letters, whatever businesses may want. RFC1855 says there should be an address here, but, in a world of spam, that is no longer good advice, as archive address hiding may not work.
Re: MSN SSL problems again
On Wed, 2010-11-24 at 22:32 +, David Woolley wrote: Zacknafain Do'Urden wrote: So what is it? Has Microsoft decided to make a play for proprietary tech or something? In this case, it is probably a case of being reckless about Pidgin, etc., but, if you actually read the terms of use you agree to when you sign up to the MSN service, you will find that you agree not to use Pidgin or any other client not in a short list of approved clients. Please remember Hanlon's Razor: Never attribute to malice that which is adequately explained by stupidity. Part of this will be for protection against misoperating clients, but a major factor will be protecting the business model on which the service is based. For example, a recent comment was that Pidgin avoided the adverts that you get with Live Messenger, but one of the reasons Microsoft will operate that service free of charge to end users will be the advertising revenue that they obtain. Part of what? A recent comment where? Can you actually point to anything Microsoft have ever done that can be demonstrably proved to be done solely with the intention of blocking 3rd party clients? (I hate to sound defensive of Microsoft here, but FUD should not be allowed either way). In this case, the change was probably made for valid security reasons, but it seems to have taken short cuts which rely on an updated client having information coded into it that the server would have to provide, in other cases, such as accessing https URLs. The Microsoft client will have this update done, but until they make the change, unofficial clients may have no reason to believe that the client has been prepared for such a change. The change was made because their SSL certificate was expiring, so they renewed it, I guess that counts as valid security reasons. The reason they didn't detect (and so far don't seem too concerned about) the mis-configuration of the server(s) is that their primary client already recognizes the new intermediate certificates that signed the new SSL certificate as trusted anyway, so they don't have a problem with the fact that the server(s) are still providing the old intermediates in the chain. But the reason their primary client trusts the new certificate is simply because they ship update their primary OS with their own intermediate certificates too. Regards, Stu.
Pidgin MSN Non Functional. SSL Certificate Error ( Recurring too ! )
I don't have time to search forums for this bug, I know it's a known issue, but in the end if this doesn't get addressed, I'm migrating to something that works without me needing to Fuck with MSN SSL certificates every 20 Minutes Forward this message to someone, or don't. If this isn't fixed in less than a week, I will have no choice to migrate to Empathy or another Multi-Chat client
So Technically if all I have to do is the steps below, can this be scripted into the software, to acquire new certificates whenever required, or at least to verify it on connect?
Updated to the Latest Version
Tried Manually Getting New Certificate --- Fixes Issue ( Executed steps listed here )
Looked like an SSL error, which I confirmed with Goggles. I mean Googles. I mean Google. Anyway, to fix it, do this:
1. Open Pidgin. Go to Tools / Certificates and you should see omega.contacts.msn.com. Delete it.
2. Then go to https://omega.contacts.msn.com . You’ll get an error on the page, but don’t worry. Just double click on the certificate icon and export the file to your Desktop or wherever.
3. Then go back into Pidgin and go to Tools / Certificates and Add it via the Certificate Manager. It should work now. Yay.
Randomly, or on next connect attempt certificate
Coming From an end user, I will discontinue use of this software, if it does not support MSN in a stable fashion
I tried to Supply as much useful information as possible with this message.
additional info: From Log:
(21:13:57) account: Connecting to account phee...@vif.com.
(21:13:57) connection: Connecting. gc = 0x31867c0
(21:13:57) msn: new httpconn (0x3350e70)
(21:13:57) dns: DNS query for 'messenger.hotmail.com' queued
(21:13:57) dns: Wait for DNS child 4657 failed: No child processes
(21:13:57) dns: Created new DNS child 4677, there are now 1 children.
(21:13:57) dns: Successfully sent DNS request to child 4677
(21:13:57) dns: Got response for 'messenger.hotmail.com'
(21:13:57) dnsquery: IP resolved for messenger.hotmail.com
(21:13:57) proxy: Attempting connection to 64.4.45.62
(21:13:57) proxy: Connecting to messenger.hotmail.com:1863 with no proxy
(21:13:57) proxy: Connection in progress
(21:13:57) proxy: Connecting to messenger.hotmail.com:1863.
(21:13:57) proxy: Connected to messenger.hotmail.com:1863.
(21:13:57) msn: C: NS 000: VER 1 MSNP15 CVR0
(21:13:57) msn: S: NS 000: VER 1 MSNP15
(21:13:57) msn: C: NS 000: CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.5.1302 BC01 phee...@vif.com
(21:13:57) msn: S: NS 000: CVR 2 14.0.8117 14.0.8117 14.0.8117 http://msgruser.dlservice.microsoft.com/download/A/6/1/A616CCD4-B0CA-4A3D-B975-3EDB38081B38/en/wlsetup-cvr.exe http://download.live.com/?sku=messenger
(21:13:57) msn: C: NS 000: USR 3 SSO I phee...@vif.com
(21:13:57) msn: S: NS 000: XFR 3 NS 207.46.124.62:1863 U D
(21:13:57) dns: DNS query for '207.46.124.62' queued
(21:13:57) dnsquery: IP resolved for 207.46.124.62
(21:13:57) proxy: Attempting connection to 207.46.124.62
(21:13:57) proxy: Connecting to 207.46.124.62:1863 with no proxy
(21:13:57) proxy: Connection in progress
(21:13:57) proxy: Connecting to 207.46.124.62:1863.
(21:13:57) proxy: Connected to 207.46.124.62:1863.
(21:13:57) msn: C: NS 000: VER 4 MSNP15 CVR0
(21:13:57) msn: S: NS 000: VER 4 MSNP15
(21:13:57) msn: C: NS 000: CVR 5 0x0409 winnt 5.1 i386 MSNMSGR 8.5.1302 BC01 phee...@vif.com
(21:13:57) msn: S: NS 000: CVR 5 14.0.8117 14.0.8117 14.0.8117 http://msgruser.dlservice.microsoft.com/download/A/6/1/A616CCD4-B0CA-4A3D-B975-3EDB38081B38/en/wlsetup-cvr.exe http://download.live.com/?sku=messenger
(21:13:57) msn: C: NS 000: USR 6 SSO I phee...@vif.com
(21:13:57) msn: S: NS 000: GCF 0 5664
(21:13:57) msn: Processing GCF command
(21:13:58) msn: S: NS 000: USR 6 SSO S MBI_KEY_OLD BCmuwXziwA3HcHv5nzwCQpIjbBng7YLhMUw937OrpcgxRD6ya+sVHIRRgU0/qOo5
(21:13:58) msn: Starting Windows Live ID authentication
(21:13:58) msn: Logging on phee...@vif.com, with policy 'MBI_KEY_OLD', nonce 'BCmuwXziwA3HcHv5nzwCQpIjbBng7YLhMUw937OrpcgxRD6ya+sVHIRRgU0/qOo5'
(21:13:58) dns: DNS query for 'login.live.com' queued
(21:13:58) dns: Successfully sent DNS request to child 4677
(21:13:58) dns: Got response for 'login.live.com'
(21:13:58) dnsquery: IP resolved for login.live.com
(21:13:58) proxy: Attempting connection to 65.54.186.19
(21:13:58) proxy: Connecting to login.live.com:443 with no proxy
(21:13:58) proxy: Connection in progress
(21:13:58) proxy: Connecting to login.live.com:443.
(21:13:58) proxy: Connected to login.live.com:443.
(21:13:59) nss: subject=CN=login.live.com,OU=Passport,O=Microsoft Corporation,OID.2.5.4.9=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,OID.2.5.4.15=Private Organization,OID.1.3.6.1.4.1.311.60.2.1.2=Washington,OID.1.3.6.1.4.1.311.60.2.1.3=US issuer=CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
(21:13:59) nss: subject=CN=VeriSign Class 3
Re: Pidgin MSN Non Functional. SSL Certificate Error ( Recurring too ! )
On 11/24/2010 09:19 PM, pheedme wrote: I don't have time to search forums for this bug, I know it's a known issue, but in the end if this doesn't get addressed, I'm migrating to something that works without me needing to Fuck with MSN SSL certificates every 20 Minutes Forward this message to someone, or don't. If this isn't fixed in less than a week, I will have no choice to migrate to Empathy or another Multi-Chat client Threats to switch to another IM client carry absolutely zero weight here. If you don't like Pidgin, you're free to use other software. We're not going to cry or lose sleep over it. We won't even be sorry or insulted. So Technically if all I have to do is the steps below, can this be scripted into the software, to acquire new certificates whenever required, or at least to verify it on connect? Updated to the Latest Version Tried Manually Getting New Certificate --- Fixes Issue ( Executed steps listed here ) Looked like an SSL error, which I confirmed with Goggles. I mean Googles. I mean Google. The popular solution presented by a Google search is incorrect and a security risk. The *correct* solution is to upgrade to Pidgin 2.7.7 and read http://developer.pidgin.im/wiki/MSNCertIssue for details. John
Re: Pidgin MSN Non Functional. SSL Certificate Error ( Recurring too ! )
pheedme wrote: I don't have time to search forums for this bug, I know it's a known It's not a bug, unless you believe that clairvoyance is an essential requirement for software developers. It was an unannounced change in the interface specification by Microsoft, an interface specification which I believe is not fully in the public domain, and which Microsoft would prefer not to be available to open source developers. Also, saying that you are not prepared to search for answers before asking is not a way to win friends amongst people who provide answers to such questions. Commercial organisations will accept such enquiries because you have paid to be able to make them. Most people providing free support in their own time, just see it as an abuse of their time. -- David Woolley Emails are not formal business letters, whatever businesses may want. RFC1855 says there should be an address here, but, in a world of spam, that is no longer good advice, as archive address hiding may not work.
Re: SSL Error MSN now AIM
On Mon, Nov 22, 2010 at 11:48:00AM -0500, Brooke Blanchard wrote: I updated to the 2.7.6 version to correct my MSN SSL error . MSN works now but now AIM is unable to log and says 'Unable to connect to authentication server: SSL Handshake Failed' Brooke Blanchard http://developer.pidgin.im/ticket/12948 -Etan
Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid
On Sunday, November 21, 2010 at 12:09:39PM -0500, Etan Reisner wrote: People don't understand certificates. At all. Which is why they were perfectly willing to download certificates for the omega server from any blog/host that happened to have them up. That page is hosted on the pidgin.im server, the pem files come from the pidgin source, those exact files will be in the next release of pidgin which people will implicitly trust when they upgrade, etc. Any text talking about verifying things is going to complicate and confuse the situation more than I think it could possibly help though I do appreciate the thinking that goes into requesting it. I'm open to adding a note to the bottom explaining the potential dangers with doing this sort of thing but anything more than that I think would be too much. I've right now compiled 2.7.6 on FreeBSD 8.x. It has two issues: 1) the MSN certificate issue; the certificate is not validated after the start of pidgin; it takes a while and it seems that if pidgin contacts some of the *.contacts server it works, while it does not for others; I could run it with --debug to get a list of the IP addrs... 2) to get NLS support (for example a Spanish GUI) I must run the ./configure as: $ CFLAGS='-I/usr/local/include' CPPFLAGS='-I/usr/local/include' ./configure --disable-nm --disable-tc and enable '#define ENABLE_NLS 1' in config.h by hand; this was already the case with 2.6.2 and easy to solve, because I saved the old mail :-) Thanks for your work in any case matthias -- Matthias Apitz t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211 e g...@unixarea.de - w http://www.unixarea.de/
Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid
On Monday, November 22, 2010 at 10:35:36AM +0100, Matthias Apitz wrote: I've right now compiled 2.7.6 on FreeBSD 8.x. It has two issues: 1) the MSN certificate issue; the certificate is not validated after the start of pidgin; it takes a while and it seems that if pidgin contacts some of the *.contacts server it works, while it does not for others; I could run it with --debug to get a list of the IP addrs...
and here is the data from the debug log: Pidgin resolves via DNS for omega.contacts.msn.com 5 times the IP addr 207.46.113.78 which has the following certificates:
(13:08:31) gnutls/x509: Key print: ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b
(13:08:31) gnutls/x509: Key print: 7e:8a:c2:9c:5a:32:8c:c2:71:a2:d9:4f:75:70:f7:a9:1b:f6:94:05
(13:08:31) gnutls/x509: Key print: 3d:29:1d:b8:ee:22:be:e1:33:70:06:f2:ef:c6:f9:db:dd:03:bb:25
Then it resolves to 207.46.118.183 which has other certificates:
(13:16:03) gnutls/x509: Key print: c8:f3:b1:69:52:36:07:33:b5:02:1b:a2:b2:b4:ce:32:b9:68:37:36
(13:16:03) gnutls/x509: Key print: 3a:dd:0e:7e:a2:b2:84:ff:45:9e:13:73:65:b4:82:d1:88:df:bf:8a
(13:16:03) gnutls/x509: Key print: e5:95:8d:48:fe:10:d7:34:03:11:e8:c0:3b:b2:29:40:da:ba:2d:a3
and it can verify with success:
(13:16:03) certificate: Successfully verified certificate for omega.contacts.msn.com
i.e. it depends on the server in question :-( HIH matthias -- Matthias Apitz t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211 e g...@unixarea.de - w http://www.unixarea.de/
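The per-server comparison done by hand in the message above can be automated over a debug log. The following is an added example, not part of the original post or of Pidgin: it assumes a GnuTLS build whose log interleaves the "proxy: Attempting connection to", "gnutls/x509: Key print:" and "certificate: Successfully verified" lines quoted in this thread, and it treats a chain with no success line as unverified. The sample log, its IP addresses and its key prints are constructed.

```shell
#!/bin/sh
# Added example: group the certificate chains seen in a Pidgin debug log by
# the backend IP that served them, and count how often each chain verified.

# Constructed sample (documentation IPs, shortened made-up key prints).
sample_log() {
cat <<'EOF'
(13:08:30) dnsquery: IP resolved for omega.contacts.msn.com
(13:08:30) proxy: Attempting connection to 192.0.2.10
(13:08:31) gnutls/x509: Key print: aa:01:02:03
(13:08:31) gnutls/x509: Key print: aa:04:05:06
(13:08:31) gnutls/x509: Key print: aa:07:08:09
(13:16:02) proxy: Attempting connection to 198.51.100.20
(13:16:03) gnutls/x509: Key print: bb:01:02:03
(13:16:03) gnutls/x509: Key print: bb:04:05:06
(13:16:03) gnutls/x509: Key print: bb:07:08:09
(13:16:03) certificate: Successfully verified certificate for omega.contacts.msn.com
(13:20:10) proxy: Attempting connection to 192.0.2.10
(13:20:11) gnutls/x509: Key print: aa:01:02:03
(13:20:11) gnutls/x509: Key print: aa:04:05:06
(13:20:11) gnutls/x509: Key print: aa:07:08:09
EOF
}

# Reads a debug log on stdin. Prints one line per (backend IP, chain):
#   <ip> verified=<successes>/<attempts> chain=<print>,<print>,...
chains_by_backend() {
    awk '
    # Close the connection attempt being collected and count it.
    function record_attempt() {
        if (ip != "" && cur != "") {
            key = ip " " cur
            if (!(key in tries)) order[++n] = key
            tries[key]++
            if (ok) good[key]++
        }
        cur = ""; ok = 0
    }
    / proxy: Attempting connection to /  { record_attempt(); ip = $NF; next }
    / gnutls\/x509: Key print: /         { cur = (cur == "" ? $NF : cur "," $NF); next }
    / certificate: Successfully verified certificate for / { ok = 1; next }
    END {
        record_attempt()
        for (i = 1; i <= n; i++) {
            key = order[i]
            split(key, part, " ")
            printf "%s verified=%d/%d chain=%s\n", part[1], good[key] + 0, tries[key], part[2]
        }
    }'
}

# Reads a debug log on stdin. Prints the backends whose chain never verified,
# i.e. the servers worth reporting as still presenting a stale chain.
failing_backends() {
    chains_by_backend | awk '$2 ~ /^verified=0\// { print $1 }' | sort -u
}

sample_log | chains_by_backend
```
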
SSL Error MSN now AIM
I updated to the 2.7.6 version to correct my MSN SSL error . MSN works now but now AIM is unable to log and says 'Unable to connect to authentication server: SSL Handshake Failed' Brooke Blanchard Estimating Assistant Farmer Irwin Corporation 3300 Avenue K Riviera Beach, FL 33404 Voice: (561) 842-5316 x 373 Fax: (561) 848-3786 http://www.fandicorp.com/ www.fandicorp.com please consider the environment before printing this email.
Pidgin SSL-certificate error
Hello, I have read the FAQ on the pidgin side, but I don't understand the instructions at all. My version of pidgin is giving an error that says exactly this: The certificate for omega.contacts.msn.com could not be validated. The certificate chain presented is invalid. I have not the faintest Idea what I should do about this. I tried restarting both pidgin and the computer, but neither of these things worked. I'm not about to mess with anything I don't know about, so I didn't try anything else. Is there anyone who can explain to me how I can solve this? Thanks in advance, Komiyan
Re: Pidgin SSL-certificate error
Carlijn Gerrits wrote: I have read the FAQ on the pidgin side, but I don't understand the instructions at all. Microsoft have messed up a security feature of the site. If you don't understand what you are doing, you should get someone you personally trust, and who is competent, to make the changes. The mechanism in question is about giving you a high level of certainty that you are dealing with the actual MSN server. You do not have that level of certainty that the information that you receive on this list or from the bug tracker is actually coming, unaltered, from those. You need to make an informed risk assessment before following any instructions. I have not the faintest Idea what I should do about this. I tried restarting both pidgin and the computer, but neither of these things worked. Restarting the computer is a sledge hammer approach, and generally will not work if the problem is a real problem introduced by a change made at either end, and in particular, in this case, one made at the remote end. The official client was probably updated, securely, in advance of this change, and, as Microsoft don't approve of the use of third party, open source, clients, they probably don't care that they have broken access from Pidgin. -- David Woolley Emails are not formal business letters, whatever businesses may want. RFC1855 says there should be an address here, but, in a world of spam, that is no longer good advice, as archive address hiding may not work.
Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid
On Sun, Nov 21, 2010 at 02:35:14PM +0100, Marvin Crazy Al Jansen wrote: Dear sir/madam, as you probably know, Pidgin on Maemo has been having difficulties with the MSN certificates, omega.contacts.msn.com in particular. I tried fixing this by searching on Google, but it did me no help. The two most useful sites were on maemo.org (http://talk.maemo.org/showthread.php?t=65926highlight=pidgin+certificate) and on tweakers.net (http://gathering.tweakers.net/forum/list_message/35061610#35061610) (Dutch). Basically, I'm stuck. According to these I would need to delete the omega.contacts.msn.com certificates and it would automatically redownload them, but this is not the case. Is there some way to fix this? Due to network issues (Yay netherlands!) the only working IM on N900 is Pidgin, and now I've lost that too. Is there a way to fix this? Kind regards, Marvin Jansen, The Netherlands I'm going to single you out because you are convenient not because you are different or worse than the other people. There have been any number of emails sent to this mailing list about this problem with a large number of responses containing the solutions. Please search before posting to avoid re-asking identical questions and requiring someone (like me) to decide whether taking the time to answer the question Yet Again is worth the time or whether leaving your email hang and hoping you find the other answers is an acceptable thing to do. To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue If you are a member of those forums please post there indicating that the directions to replace the omega certificate directly are incorrect and that the correct instructions are available at the link I just gave you. -Etan
Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid
Etan Reisner wrote: To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue As this is telling people to do something potentially dangerous, I think it should also tell them to check that the issuer and subject on each certificate is different, i.e. that they are not being fed a potentially bogus root certificate. It may be safe to fetch the intermediate certificates from an untrusted source, but only if they really are only intermediate ones. At least I think that is true, but it is possible that openssl will stop when it finds a locally trusted intermediate certificate, in which case they need to verify the certificate chain before installing them. I know that some browsers will accept a locally trusted leaf certificate, even though they don't trust the corresponding root. -- David Woolley Emails are not formal business letters, whatever businesses may want. RFC1855 says there should be an address here, but, in a world of spam, that is no longer good advice, as archive address hiding may not work.
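The issuer/subject check and the chain verification suggested in the message above can be scripted with the openssl command-line tool. This is an added example, not part of the original post and not a Pidgin tool: the function names are hypothetical, the first argument is assumed to be a PEM bundle of roots you already trust, and openssl may also consult its default system trust store.

```shell
#!/bin/sh
# Added example: vet downloaded "intermediate" PEM files before importing them.

# cert_role FILE -> prints root | intermediate | leaf
#   root:         subject == issuer (self-issued; importing it adds a trust anchor)
#   intermediate: issuer differs and basicConstraints says CA:TRUE
#   leaf:         issuer differs and the certificate is not a CA
cert_role() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 2
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null) || return 2
    # Strip the "subject=" / "issuer=" label (spacing differs between versions).
    subject=$(printf '%s\n' "$subject" | sed 's/^subject= *//')
    issuer=$(printf '%s\n' "$issuer" | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then
        echo root
    elif openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo intermediate
    else
        echo leaf
    fi
}

# vet_intermediates TRUSTED_ROOTS.pem CANDIDATE.pem...
# Accepts a candidate only if it is a true intermediate AND chains to a root
# in TRUSTED_ROOTS. Other candidates may complete the chain, but they are
# passed as -untrusted, so none of them can act as a trust anchor.
# Returns 0 only when every candidate is accepted.
vet_intermediates() {
    trusted=$1
    shift
    bundle=$(mktemp) || return 2
    cat "$@" > "$bundle"
    rc=0
    for f in "$@"; do
        role=$(cert_role "$f") || { echo "REJECT $f (not a readable certificate)"; rc=1; continue; }
        if [ "$role" != intermediate ]; then
            echo "REJECT $f (is a $role certificate, not an intermediate)"
            rc=1
        elif openssl verify -CAfile "$trusted" -untrusted "$bundle" "$f" >/dev/null 2>&1; then
            echo "OK $f"
        else
            echo "REJECT $f (does not chain to a trusted root)"
            rc=1
        fi
    done
    rm -f "$bundle"
    return $rc
}

# Usage: sh vet.sh trusted-roots.pem candidate1.pem [candidate2.pem ...]
if [ "$#" -ge 2 ]; then
    vet_intermediates "$@"
fi
```
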
Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid
On Sun, Nov 21, 2010 at 04:45:34PM +, David Woolley wrote: Etan Reisner wrote: To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue As this is telling people to do something potentially dangerous, I think it should also tell them to check that the issuer and subject on each certificate is different, i.e. that they are not being fed a potentially bogus root certificate. It may be safe to fetch the intermediate certificates from an untrusted source, but only if they really are only intermediate ones. At least I think that is true, but it is possible that openssl will stop when it finds a locally trusted intermediate certificate, in which case they need to verify the certificate chain before installing them. I know that some browsers will accept a locally trusted leaf certificate, even though they don't trust the corresponding root. People don't understand certificates. At all. Which is why they were perfectly willing to download certificates for the omega server from any blog/host that happened to have them up. That page is hosted on the pidgin.im server, the pem files come from the pidgin source, those exact files will be in the next release of pidgin which people will implicitly trust when they upgrade, etc. Any text talking about verifying things is going to complicate and confuse the situation more than I think it could possibly help though I do appreciate the thinking that goes into requesting it. I'm open to adding a note to the bottom explaining the potential dangers with doing this sort of thing but anything more than that I think would be too much. -Etan
SSL Certificate error
Hello, I have this error: http://postimage.org/image/23wkqij50/ during the Pidgin start. Why ? Regards, Emil Sekula
RE: SSL Certificate error
Emil Sekula wrote: I have this error: http://postimage.org/image/23wkqij50/ during the Pidgin start. Why ? I had running Pidgin with a MSN account the entire day. When I saw these mails I disabled the MSN account and after a few seconds I enabled it. It connected without errors. Then I closed Pidgin and started it again. Now it gave me the same error dialog. Using v2.7.5 on Windows XP. Regards, David