Re: SSL Certificate

2022-10-24 Thread David Woolley

On 24/10/2022 16:23, Sarah O. wrote:

> We had a pop stating that our SSL Certificate had expired. How do we go
> about fixing that?

This will be the certificate on the server, not anything that is under
pidgin's control.  Pidgin is an open source messaging client that can
work with many types of server, including some public services, so there
is no simple answer to your question.


Also certificates have to be signed by a trusted third party (e.g. 
Verisign, or LetsEncrypt, or even your own corporate one).  Details of 
the procedure will also depend on which is being used.  (If you are 
FurnaceFilterKing, the trusted third party for your public web site is 
DigiCert Inc.  However, your internal server might be using the old 
branding and might have a different certifier.)




> We need to add another account for an employee, how do we do that? Please
> Reply all when replying back to this email.


Again, this is something that needs to be done on the server, not on 
pidgin.  Once you have created the account, you can then configure the 
new employee's pidgin to access it.


Also note that there is no formal support organisation for Pidgin.  This 
mailing list is answered by users.


___
Support@pidgin.im mailing list
Want to unsubscribe?  Use this link:
https://lists.pidgin.im/listinfo/support

SSL Certificate

2022-10-24 Thread Sarah O.
Good morning,

We had a pop stating that our SSL Certificate had expired. How do we go
about fixing that?

We need to add another account for an employee, how do we do that? Please
Reply all when replying back to this email.

Thank you.

Sarah O.
Sales Support Specialist

GTA 416.FILTERS (345.8377)
Toll-Free 1.866.998.9909
https://envirofilters.com


Re: ssl connection fail

2022-03-19 Thread Gary Kramlich

On 3/15/22 22:17, Jack Sidebottom wrote:
> Lost contact during storms 3/14. Recovered about 22:00 CDT. Continued
> functioning until 3/15 @17:38 CDT

This all looks like pretty standard stuff for a service interruption
regardless of how it started.

> Debug window contents from log-in attempt:
>
> (22:13:33) *proxy:* Connecting to lightwitch.org:5222.
> (22:13:33) *proxy:* Error connecting to lightwitch.org:5222 (Connection timed out.).

This is usually caused by an internet connection not being fully ready.

> (22:13:35) *proxy:* Connecting to meaveen.lightwitch.org:443.
> (22:13:35) *proxy:* Error connecting to meaveen.lightwitch.org:443 (Connection refused.).
> (22:13:35) *proxy:* Connection attempt failed: Connection refused.

The remote server was not accepting connections.

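
An added example, not part of the original message and not Pidgin code: a small triage script for debug-window lines in the format quoted above. It separates failures at the TCP connect stage, where no TLS handshake or certificate was ever exchanged, from failures that happen later; the function names and stage labels are assumptions made for this illustration.

```python
import re

# Constructed sample: the debug-window lines quoted in this thread, keeping
# the mail-client line wrapping and the *bold* markers around the category.
SAMPLE_LOG = """\
(22:13:33) *proxy:* Connecting to lightwitch.org:5222.
(22:13:33) *proxy:* Error connecting to lightwitch.org:5222 (Connection
timed out.).
(22:13:35) *proxy:* Connecting to meaveen.lightwitch.org:443.
(22:13:35) *proxy:* Error connecting to meaveen.lightwitch.org:443
(Connection refused.).

(22:13:35) *proxy:* Connection attempt failed: Connection refused.
"""

TIMESTAMP_RE = re.compile(r"^\(\d{1,2}:\d{2}:\d{2}\)")
ENTRY_RE = re.compile(r"^\((\d{1,2}:\d{2}:\d{2})\)\s+([\w-]+):\s+(.*)$")
CONNECT_RE = re.compile(r"^Connecting to (\S+):(\d+)\.$")
ERROR_RE = re.compile(r"^Error connecting to (\S+):(\d+) \((.+?)\.\)\.$")

# Hypothetical labels; the wording follows the explanations given in the thread.
HINTS = {
    "timeout": "no answer: local link not ready, or traffic filtered on the way",
    "refused": "host reachable, but nothing accepted the connection on that port",
    "other": "connect failed for another reason; read the logged text",
    "no-error-logged": "no connect error logged for this endpoint",
}


def unwrap(text):
    """Re-join entries that a mail client wrapped onto a second line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line) or not entries:
            entries.append(line)          # a new timestamped entry
        else:
            entries[-1] += " " + line     # continuation of the previous one
    return entries


def parse(text):
    """Yield (time, category, message) for every well-formed entry."""
    for entry in unwrap(text):
        m = ENTRY_RE.match(entry.replace("*", ""))  # drop bold markers
        if m:
            yield m.group(1), m.group(2), m.group(3).strip()


def classify(reason):
    reason = reason.lower()
    if "timed out" in reason:
        return "timeout"
    if "refused" in reason:
        return "refused"
    return "other"


def triage(text):
    """Map each attempted host:port to an outcome and name the failing stage."""
    endpoints = {}  # dicts keep insertion order, so attempts stay in sequence
    for _time, category, msg in parse(text):
        if category != "proxy":
            continue
        m = CONNECT_RE.match(msg)
        if m:
            endpoints.setdefault(f"{m.group(1)}:{m.group(2)}", "no-error-logged")
            continue
        m = ERROR_RE.match(msg)
        if m:
            endpoints[f"{m.group(1)}:{m.group(2)}"] = classify(m.group(3))
    failed = [o for o in endpoints.values() if o != "no-error-logged"]
    if not endpoints:
        stage = "unknown"
    elif len(failed) == len(endpoints):
        # Every attempt died before a socket was open: no TLS handshake ran,
        # so certificate or TLS-version settings cannot be the cause.
        stage = "tcp"
    else:
        # At least one socket opened; look at the TLS/certificate lines next.
        stage = "after-tcp"
    return {"stage": stage, "endpoints": endpoints}


def report(text):
    result = triage(text)
    lines = [f"failing stage: {result['stage']}"]
    for endpoint, outcome in result["endpoints"].items():
        lines.append(f"  {endpoint}: {outcome} ({HINTS[outcome]})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A result of `tcp` means the "SSL connection failed" message is a symptom of a network-level problem, so relaxing the account's encryption requirement or accepting certificates would change nothing.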

Re: SSL Connection failed

2021-06-12 Thread Eion Robb
Hi again,

Looking at the logs it's showing that you're being blocked from the server

(11:31:41) proxy: Error connecting to lightwitch.org:5222 (Connection timed
out.).

I can access their server ok from here.

You might have tripped some kind of anti spam protection or something like
that. You'll need to get in contact with the lightwitch.org server admins
and see if they're blocking your ip?

Cheers,
Eion

On Sun, 13 Jun 2021, 04:39 Jack Sidebottom,  wrote:

> Attached latest debug after having done warm boot and cold boot. I have no
> idea how/where to find any info re: SSL or NSS/TLS errors other than this
> debug report. If you can tell me how to find those errors I will try.
> On 6/12/2021 03:55, Eion Robb wrote:
>
> Hi Jack,
>
> You might get more info out of the Help->Debug Window as you reconnect.
> (Although, when I try to connect to the lightwitch.org xmpp server from
> here, I'm getting a certificate for aria-net.org instead of lightwitch.org
> so not sure what's going on there.)
>
> If you're able to attach any SSL or NSS/TLS errors then we can have a look
> and try work out next steps (might be something that can be resolved by
> configuring the Tools->Plugins->NSS Preferences  plugin)
>
> Cheers,
> Eion
>
> On Sat, 12 Jun 2021 at 12:15, Jack Sidebottom  wrote:
>
>> Have attached debug log so you can see exactly what is happening.
>>
>> Win 7, 5 gig cable internet connection (on-line for several days now).
>> Closed screensaver and found Pidgin disconnected with
>> "eiskr...@lightwitch.org/home disconnected" and notice of new 2.14.5
>> version. Installed new version, tried to start Pidgin, get "SSL
>> Connection failed"
>>
>> What do I do now? Everything else is fully functional.

Re: SSL Connection failed

2021-06-12 Thread Eion Robb
Hi Jack,

You might get more info out of the Help->Debug Window as you reconnect.
(Although, when I try to connect to the lightwitch.org xmpp server from
here, I'm getting a certificate for aria-net.org instead of lightwitch.org
so not sure what's going on there.)

If you're able to attach any SSL or NSS/TLS errors then we can have a look
and try work out next steps (might be something that can be resolved by
configuring the Tools->Plugins->NSS Preferences  plugin)

Cheers,
Eion

On Sat, 12 Jun 2021 at 12:15, Jack Sidebottom  wrote:

> Have attached debug log so you can see exactly what is happening.
>
> Win 7, 5 gig cable internet connection (on-line for several days now).
> Closed screensaver and found Pidgin disconnected with
> "eiskr...@lightwitch.org/home disconnected" and notice of new 2.14.5
> version. Installed new version, tried to start Pidgin, get "SSL
> Connection failed"
>
> What do I do now? Everything else is fully functional.

SSL Connection failed

2021-06-11 Thread Jack Sidebottom

Have attached debug log so you can see exactly what is happening.

Win 7, 5 gig cable internet connection (on-line for several days now). 
Closed screensaver and found Pidgin disconnected with 
"eiskr...@lightwitch.org/home disconnected" and notice of new 2.14.5 
version. Installed new version, tried to start Pidgin, get "SSL 
Connection failed"


What do I do now? Everything else is fully functional.




Re: Hangouts ssl error

2020-10-29 Thread Rodney D. Myers
On 10/29/20 3:19 PM, Wade Smart wrote:
> Wouldn't that depend on the service you are using?
> --
> Registered Linux User: #480675
> Registered Linux Machine: #408606
> Linux since June 2005
>
> On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers wrote:
>> Has anyone else started getting;

XMPP, which was the default when I set it up.

using void linux, if that matters

-- 
Rodney D. Myers  - wg4usa

They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759


Hangouts ssl error

2020-10-29 Thread Rodney D. Myers
Has anyone else started getting;


SSL handshake failure?

-- 
Rodney D. Myers  - wg4usa

They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759

Re: Hangouts ssl error

2020-10-29 Thread Eion Robb
Hi Rodney,

Glad to hear that worked for you :)

Unfortunately it wasn't picked up by Mozilla until it was already released,
as they added in a 'compat mode' flag into Firefox that masked the problem
for them, but broke every other app that uses NSS.

If you're interested, you can read a bit more about the bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=1672703

Cheers,
Eion

On Fri, 30 Oct 2020 at 10:42, Rodney D. Myers 
wrote:

> That worked, once I found the plugin and enabled it
>
> Thank you
>
> On 10/29/20 5:35 PM, Eion Robb wrote:
> > There was a bug introduced in the most recent version of libnss that
> > prevents it talking to most servers with SSL. It's fixed in an
> > unreleased version of nss
> >
> > As a workaround (assuming this is the problem you're getting) you can
> > limit the max version of TLS in the Tools->Plugins->NSS Preferences
> > config screen to TLS 1.2
> >
> > Hopefully that helps resolve the issue, but if not please let us know
> > and we can start down the path of getting more debug details
> >
> > Cheers,
> > Eion
> >
> > On Fri, 30 Oct 2020, 09:09 Rodney D. Myers <rodneymyer...@yahoo.com> wrote:
> >
> > On 10/29/20 3:19 PM, Wade Smart wrote:
> > > Wouldn't that depend on the service you are using?
> > > --
> > > Registered Linux User: #480675
> > > Registered Linux Machine: #408606
> > > Linux since June 2005
> > >
> > > On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers <rodneymyer...@yahoo.com> wrote:
> > >> Has anyone else started getting;
> >
> > XMPP, which was the default when I set it up.
> >
> > using void linux, if that matters
> >
> > --
> > Rodney D. Myers <wg4...@arrl.net> - wg4usa
> >
> > They that can give up essential liberty to obtain a
> > little temporary safety deserve neither liberty nor safety.
> > Ben Franklin - 1759
> >
> >
>
>
> --
> Rodney D. Myers  - wg4usa
>
> They that can give up essential liberty to obtain a
> little temporary safety deserve neither liberty nor safety.
> Ben Franklin - 1759
>
>

Re: Hangouts ssl error

2020-10-29 Thread Eion Robb
There was a bug introduced in the most recent version of libnss that
prevents it talking to most servers with SSL. It's fixed in an unreleased
version of nss

As a workaround (assuming this is the problem you're getting) you can limit
the max version of TLS in the Tools->Plugins->NSS Preferences config screen
to TLS 1.2

Hopefully that helps resolve the issue, but if not please let us know and
we can start down the path of getting more debug details

Cheers,
Eion

On Fri, 30 Oct 2020, 09:09 Rodney D. Myers,  wrote:

> On 10/29/20 3:19 PM, Wade Smart wrote:
> > Wouldn't that depend on the service you are using?
> > --
> > Registered Linux User: #480675
> > Registered Linux Machine: #408606
> > Linux since June 2005
> >
> > On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers wrote:
> >> Has anyone else started getting;
>
> XMPP, which was the default when I set it up.
>
> using void linux, if that matters
>
> --
> Rodney D. Myers  - wg4usa
>
> They that can give up essential liberty to obtain a
> little temporary safety deserve neither liberty nor safety.
> Ben Franklin - 1759
>

Re: Hangouts ssl error

2020-10-29 Thread Wade Smart
Wouldn't that depend on the service you are using?
-- 
Registered Linux User: #480675
Registered Linux Machine: #408606
Linux since June 2005

On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers  wrote:
>
> Has anyone else started getting;
>
>
> SSL handshake failure?
>
> --
> Rodney D. Myers  - wg4usa
>
> They that can give up essential liberty to obtain a
> little temporary safety deserve neither liberty nor safety.
> Ben Franklin - 1759

Re: Urgent - SSL Connection Failed

2019-03-18 Thread Eion Robb
Hi Deepshikha,

Oracle users need to contact their Tech Support people.  We as Pidgin
developers can't do anything about your server.

Regards,
Eion

On Mon, 18 Mar 2019 at 18:08, Deepshikha Goel 
wrote:

> Hi All
>
> I need urgent help in pidgin, not able to connect.
>
> getting error : SSL Connection Failed
>
> Thanks
> Deepshikha
>

Urgent - SSL Connection Failed

2019-03-17 Thread Deepshikha Goel

Hi All

I need urgent help in pidgin, not able to connect.

getting error : SSL Connection Failed

Thanks
Deepshikha


Urgent :: SSL Connection Failed

2019-03-17 Thread Deepshikha Goel

Hi All

Need urgent help, not able to connect pidgin.
Getting error: SSL Connection Failed

Thanks
Deepshikha


Re: Problem with ssl handshake

2018-06-04 Thread Shlomi Fish
On Mon, 4 Jun 2018 12:12:28 +0100 (BST)
Dimitar Slavov  wrote:

> Hello,
> 
> I was using pidgin for a long time in an office environment but ever since
> I've updated one of the office PCs to fedora 28 Pidgin started having the
> error SSL Handshake Failed. I have another PC that is still using fedora 27
> and I am not getting that error there. The configuration is exactly the same
> as i am using FreeIPA and it is set up to distribute the home directory of
> the users along all the office PCs. Can you please suggest a solution? 
> 

Hi,

please see https://developer.pidgin.im/wiki/TipsForBugReports ; also - which
protocol/service?

> Kind Regards
> Dimitar Slavov
> 


-- 
-
Shlomi Fish   http://www.shlomifish.org/
Apple Inc. is Evil - http://www.shlomifish.org/open-source/anti/apple/

I come to bury Caesar, not to praise him.
— https://en.wikiquote.org/wiki/Julius_Caesar_%28play%29

Please reply to list if it's a mailing list post - http://shlom.in/reply .


Problem with ssl handshake

2018-06-04 Thread Dimitar Slavov
Hello,

I was using pidgin for a long time in an office environment but ever since I've 
updated one of the office PCs to fedora 28 Pidgin started having the error SSL 
Handshake Failed.
I have another PC that is still using fedora 27 and I am not getting that error 
there. The configuration is exactly the same as i am using FreeIPA and it is 
set up to distribute the home directory of the users along all the office PCs.
Can you please suggest a solution? 

Kind Regards
Dimitar Slavov


REG:pidgin SSL certificate expired issue

2018-02-20 Thread muth...@egrovesystems.com
Hi,
I have found one new issue. When I restart openfire in server, Pidgin webconsole
starting new setup again and password is not working.

--
Regards
Nallamuthu M
System Admin
eGrove Systems Corporation
Ph.No:7845436411
Email:muth...@egrovesystems.com
website:www.egrovesys.com

 

Re: REG:pidgin SSL certificate expired issue

2018-02-20 Thread Eion Robb
Hi Nallamuthu,

Can you send a screenshot of what you mean?  Could be a few different
certificates you might be talking about.

Cheers,
Eion

On 20 February 2018 at 23:02, muth...@egrovesystems.com <
muth...@egrovesystems.com> wrote:

> Hi Team,
> We have issue on pidgin SSL certificate expired. It is showing ssl
> certificate expired and check your date and time. Kindly help us
>
>
> --
> Regards
> Nallamuthu M
> System Admin
> eGrove Systems Corporation
> Ph.No:7845436411
> Email:muth...@egrovesystems.com
> website:www.egrovesys.com
>
>

REG:pidgin SSL certificate expired issue

2018-02-20 Thread muth...@egrovesystems.com
Hi Team,
We have issue on pidgin SSL certificate expired. It is showing ssl certificate
expired and check your date and time. Kindly help us


--
Regards
Nallamuthu M
System Admin
eGrove Systems Corporation
Ph.No:7845436411
Email:muth...@egrovesystems.com
website:www.egrovesys.com

 

Re: how to change account info and connect through TLS/SSL

2017-12-26 Thread Eion Robb
Hi there,

The advanced tab is how you change connection settings, yes.  The "Require
Encryption" option is indeed SSL/TLS, and the account will disconnect if it
can't negotiate a secure SSL/TLS connection with the server.

Cheers,
Eion

On 26 December 2017 at 14:56, jerry <jerr...@disroot.org> wrote:

> in accounts > manage accounts > selecting account and modify > advanced tab
>
> in connection security it's on "require encryption"
>
> is that the same as TLS/SSL or something secure or something like this?
>

how to change account info and connect through TLS/SSL

2017-12-25 Thread jerry
in accounts > manage accounts > selecting account and modify > advanced tab

in connection security it's on "require encryption"

is that the same as TLS/SSL or something secure or something like this?


Getting crashes in ssl-nss.dll

2017-10-10 Thread pidgin

Very sporadic, but twice today (while chatting on XMPP)

Windows Version 6.2 Build 9200

C:\Program Files (x86)\Pidgin\pidgin.exe caused an Access Violation at location 
5bc321d2 in module C:\Program Files (x86)\Pidgin\plugins\ssl-nss.dll Reading 
from location 0004.

Registers:
eax= ebx= ecx=0001 edx=027f9d48 esi= edi=5c3e2b04
eip=5bc321d2 esp=0061ece0 ebp=0061edd8 iopl=0 nv up ei pl zr na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00210246

Call stack:
5BC321D2 C:\Program Files (x86)\Pidgin\plugins\ssl-nss.dll
 C:\Program Files (x86)\Pidgin\pidgin.dll [2.12.0.0]
5C4AFA48 C:\Program Files (x86)\Pidgin\pidgin.dll  pidgin_docklet_uninit
 C:\Program Files (x86)\Pidgin\Gtk\bin\libglib-2.0-0.dll [2.28.8.0]
685EB90D C:\Program Files (x86)\Pidgin\Gtk\bin\libglib-2.0-0.dll  
g_main_context_dispatch
685EBD9D C:\Program Files (x86)\Pidgin\Gtk\bin\libglib-2.0-0.dll  
g_main_loop_run
 C:\Program Files (x86)\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll [2.16.6.0]
61854260 C:\Program Files (x86)\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll  gtk_main



Re: SSL certificate error - Unable to validate certificate

2017-05-23 Thread Frank Bratman
I have reinstalled pidgin and it has seemed to stop. Thank you and I 
will let you know if it continues.


THX


On 5/23/2017 3:31 PM, David Woolley wrote:
> On 23/05/17 23:12, Frank Bratman wrote:
>> Can you please help me. I have used this app for years and now a
>> problem. I have accepted it many times.
>
> It looks to me as though you have failed to keep your root
> certificates up to date (quite possibly an OS level thing) and gmail
> has started using newer one.  Using View Certificate may give a better
> clue.





Re: SSL certificate error - Unable to validate certificate

2017-05-23 Thread David Woolley

On 23/05/17 23:12, Frank Bratman wrote:
> Can you please help me. I have used this app for years and now a
> problem. I have accepted it many times.


It looks to me as though you have failed to keep your root certificates 
up to date (quite possibly an OS level thing) and gmail has started 
using newer one.  Using View Certificate may give a better clue.



Re: SSL certificate error - Unable to validate certificate

2017-05-23 Thread Eion Robb
Hi Frank,

What version of Pidgin are you using?  On what operating system?

Cheers,
Eion

On 24 May 2017 at 10:12, Frank Bratman  wrote:

> Can you please help me. I have used this app for years and now a problem.
> I have accepted it many times.
>
> Frank
>

SSL certificate error - Unable to validate certificate

2017-05-23 Thread Frank Bratman
Can you please help me. I have used this app for years and now a 
problem. I have accepted it many times.


Frank

Re: SSL connection failed message

2016-11-29 Thread Eion Robb
Hi Anne,

Just wanted to check, are you the same person that messaged in IRC as well
as leaving a support ticket in trac?
https://developer.pidgin.im/ticket/17126#comment:1

Cheers,
Eion

On 30 November 2016 at 13:07, Anne Hutchinson 
wrote:

> Hello,
>
> Can anyone help me with this issue? I have tried everything I could think
> of.
>
>
> Thanks.
>

SSL connection failed message

2016-11-29 Thread Anne Hutchinson
Hello,

Can anyone help me with this issue? I have tried everything I could think
of.


Thanks.

Re: How to get pidgin working on a server with no SSL cert

2016-06-25 Thread Eion Robb
Hi Dan,

I've just tried to connect to that XMPP server and I get a 'verify
certificate' popup once, for the self-signed certificate running on it.
Once you accept the certificate you shouldn't be bothered by it again, and
it'll show up in Tools->Certificates.

A website certificate can be different to an XMPP certificate, so trying to
extract the cert from the website won't get you far.

You can also point your server admin at services such as "Lets Encrypt" or
"Start Encrypt" which offer free, automated certificate systems.

Cheers,
Eion

On 26 June 2016 at 03:11, dan bowser <bowsercomma...@gmail.com> wrote:

> Hello,
>
> I'm trying to get Pidgin to work with a jabber server run by mordus
> angels, it's an eve online group. After I tried a few solutions offered by
> google, which involved manually retrieving the SSL cert via Firefox or
> console command, I spoke with the server admin and confirmed that the host,
> http://mordusangels.net/, doesn't have an SSL certificate. Since he was
> pretty firm about being too lazy to get an SSL certificate I'd like to know
> if there's a way to just ignore the certification all together?
>
> Regards,
> Dan
>

How to get pidgin working on a server with no SSL cert

2016-06-25 Thread dan bowser
Hello,

I'm trying to get Pidgin to work with a jabber server run by mordus angels,
it's an eve online group. After I tried a few solutions offered by google,
which involved manually retrieving the SSL cert via Firefox or console
command, I spoke with the server admin and confirmed that the host,
http://mordusangels.net/, doesn't have an SSL certificate. Since he was
pretty firm about being too lazy to get an SSL certificate I'd like to know
if there's a way to just ignore the certification all together?

Regards,
Dan

Re: Pidgin: SSL Handshake Failed

2015-07-22 Thread Michael McConville
On Wed, Jul 22, 2015 at 05:27:13PM +, Daniel Maher wrote:
> I've recently downloaded Tails 1.4.1, and whenever I try to connect to
> the Tails chat 'c3...@irc.oftc.net' I get the message SSL Handshake
> Failed, or ERROR: Closing Link (No more connections permitted from
> your host).
>
> I would really appreciate any help at all.

This has been happening to me, too. I suspect that OFTC was getting
flooding or DDoS attacks through Tor and had to block or throttle the
number of Tor connections allowed. It's been that way for at least a few
weeks. I haven't bothered to look into it, but I bet you can find some
disgruntled people on the Tor mailing lists.


Re: Pidgin: SSL Handshake Failed

2015-07-22 Thread Kevin Kretz
I started getting that same error on some of my linux desktops a few days ago.  
I tracked it down to a mozilla-nss update that seems to have broken pidgin SSL 
connections to OpenFire XMPP server.

We're using pidgin-2.10.10 but recompiling 2.10.11 from source still has the 
problem.  Forcing pidgin to use gnutls library instead is a workaround. 

- Original Message -
From: Daniel Maher daniel.gwyn.ma...@gmail.com
To: support@pidgin.im
Sent: Wednesday, July 22, 2015 1:27:13 PM
Subject: Pidgin: SSL Handshake Failed

Hi, 

I've recently downloaded Tails 1.4.1, and whenever I try to connect to the 
Tails chat ' c3...@irc.oftc.net ' I get the message SSL Handshake Failed, or 
ERROR: Closing Link (No more connections permitted from your host). 

I would really appreciate any help at all. 


Pidgin: SSL Handshake Failed

2015-07-22 Thread Daniel Maher
Hi,

I've recently downloaded Tails 1.4.1, and whenever I try to connect to the
Tails chat 'c3...@irc.oftc.net' I get the message SSL Handshake Failed, or
ERROR: Closing Link (No more connections permitted from your host).

I would really appreciate any help at all.

getting SSL handshake failed

2015-05-08 Thread Joyce Hall
hi, trying to login with google talk, getting a SSL  handshake failed
error. how do i fix that? thank you.

Re: SSL Error

2015-01-01 Thread Pablo Diaz
Hi Gentlemen,

Just checking to see what else I should try doing. 



On Monday, November 17, 2014 8:23 AM, Pablo Diaz pa...@yahoo.com wrote:
 


Hi Mark,

I did have this setting enabled and tried toggling it but no luck.


Sent from my Verizon Wireless 4G LTE smartphone
-------- Original message --------
From: Mark Doliner m...@kingant.net
Date: 11/16/2014  3:26 PM  (GMT-08:00)
To: Wade Smart wadesm...@gmail.com
Cc: Pablo Diaz pa...@yahoo.com, support@pidgin.im
Subject: Re: SSL Error

On Mon, Nov 10, 2014 at 11:28 AM, Wade Smart wadesm...@gmail.com wrote:
> Change your setting to, use encryption if available

Note that this could allow a man-in-the-middle to eavesdrop on
anything you send and receive using the account. Where
man-in-the-middle could be the operator of whatever local network
you're using (coffee shop wifi, etc), your ISP, the government, etc.


Re: SSL Error

2014-11-16 Thread Mark Doliner
On Mon, Nov 10, 2014 at 11:28 AM, Wade Smart wadesm...@gmail.com wrote:
 Change your setting to, use encryption if available

Note that this could allow a man-in-the-middle to eavesdrop on
anything you send and receive using the account. Where
man-in-the-middle could be the operator of whatever local network
you're using (coffee shop wifi, etc), your ISP, the government, etc.



Re: SSL Error

2014-11-10 Thread Wade Smart
Change your setting to, use encryption if available and your port should
still be 5222.
--
Registered Linux User: #480675
Registered Linux Machine: #408606
Linux since June 2005


On Mon, Nov 10, 2014 at 11:02 AM, Pablo Diaz pa...@yahoo.com wrote:
 I keep having an issue trying to connect to my FB account.  I've tried all
 possible from what I have found in forums but it doesn't seem to work.

 I have the SSL error.

 Not sure what else to do.  If there is anything else I can try I would
 really appreciate it.






RE: SSL Certificate Error

2014-02-17 Thread Tomas Sidenfaden
Hi Ethan,

I'm not sure it did. This is a Dell from work. I had it working on my prior
computer, but it does not seem to work on this one. My company does have a
firewall, though I'm confused why I could access AIM on my older machine.
Please let me know what you recommend?

My friend suggested the following, but I can't seem to access that link and I
don't know the destination path on my computer. Please advise:

People experiencing the AIM certificate problem can save this file to Pidgin's
ca-certs directory:
https://hg.pidgin.im/pidgin/main/raw-file/4e027bce3693/share/ca-certs/Entrust.net_2048.pem

For me that's /usr/share/purple/ca-certs/

-----Original Message-----
From: Ethan Blanton [mailto:e...@pidgin.im]
Sent: Friday, February 14, 2014 4:04 PM
To: Tomas Sidenfaden
Cc: Mark Doliner; support@pidgin.im
Subject: Re: SSL Certificate Error



Tomas Sidenfaden spake unto us the following wisdom:
 Thanks for getting back to me. The first error is Server closed the
 connection quickly followed by Received Invalid data on connection
 with server. I am trying to log into my AOL messenger account through
 Pidgin.

 Does that help?



Yeah, it does.  That's not an SSL certificate error.  You probably have a 
firewall between you and the AIM servers that's causing a problem.  Has it ever 
worked on this computer?  If so, what changed when it stopped working?



Ethan

Re: SSL Certificate Error

2014-02-17 Thread Ethan Blanton
Tomas Sidenfaden spake unto us the following wisdom:
 I'm not sure it did. This is a Dell from work. I had it working on my
 prior computer, but it does not seem to work on this one. My company
 does have a firewall, though I'm confused why I could access AIM on my

I don't know.  I don't know how to check from Windows, either.
Someone else might.

 My friend suggested the following, but I can't seem to access that
 link and I don't know the destination path on my computer. Please
 advise:

This isn't the certificate problem, so that won't help.

Ethan



SSL Certificate Error

2014-02-14 Thread Tomas Sidenfaden
Hi.

I updated to 2.10.9 but I am still getting the SSL certificate error. What can 
I do?

Tomás Sidenfaden
Product Manager
Guitar Center, Inc.

Phone: (818) 735-8800 x2033
Cell: (323) 363-4633
Fax: (818) 735-8883
tsidenfa...@guitarcenter.com


Re: SSL Certificate Error

2014-02-14 Thread Mark Doliner
On Fri, Feb 14, 2014 at 11:00 AM, Tomas Sidenfaden
tsidenfa...@guitarcenter.com wrote:
 I updated to 2.10.9 but I am still getting the SSL certificate error. What
 can I do?

Hi Tomas. Can you please be more specific? What protocol account is
triggering the error? What does the error say, exactly?



RE: SSL Certificate Error

2014-02-14 Thread Tomas Sidenfaden
Hi Mark!

Thanks for getting back to me. The first error is Server closed the 
connection quickly followed by Received Invalid data on connection with 
server. I am trying to log into my AOL messenger account through Pidgin.

Does that help?

-----Original Message-----
From: Mark Doliner [mailto:m...@kingant.net] 
Sent: Friday, February 14, 2014 12:43 PM
To: Tomas Sidenfaden
Cc: support@pidgin.im
Subject: Re: SSL Certificate Error

On Fri, Feb 14, 2014 at 11:00 AM, Tomas Sidenfaden 
tsidenfa...@guitarcenter.com wrote:
 I updated to 2.10.9 but I am still getting the SSL certificate error. 
 What can I do?

Hi Tomas. Can you please be more specific? What protocol account is triggering 
the error? What does the error say, exactly?


Re: SSL Certificate Error

2014-02-14 Thread Ethan Blanton
Tomas Sidenfaden spake unto us the following wisdom:
 Thanks for getting back to me. The first error is Server closed the
 connection quickly followed by Received Invalid data on connection
 with server. I am trying to log into my AOL messenger account through
 Pidgin.
 
 Does that help?

Yeah, it does.  That's not an SSL certificate error.  You probably
have a firewall between you and the AIM servers that's causing a
problem.  Has it ever worked on this computer?  If so, what changed
when it stopped working?

Ethan



Re: SSL security concern

2013-10-15 Thread David Woolley

On 14/10/13 22:39, Ethan Blanton wrote:


Oh, OTR.  This is a problem for the OTR plugin.  We started


I'm afraid I failed to spot that this was on OTR one, rather than a 
corporate lock down one.  (They often have rather conflicting aims.**)


 * Secure all communications, untrusted local storage
 * Secure all communications, trusted local storage


I'm afraid you will need better descriptions.  My first thought was that 
the average user wouldn't make the connection between trusted local 
storage and logs.  On further thought, if you don't actually trust local 
storage, you can't trust the certificates, or the program code.




My pushback on this is that the complexity of implementation is pretty
high, and I don't really think the benefit is that large.  I wouldn't
implement it, but if somebody handed it to me and it was good, I would
probably take it.


Of course, being open source, the OP can always fork their own version 
of the code, remembering to change the branding and the embedded support 
address.


** E.g. corporate IT departments usually want to ensure that 
conversations are logged but in a way that doesn't allow the employee to 
manipulate them.




Re: SSL security concern

2013-10-15 Thread Brian Morrison
On Tue, 15 Oct 2013 10:34:11 +0100
Ralf Skyper Kaiser wrote:

 1. OTR: encrypt messages by default (private messaging).
 - Out of scope. Can only be fixed within the OTR plugin (developers
 disappeared).

I don't think the OTR developers have disappeared, only that they
haven't been on this list. They're on the cypherpunks list, or at least
they were roughly 10 days ago.

-- 

Brian Morrison



Re: SSL security concern

2013-10-14 Thread Ralf Skyper Kaiser
David,

can you clarify this quote from you please:

That goes against the general philosophy of open source clients. The user
should be assumed to be responsible.

Are you saying that users who use open source clients are assumed to be
responsible? (and because of that pidgin should have a lousy SSL security
implementation - because the user knows what he is doing)?

regards,

skyper



On Sun, Sep 22, 2013 at 11:39 PM, David Woolley
for...@david-woolley.me.uk wrote:

 On 22/09/13 21:26, skyper wrote:


 1. Which ROOT CA storage does pidgin use to authenticate a server side
 SSL certificate?


 See ./configure --help.  At a quick scan, it looks like it uses its own
 set of root certificates by default.  The default will depend on the OS, at
 least to some extent.  On Debian, it looks like the default is
 /usr/share/purple/ca-certs.

 If you didn't compile it yourself, the choices made by the packager may
 differ from the build system defaults.



 2. How can I configure pidgin to use one (and just one; exclusive) ROOT
 CA storage (or single certificate) and ignore all other system-wide root
 certs without having to recompile the source?


 On that reading.  If it has been compiled to use its own certificates,
 delete the other certificates.  Again, on the above reading, this will be a
 global change for all libpurple clients. If it has been compiled to use a
 system directory, your caveat cannot be met.



 3. How can I harden pidgin to fail connecting to the jabber server if
 SSL trust can not be established? I do not want to see any warning that
 the SSL cert can not be authenticated or the user being asked if he
 trusts the certificate manually.


 That goes against the general philosophy of open source clients, that the
 user should be assumed to be responsible.  My guess is that this not only
 requires recompiling, but also requires source code changes.

 Please note I'm not an expert on this.  I'm just going on a very quick
 scan of the configure script, and the general design philosophy of open
 source client software.



Re: SSL security concern

2013-10-14 Thread Ethan Blanton
Ralf Skyper Kaiser spake unto us the following wisdom:
 can you clarify this quote from you please:
 
 That goes against the general philosophy of open source clients. The user
 should be assumed to be responsible.
 
 Are you saying that users who use open source clients are assumed to be
 responsible? (and because of that pidgin should have a lousy SSL security
 implementation - because the user knows what he is doing)?

Note that David is not a Pidgin developer, and this opinion is his
own.  It is either a common attitude for Open Source software or a
common misconception regarding open source software, depending on your
perspective.  I view it as the latter.  There's no philosophy of
open source that says it has to suck in case the user wants it to.

That said, in this particular instance, we do not have a
straightforward option for accomplishing what you're asking for, and I
doubt we will soon provide one.  It is unfortunately quite common for
users to *need* to accept certificates with untrusted chains,
mismatched domains, expired signatures, etc.  We do not currently
provide an option for default disposition (either to confirm or
reject) of such a situation, we require the user to handle it
manually.

Ethan



Re: SSL security concern

2013-10-14 Thread Ralf Skyper Kaiser
Hi Ethan,

thanks for your comments. I've summarized some SSL/TLS Security concerns:

https://thc.org/ssl

and also created a video for those who are non-technical:

http://youtu.be/F3BMA3IuvYs

I made a list of features under section 6.4 that would make pidgin secure.
In summary:

For Jitsi/Pidgin/Jabber this would mean:

   1. Do not allow non-private chats
   2. Do not allow clear-text (non-SSL) connections
   3. Accept self-signed certificates but once accepted/stored do not allow
   certificate to change (even if new certificate is a Verisign signed
   certificate).
   4. Feature to select CAfile storage location
   5. Force client to disable logging
   6. Inform server that user is using lockdown (so that server can reject
   all clients which do not).
   7. Once lockdown option is enabled the user should not be able to change
   any of the above options until lockdown is disabled again (e.g. gray out
   the option). Disconnect when lockdown option changes and reconnect to all
   servers.


The BIGGEST BANG FOR THE BUCK would be 4.: Allow the user to specify a
different (and exclusive) CA location.

It is not a big change and would open up Pidgin to a much larger user base.

regards,

Ralf






On Mon, Oct 14, 2013 at 3:47 PM, Ethan Blanton e...@pidgin.im wrote:

 Ralf Skyper Kaiser spake unto us the following wisdom:
  can you clarify this quote from you please:
 
  That goes against the general philosophy of open source clients. The user
  should be assumed to be responsible.
 
  Are you saying that users who use open source clients are assumed to be
  responsible? (and because of that pidgin should have a lousy SSL security
  implementation - because the user knows what he is doing)?

 Note that David is not a Pidgin developer, and this opinion is his
 own.  It is either a common attitude for Open Source software or a
 common misconception regarding open source software, depending on your
 perspective.  I view it as the latter.  There's no philosophy of
 open source that says it has to suck in case the user wants it to.

 That said, in this particular instance, we do not have a
 straightforward option for accomplishing what you're asking for, and I
 doubt we will soon provide one.  It is unfortunately quite common for
 users to *need* to accept certificates with untrusted chains,
 mismatched domains, expired signatures, etc.  We do not currently
 provide an option for default disposition (either to confirm or
 reject) of such a situation, we require the user to handle it
 manually.

 Ethan


Re: SSL security concern

2013-10-14 Thread David Woolley

On 14/10/13 15:39, Ralf Skyper Kaiser wrote:


can you clarify this quote from you please:

That goes against the general philosophy of open source clients. The
user should be assumed to be responsible.

Are you saying that users who use open source clients are assumed to be
responsible? (and because of that pidgin should have a lousy SSL
security implementation - because the user knows what he is doing)?


Enforcing local management policy tends to be a low priority in open 
source software.  In the case of certificates, as long as the user is 
told that there is a problem with the certificate, it is generally 
assumed that any choice to ignore the warning is an informed decision. 
Freedom tends to include the freedom to ignore warnings.


Windows, although far from open source, tends to take a similar position 
by default, but does provide features like group policies to allow a 
management lock down. Windows SSL security implementation is also lousy, 
in your terms, because:


- most people who use it think that an https URL is all that is needed 
for security and have no understanding of the need for authentication;


- it enables all sorts of weird CAs with low authentication thresholds, 
along with the class 3 certificates - any one of which will let you in 
without a warning.


Incidentally, I don't know any easy way of giving standard Windows 
applications selective access to root certificates, without giving all 
applications the same restriction.


As a specific example of an area where Pidgin doesn't comply with 
management lock down wants is that every few months people ask how to 
disable all but one service, to which the standard answer, is you can 
disable protocols by removing the plugins, but the end user can just 
re-install them, so the correct solution is block at the firewall.  Of 
course, many people asking for this would want Facebook and Google 
blocked, but are using private XMPP servers, so share a common protocol.


As Ethan says, I'm not a Pidgin developer (my programming work with open 
source is in a different area), but I don't notice much support for 
management lock downs anywhere in Pidgin.





Re: SSL security concern

2013-10-14 Thread David Woolley



The BIGGEST BANG FOR THE BUCK would be 4.: Allow the user to specify a
different (and exclusive) CA location.



As noted in my original reply, that already exists if you build from 
source - the decision is a compile time one.  If you use a package, the 
packager will generally select the option that makes the software 
easiest to use and maintain out of the box, which means that, if the OS 
supports a compatible certificate store mechanism, the packager will 
select that, so that it will work out of the box, and certificates will 
get updated as part of the OS update process.


If there isn't such a mechanism, it will install Pidgin's standard set 
of certificates in a directory private to libpurple, so that the user 
doesn't have to hunt down certificates before they use it.


At least from a quick glance, you can tell it to use a system 
certificate store, when you build it, but point that at a directory that 
you populate with certificates, rather than the standard OS certificate 
store.




Re: SSL security concern

2013-10-14 Thread Ethan Blanton
Ralf Skyper Kaiser spake unto us the following wisdom:
 I made a list of features under section 6.4 that would make pidgin secure.
 In summary:

So ... we already implement a large portion of this list, either
explicitly or implicitly.  To wit:

 For Jitsi/Pidgin/Jabber this would mean:
 
 1. Do not allow non-private chats

I don't know what this means.

 2. Do not allow clear-text (non-SSL) connections

This is already available, as a per-account option.  A global option
could be added, but that is not substantially more user-friendly or
secure in any practical sense.

 3. Accept self-signed certificates but once accepted/stored do not allow
 certificate to change (even if new certificate is a Verisign signed
 certificate).

This is not something we currently support, but I generally think it's
a good idea across the board.  I doubt we will implement it any time
soon, but I am pretty sure we would accept a well-written patch that
notified of certificate changes.

 4. Feature to select CAfile storage location

This is already provided, as a compile-time option.

 5. Force client to disable logging

This is not an option, but can easily be achieved by marking
~/.purple/logs unwriteable by the user.

 6. Inform server that user is using lockdown (so that server can reject
 all clients which do not).

This is not useful, as a client can readily lie.

 7. Once lockdown option is enabled the user should not be able to change
 any of the above options until lockdown is disabled again (e.g. gray out
 the option). Disconnect when lockdown option changes and reconnect to all
 servers.

I don't see what this buys.  We're unlikely to implement it.

 
 The BIGGEST BANG FOR THE BUCK would be 4.: Allow the user to specify a
 different (and exclusive) CA location.

Again, we already support this, so I guess our buck is already bangin'.

 It is not a big change and would open up Pidgin to a much larger user base.

This is a disingenuous and misplaced statement.  I assume you're
trying to bribe egos.  However, a) Pidgin is already used by many
millions of users, b) the much larger user base is a small fraction
of those millions consisting of (for example) certain financial
companies, a small number of privacy-concerned tech-savvy individuals,
etc., and c) we don't care how many people use Pidgin, anyway.  If you
can convince us something is a good idea, we'll either do it or accept
a patch for it.  If you can't, we don't care if the Pope, the Dalai
Lama, and Captain Reynolds got together and asked for it.

Ethan


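Item 3 in the message above (accept a certificate on first use, then refuse any later change, even to a CA-signed certificate) is trust-on-first-use pinning. The following sketch of that check is an added example, not Pidgin or libpurple code; the `PinStore` class, the JSON pin-file layout, the host name and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import socket
import ssl
import tempfile

FIRST_USE, MATCH, CHANGED = "first-use", "match", "changed"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the server's leaf certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_der(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate from a direct-TLS port (assumption: no STARTTLS).

    Chain validation is off on purpose: with trust-on-first-use the pin is the
    trust decision, so the caller must drop the connection on CHANGED.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Hypothetical pin file: {"host:port": "<sha256 hex>"}, one pin per server."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    @staticmethod
    def _key(host: str, port: int) -> str:
        return f"{host.lower().rstrip('.')}:{port}"

    def _save(self) -> None:
        # mkstemp creates the file with mode 0600; the rename makes the update
        # atomic, so a crash cannot leave a truncated pin file behind.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".pins-")
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                json.dump(self.pins, fh, indent=2, sort_keys=True)
            os.replace(tmp, self.path)
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Pin on first contact; afterwards any different certificate is CHANGED.

        The issuer is never consulted, so a CA-signed replacement for a pinned
        self-signed certificate is still reported as CHANGED.
        """
        key = self._key(host, port)
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            self._save()
            return FIRST_USE
        return MATCH if hmac.compare_digest(pinned, seen) else CHANGED

    def repin(self, host: str, port: int, der_cert: bytes) -> None:
        """Explicit action after the new certificate was verified out of band."""
        self.pins[self._key(host, port)] = fingerprint(der_cert)
        self._save()


def demo() -> list:
    # Constructed stand-ins for DER certificates; only their bytes matter here.
    old = b"constructed self-signed certificate bytes"
    new = b"constructed CA-signed replacement bytes"
    with tempfile.TemporaryDirectory() as workdir:
        store = PinStore(os.path.join(workdir, "pins.json"))
        return [store.check("chat.example.org", 5223, c) for c in (old, old, new)]


if __name__ == "__main__":
    print(demo())
```

A client using this would call `fetch_leaf_der` before logging in and refuse to send credentials unless `check` returns `first-use` or `match`.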

Re: SSL security concern

2013-10-14 Thread Ethan Blanton
David Woolley spake unto us the following wisdom:
 Windows, although far from open source, tends to take a similar
 position by default, but does provide features like group policies
 to allow a management lock down. Windows SSL security implementation
 is also lousy, in your terms, because:

Windows is not a good example of ... basically anything.

 As a specific example of an area where Pidgin doesn't comply with
 management lock down wants is that every few months people ask how
 to disable all but one service, to which the standard answer, is you
 can disable protocols by removing the plugins, but the end user can
 just re-install them, so the correct solution is block at the
 firewall.  Of course, many people asking for this would want
 Facebook and Google blocked, but are using private XMPP servers, so
 share a common protocol.

This is not an accurate characterization.  We get people asking how to
disable all but one service *using the project-provided Windows
binaries*, and we state that there is no such way.  A user can readily
compile Pidgin without plugin loading and include a specific subset of
protocol plugins at compile time and achieve just this.  Just ... not
some clueless Windows sysadmin.

The point here, and the point for many such features, is that the
burden of supporting the option is larger than the perceived benefit,
from our point of view.  In the case of locking down protocols, the
primary concern I see is that, if you allow loadable plugins at all,
it seems likely that the user can find some way to defeat whatever
trivial mechanism you put in place with a modicum of effort.  A
nontrivial mechanism is a significant endeavor.

Ethan



Re: SSL security concern

2013-10-14 Thread David Woolley

On 14/10/13 17:33, Ralf Skyper Kaiser wrote:


I agree, 1 of the 7 Security features is already possible with pidgin
but requires source code recompilation. That does not fly for most
users (especially the windows users).


As far as I know, the Windows build is unable to use the system 
certificate store, so already uses one private to libpurple, but 
pre-populates it.  You could simply clear it out.  It is only on modern 
Linux systems where it is likely to share a certificate store, and those 
are the ones where compiling from source is likely to be easiest.  (A 
packager could, fairly easily, point the certificate store at a symlink, 
which defaults to the system store, in those cases.)


It looks like Debian also uses a private directory for the certificates 
(/usr/share/purple/ca-certs/), and doesn't even install all that come 
with Pidgin.




Pidgin should be secure by default or - if Pidgin insists that it has to
be insecure by default - at least the possibility for the user to use it
securely. Without having to recompile from source (and cross platform).


You just have to look at the typical question on this list to realise 
that a secure by default Pidgin would be unusable to a large number of 
Pidgin users - if you cannot make a usable support request, you are 
unlikely to understand how to source and install certificates securely. 
 There tends to be high support costs in making mass market software 
secure by default.  (As I already noted, Windows seems to let almost 
every Tom, Dick or Harry to act as CAs by default, because starting with 
only class 3 certificates would cause too many support problems.)


If anything, making it secure by default, if it doesn't scare off new 
users completely, is likely to result in lots of cook book solutions on 
how to get it to trust certificates without going through the proper 
processes to verify those certificates, thus teaching people bad 
security practices.


If Windows set all but class 3 CAs to disabled by default, I suspect the 
standard internet cook book solution would be simply to go into the 
certificate manager and enable them, whenever you got blocked.


Whilst making the directory a run time parameter would, probably, be a 
small change, you would then have to lock down the configuration file.


Having to explicitly add trusted certificates won't fly with most end users.





Re: SSL security concern

2013-10-14 Thread Ralf Skyper Kaiser
Hi,

So ... we already implement a large portion of this list, either

 explicitly or implicitly.  To wit:

  For Jitsi/Pidgin/Jabber this would mean:
 
 1. Do not allow non-private chats

 I don't know what this means.


...if OTR plugin is available then do not allow non-encrypted private
messages.

4. Feature to select CAfile storage location

 This is already provided, as a compile-time option.


This is not feasible to the average user. (point taken, developers know how
to use pidgin securely. everyone else should go to hell?)




 5. Force client to disable logging

 This is not an option, but can easily be achieved by marking
 ~/.purple/logs unwriteable by the user.


Option should be available cross-platform and without OS specific hacks.


 6. Inform server that user is using lockdown (so that server can reject
 all clients which do not).

 This is not useful, as a client can readily lie.


This is not the point. The client can also circumvent your no-logging idea
by putting up a camera and filming his screen.

The point is that it takes reasonable effort and prevents _accidental_
client misconfiguration.



 7. Once lockdown option is enabled the user should not be able to change
 any of the above options until lockdown is disabled again (e.g. gray out
 the option). Disconnect when lockdown option changes and reconnect to all
 servers.

 I don't see what this buys.  We're unlikely to implement it.


Prevents accidental misconfiguration by the user. A server rule could
create a rule to only let clients connect that are in lockdown. This would
ensure against these accidental misconfigurations:

1. User has logging disabled
2. User is authenticating against server supplied/server-trusted cert (and
not one of the 600+ CA's out there)
3. User can not send unencrypted private messages
etcetcetc.

It prevents accidental client misconfiguration which form the majority of
all security problems.

This is a disingenuous and misplaced statement.  I assume you're

 trying to bribe egos.  However, a) Pidgin is already used by many
 millions of users, b) the much larger user base is a small fraction
 of those millions consisting of (for example) certain financial
 companies, a small number of privacy-concerned tech-savvy individuals,
 etc.


I think there is a use case for such a feature. There is currently no easy
to use and secure IM client on the market.

History (last 2-3 years, and recent PRISM leaks) have shown that
governments (and I'm not just talking about the US here) are intercepting
SSL traffic on a massive scale (see the DigiNotar-Iran incident, The
Blackberry-Etisalat incident, the PRISM case, ...etc etc etc).

This has been made possible because of lax security implementation - not
just in pidgin but across the board.

Firefox and Chrome are now on the forefront for implementing stricter SSL
security (including certificate pinning, HSTS and exclusive CA locations).

David: Saying that this is not required reminds me of a discussion in the
80s when the car manufacturers said that Airbags are not required (That
cars have a brake and that people should drive responsibly. Only a small
ruthless-driving group of people would benefit.).

regards,

Ralf

Re: SSL security concern

2013-10-14 Thread Brian Morrison
On Mon, 14 Oct 2013 19:25:21 +0100
Ralf Skyper Kaiser wrote:

  1. Do not allow non-private chats  
 
  I don't know what this means.
   
 
 ...if OTR plugin is available then do not allow non-encrypted private
 messages.

This can be set on a per-contact basis for those who use OTR.

-- 

Brian Morrison



Re: SSL security concern

2013-10-14 Thread Ralf Skyper Kaiser
Brian,

Yes, correct, and it's a good feature to have.

Yet we see users sending unencrypted messages even when they think they are
using OTR with private message encryption (yes, users are sometimes stupid).

An option that uses encryption by default (which can be disabled by the
user) provides better security at no cost to usability. So why not do it?

regards,

Ralf



On Mon, Oct 14, 2013 at 7:54 PM, Brian Morrison b...@fenrir.org.uk wrote:

 On Mon, 14 Oct 2013 19:25:21 +0100
 Ralf Skyper Kaiser wrote:

   1. Do not allow non-private chats
  
   I don't know what this means.
  
 
  ...if OTR plugin is available then do not allow non-encrypted private
  messages.

 This can be set on a per-contact basis for those who use OTR.

 --

 Brian Morrison


Re: SSL security concern

2013-10-14 Thread Ethan Blanton
Ralf Skyper Kaiser spake unto us the following wisdom:
  1. Do not allow non-private chats
 
  I don't know what this means.

 ...if OTR plugin is available then do not allow non-encrypted private
 messages.

Oh, OTR.  This is a problem for the OTR plugin.  We started
discussions with the OTR people to bring it into Pidgin proper, but
they disappeared and it has never happened.  Until it does, it's not
something we can do anything about.

 4. Feature to select CAfile storage location
 
  This is already provided, as a compile-time option.
 
 This is not feasible to the average user. (point taken, developers know how
 to use pidgin securely. everyone else should go to hell?)

That's not what I said.

So ... you started with a list of demands with no justification, you
apparently ignored or disregarded existing functionality, and as we
attempt to refine the situation you resort to ego-bribery and reductio
ad absurdum.  It makes it hard to take you seriously.  You may have
some good points, but they're hard to find past the noise.

So, if we assume charitably that your cat sat on the keyboard and made
you look like a jerk, your response before that point probably said I
would like a runtime option, because while I want the store to be
exclusive and immutable, I want the store to be non-exclusive and
mutable.  At which point I say ... what are you trying to solve?
Give me a use case and we can talk about options.  I don't see any
reason why putting certificates in the predefined store is inferior to
changing the location of the store at runtime, and since you seem to
be concerned about users accidentally changing options, I'd say the
former is preferable to the latter.  Justify.

  5. Force client to disable logging
 
  This is not an option, but can easily be achieved by marking
  ~/.purple/logs unwriteable by the user.
 
 Option should be available cross-platform and without OS specific hacks.

That's cross-platform and not OS-specific, you can even do the same
thing on Windows ... assuming you're using Windows and still
pretending to be concerned about security (?).  I agree that it's
inelegant.  However, I don't really get what you're trying to
accomplish, if a simple option to turn off logging is not sufficient,
and you want an option to turn off the option that turns off logging.
Justify.


  6. Inform server that user is using lockdown (so that server can
  reject
  all clients which do not).
 
  This is not useful, as a client can readily lie.
 
 This is not the point. The client can also circumvent your no-logging idea
 by putting up a camera and filming his screen.
 
 The point is that it takes reasonable effort and prevents _accidental_
 client misconfiguration.

I ... still don't get this.

  7. Once lockdown option is enabled the user should not be able to
 change any of the above options until lockdown is disabled again
 (e.g. gray out the option). Disconnect when lockdown option
 changes and reconnect to all servers.
 
  I don't see what this buys.  We're unlikely to implement it.
 
 Prevents accidental misconfiguration by the user. A server rule could
 create a rule to only let clients connect that are in lockdown. This would
 ensure against these accidental misconfigurations:
 
 1. User has logging disabled
 2. User is authenticating against server supplied/server-trusted cert (and
 not one of the 600+ CA's out there)
 3. User can not send unencrypted private messages
 etcetcetc.

So maybe you're just saying something very confusing here.  You don't
want an option that locks down the preferences, you want an option
that automatically sets a variety of security preferences to known
good settings?  Your initial description sounded like you wanted an
option to disable further configuration tweaks, regardless of what the
current configuration is.

If your assertion is, instead, that there should be a secure
everything global option, then I'd say this is a reasonable idea, but
your specific implementation is not great.  I'd be more inclined to
have a dropdown box in a security tab with a couple of options.
Maybe:

* Secure all communications, untrusted local storage
* Secure all communications, trusted local storage
* Require encrypted server connections
* Allow insecure connections
* Custom settings

The first locks down everything you've asked for, the second does the
same but allows logging, the third enforces Use SSL/TLS Encryption
for every connection but makes no other security-related demands, the
fourth enforces Use SSL/TLS if available, and the final setting lets
each preference do its own thing.

My pushback on this is that the complexity of implementation is pretty
high, and I don't really think the benefit is that large.  I wouldn't
implement it, but if somebody handed it to me and it was good, I would
probably take it.

  This is a disingenuous and misplaced statement.  I assume you're
  trying to bribe egos.  However

Pidgin 2.10.7 Windows: yahoo / ssl error

2013-10-09 Thread Vlad Ion
Dear support team,

Over the last 2 hours, I started having the following error on both
computers in my house. I tried to reboot the computers and reinstall
pidgin, though I have no luck and I get the same error.
Any help would be greatly appreciated.

(03:07:15) *connection:* Connecting. gc = 04CA35D0
(03:07:15) *util:* requesting to fetch a URL
(03:07:15) *dnsquery:* Performing DNS lookup for vcs1.msg.yahoo.com
(03:07:15) *dnsquery:* IP resolved for vcs1.msg.yahoo.com
(03:07:15) *proxy:* Attempting connection to 66.196.120.43
(03:07:15) *proxy:* Connecting to vcs1.msg.yahoo.com:80 with no proxy
(03:07:15) *proxy:* Connection in progress
(03:07:15) *proxy:* Connecting to vcs1.msg.yahoo.com:80.
(03:07:15) *proxy:* Connected to vcs1.msg.yahoo.com:80.
(03:07:15) *util:* request constructed
(03:07:16) *util:* Response headers: 'HTTP/1.1 200 OK
Content-Length: 46
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=0, must-revalidate
Expires: Sun, 10 Jun 2007 12:01:01 GMT

'
(03:07:16) *util:* parsed 46
(03:07:16) *yahoo:* Got COLO Capacity: 1
(03:07:16) *yahoo:* Got CS IP address: 66.196.121.24
(03:07:16) *dnsquery:* Performing DNS lookup for 66.196.121.24
(03:07:16) *dnsquery:* IP resolved for 66.196.121.24
(03:07:16) *proxy:* Attempting connection to 66.196.121.24
(03:07:16) *proxy:* Connecting to 66.196.121.24:5050 with no proxy
(03:07:16) *proxy:* Connection in progress
(03:07:16) *proxy:* Connecting to 66.196.121.24:5050.
(03:07:16) *proxy:* Connected to 66.196.121.24:5050.
(03:07:16) *yahoo:* 80 bytes to read, rxlen is 100
(03:07:16) *yahoo:* Yahoo Service: 0x57 Status: 1
(03:07:16) *yahoo:* Authentication: In yahoo_auth16_stage1
(03:07:16) *util:* requesting to fetch a URL
(03:07:16) *dnsquery:* Performing DNS lookup for login.yahoo.com
(03:07:16) *dnsquery:* IP resolved for login.yahoo.com
(03:07:16) *proxy:* Attempting connection to 188.125.82.242
(03:07:16) *proxy:* Connecting to login.yahoo.com:443 with no proxy
(03:07:16) *proxy:* Connection in progress
(03:07:16) *proxy:* Connecting to login.yahoo.com:443.
(03:07:16) *proxy:* Connected to login.yahoo.com:443.
(03:07:16) *nss:* subject=CN=login.yahoo.com,O=Yahoo!
Inc.,L=Sunnyvale,ST=CA,C=US issuer=CN=DigiCert High Assurance CA-3,OU=
www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *nss:* subject=CN=DigiCert High Assurance CA-3,OU=
www.digicert.com,O=DigiCert Inc,C=US issuer=CN=DigiCert High Assurance EV
Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *nss:* partial certificate chain
(03:07:16) *certificate/x509/tls_cached:* Starting verify for
login.yahoo.com
(03:07:16) *certificate/x509/tls_cached:* Checking for cached cert...
(03:07:16) *certificate/x509/tls_cached:* ...Found cached cert
(03:07:16) *nss/x509:* Loading certificate from
C:\Users\root\AppData\Roaming\.purple\certificates\x509\tls_peers\
login.yahoo.com
(03:07:16) *certificate/x509/tls_cached:* Peer cert did NOT match cached
(03:07:16) *certificate:* Checking signature chain for uid=CN=
login.yahoo.com,O=Yahoo! Inc.,L=Sunnyvale,ST=CA,C=US
(03:07:16) *certificate:* ...Good signature by CN=DigiCert High Assurance
CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *certificate:* Chain is VALID
(03:07:16) *certificate/x509/tls_cached:* Checking for a CA with
DN=CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert
Inc,C=US
(03:07:16) *certificate/x509/tls_cached:* Also checking for a CA with
DN=CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *certificate:* Failed to verify certificate for login.yahoo.com
(03:07:16) *yahoo:* Authentication: In yahoo_auth16_stage1_cb
(03:07:16) *yahoo:* Login Failed, unable to retrieve login url: Unable to
connect to login.yahoo.com: SSL peer presented an invalid certificate
(03:07:16) *connection:* Connection error on 04CA35D0 (reason: 0
description: Unable to connect to login.yahoo.com: SSL peer presented an
invalid certificate)
(03:07:16) *account:* Disconnecting account vlad_thoth (02581990)
(03:07:16) *connection:* Disconnecting connection 04CA35D0
(03:07:16) *connection:* Destroying connection 04CA35D0

Cheers,
Vlad
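
[Added example, not part of the original post and not Pidgin code.] The debug log above can be read mechanically: the sketch below re-joins the mail-wrapped lines, rebuilds the certificate chain from the nss lines and reports which verification steps passed before "Failed to verify certificate". The function names are hypothetical and the sample input is constructed from lines in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines modelled on the debug log in the post above,
# keeping the "*category:*" markup and the mail-wrapped continuation lines.
SAMPLE_LOG = """\
(03:07:16) *proxy:* Connected to login.yahoo.com:443.
(03:07:16) *nss:* subject=CN=login.yahoo.com,O=Yahoo!
Inc.,L=Sunnyvale,ST=CA,C=US issuer=CN=DigiCert High Assurance CA-3,OU=
www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *nss:* subject=CN=DigiCert High Assurance CA-3,OU=
www.digicert.com,O=DigiCert Inc,C=US issuer=CN=DigiCert High Assurance EV
Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *nss:* partial certificate chain
(03:07:16) *certificate/x509/tls_cached:* Starting verify for
login.yahoo.com
(03:07:16) *certificate/x509/tls_cached:* ...Found cached cert
(03:07:16) *certificate/x509/tls_cached:* Peer cert did NOT match cached
(03:07:16) *certificate:* Chain is VALID
(03:07:16) *certificate/x509/tls_cached:* Checking for a CA with
DN=CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert
Inc,C=US
(03:07:16) *certificate/x509/tls_cached:* Also checking for a CA with
DN=CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *certificate:* Failed to verify certificate for login.yahoo.com
"""

# "(HH:MM:SS) category: message", with optional * around the category.
ENTRY = re.compile(r"^\((\d\d:\d\d:\d\d)\) \*?([^\s:*]+):\*? ?(.*)$")


def entries(text):
    """Return (category, message) pairs with wrapped lines re-joined."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            rows.append([m.group(2), m.group(3)])
        elif rows and line.strip():
            rows[-1][1] += " " + line.strip()
    # A wrap that fell right after "=" (e.g. "OU=" / "www...") leaves a stray space.
    return [(cat, re.sub(r"=\s+", "=", msg)) for cat, msg in rows]


@dataclass
class Diagnosis:
    host: str = ""
    chain: list = field(default_factory=list)  # (subject, issuer) as sent by the server
    partial_chain: bool = False
    pin_mismatch: bool = False
    signatures_valid: bool = False
    ca_dns_checked: list = field(default_factory=list)
    failed: bool = False


def diagnose(text):
    """Collect the verification steps recorded in a Pidgin debug log."""
    d = Diagnosis()
    for cat, msg in entries(text):
        if cat == "nss":
            m = re.match(r"subject=(.*?) issuer=(.*)$", msg)
            if m:
                d.chain.append((m.group(1), m.group(2)))
            elif msg == "partial certificate chain":
                d.partial_chain = True
        elif cat.startswith("certificate"):
            if msg == "Peer cert did NOT match cached":
                d.pin_mismatch = True
            elif msg == "Chain is VALID":
                d.signatures_valid = True
            elif (m := re.search(r"hecking for a CA with DN=(.*)$", msg)):
                d.ca_dns_checked.append(m.group(1))
            elif (m := re.match(r"Failed to verify certificate for (\S+)", msg)):
                d.failed, d.host = True, m.group(1)
    return d


def findings(d):
    """Turn the collected steps into short statements (inferred from log order)."""
    out = []
    if d.pin_mismatch:
        out.append("server certificate differs from the copy cached in tls_peers")
    if d.chain and all(subj != iss for subj, iss in d.chain):
        out.append("server sent no self-signed root; trust must come from the local CA store")
    if d.failed and d.signatures_valid and d.ca_dns_checked:
        out.append("signatures verified, so the failure follows the CA lookup; "
                   "check the local store for: " + " | ".join(d.ca_dns_checked))
    elif d.failed:
        out.append("verification failed before a valid chain was established")
    return out


if __name__ == "__main__":
    for line in findings(diagnose(SAMPLE_LOG)):
        print("-", line)
```
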

SSL security concern

2013-09-22 Thread skyper
Hi,

1. Which ROOT CA storage does pidgin use to authenticate a server side SSL
certificate?

2. How can I configure pidgin to use one (and just one; exclusive) ROOT CA
storage (or single certificate) and ignore all other system-wide root certs
without having to recompile the source?

3. How can I harden pidgin to fail connecting to the jabber server if SSL
trust can not be established? I do not want to see any warning that the SSL
cert can not be authenticated or the user being asked if he trusts the
certificate manually.

thanks & regards,

skyper

tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
Hello,

Pidgin 2.10.6 (libpurple 2.10.6)
4cfe697ea3ae39a4fb3dad8e3ed1c70855901095

I am trying to connect to Tor using Pidgin.  I am having a connection
issue.  Of the three proxy options socks4, socks5, and
tor/privacy(socks5), it seems I should be using tor/privacy(socks5). 

This issue has come up on some Tor lists.

Can someone explain exactly what is the difference between Tor/Privacy
Socks5, and just Socks5, and whether you believe Pidgin to preserve the
anonymity?

And also, my question as to why on my system, socks 5 works, but
Tor/Privacy(Socks5) results in SSL connection error almost
immediately (i.e. I don't think it is even making any network activity,
it just immediately displays the SSL connect error.  Setting Socks5
works fine.

Thanks



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Daniel Atallah
On Tue, Apr 2, 2013 at 7:08 PM, Ileana ile...@fairieunderground.info wrote:

 Hello,

 Pidgin 2.10.6 (libpurple 2.10.6)
 4cfe697ea3ae39a4fb3dad8e3ed1c70855901095

 I am trying to connect to Tor using Pidgin.  I am having a connection
 issue.  Of the three proxy options socks4, socks5, and
 tor/privacy(socks5), it seems I should be using tor/privacy(socks5).

 This issue has come up on some Tor lists.

 Can someone explain exactly what is the difference between Tor/Privacy
 Socks5, and just Socks5, and whether you believe Pidgin to preserve the
 anonymity?

The difference is that the Tor/Privacy proxy will disable various
other pieces of functionality (e.g. DNS queries) instead of just
proxying actual connections through a proxy.  If you have pidgin
configured appropriately (e.g. disabling UPnP, etc) we're not aware of
any leakage of information to someone listening between you and the
proxy endpoint.

 And also, my question as to why on my system, socks 5 works, but
 Tor/Privacy(Socks5) results in SSL connection error almost
 immediately (i.e. I don't think it is even making any network activity,
 it just immediately displays the SSL connect error.  Setting Socks5
 works fine.

You didn't provide any context to the specific issue, but the likely
reason for this particular error is that the Tor/Privacy Socks5 mode
will prevent DNS queries from occurring and this probably has the
effect of preventing you from determining the correct server to
connect to (e.g. a DNS SRV lookup is necessary to connect to the
appropriate XMPP server for a number of domains unless you specify a
Connect Server manually).

-D



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
 
 You didn't provide any context to the specific issue, but the likely
 reason for this particular error is that the Tor/Privacy Socks5 mode
 will prevent DNS queries from occurring and this probably has the
 effect of preventing you from determining the correct server to
 connect to (e.g. a DNS SRV lookup is necessary to connect to the
 appropriate XMPP server for a number of domains unless you specify a
 Connect Server manually).
 

Daniel,

Sorry for the lack of context.  I am using tor and pidgin 
Pidgin 2.10.6 (libpurple 2.10.6), on linux.

I am connecting to a normal irc server.

It works with socks 5, it doesn't work, and immediately fails, with
tor/privacy socks5 with error ssl connection failed.

When I try to connect to an IRC tor hidden service
address (blahblahblah.onion) I get: 
Unable to connect: Aborting DNS lookup in Tor Proxy mode.

When I try to connect to a regular IRC address/hostname, I get SSL
Connection Failed.

Both work when I select socks5.  Neither works with tor/privacy(socks5).

Are you suggesting I should be putting the ip addresses in directly for
these hostnames?  That isn't even possible in the case of the hidden
service addresses.  And the hidden service address seems to resolve and
work fine with the socks5 setting.

I don't see how this can't be some kind of bug?  Aren't the dns requests
supposed to go through the proxy?  Do you need to add a check box (do
dns lookup at proxy end), as appears in the main proxy config screen,
for each individual setting?

I am concerned some users may be using pidgin incorrectly.  But you
might be right that it is a dns problem, and it is attempting the
lookup locally.  In the case of the TAILS OS, all dns is transparently
routed over the tor, so local dns gets resolved, and that would work.
But for most privacy users, local dns queries are a big no-no, yet
they need to be done, and hence are done via socks 5 at proxy end.

What is the workaround now? Use socks4 and make the changes? Is it
sufficient to turn off upnp and disable unnecessary plugins, or is the
tor/privacy setting doing stuff in the code that an end user can't set
manually?  I.E. If I just use socks5 and disable plugins, is that
enough?  Does it do anything versus ctcp/ping/dcc etc?

Thanks




Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
From my basic understanding, a tor/privacy setting should ensure:

*no local dns lookups (perhaps as an options checkbox)
socks4 automatically does lookup at end...there is no option.
socks5 you have option for local or remote dns in the spec.  Most tor
users want remote, except in the case of TAILS a user might handle the
dns queries locally(and then resolving them through for instance tor's
dns port).  I think the same side is to do them remotely.

*real ip address never gets sent out

*no other system information gets sent out(kernel version, uname,
os, etc)

*nothing that seems to be a unique identifier gets sent out upon
connect/reconnect. (i.e. ssl session ids, user agents/version, etc).

*timestamps all converted to utc

*any functionality such as dcc where there is a direct connection to
the other client should either be disabled or also insure real ip is
not leaked.

I can't think of anything else off the top of my head, but I may have
missed something.

If you are a developer and can point me to a link to the code that
handles the proxy settings, I would take a further look.

Thanks



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Daniel Atallah
On Tue, Apr 2, 2013 at 8:55 PM, Ileana ile...@fairieunderground.info wrote:

 You didn't provide any context to the specific issue, but the likely
 reason for this particular error is that the Tor/Privacy Socks5 mode
 will prevent DNS queries from occurring and this probably has the
 effect of preventing you from determining the correct server to
 connect to (e.g. a DNS SRV lookup is necessary to connect to the
 appropriate XMPP server for a number of domains unless you specify a
 Connect Server manually).


 Daniel,

 Sorry for the lack of context.  I am using tor and pidgin
 Pidgin 2.10.6 (libpurple 2.10.6), on linux.

 I am connecting to a normal irc server.

 It works with socks 5, it doesn't work, and immediately fails, with
 tor/privacy socks5 with error ssl connection failed.

 When I try to connect to an IRC tor hidden service
 address (blahblahblah.onion) I get:
 Unable to connect: Aborting DNS lookup in Tor Proxy mode.

 When I try to connect to a regular IRC address/hostname, I get SSL
 Connection Failed.

You'll need to provide more details - a sanitized debug log
(Help -> Debug Window) from when it tries to connect should help.


 Both work when I select socks5.  Neither works with tor/privacy(socks5).

 Are you suggesting I should be putting the ip addresses in directly for
 these hostnames?  That isn't even possible in the case of the hidden
 service addresses.  And the hidden service address seems to resolve and
 work fine with the socks5 setting.

No, that's not necessarily what I'm suggesting.

 I don't see how this can't be some kind of bug?  Aren't the dns requests
 supposed to go through the proxy?  Do you need to add a check box (do
 dns lookup at proxy end), as appears in the main proxy config screen,
 for each individual setting?

Again, it's hard to say without more information.  It's not possible
to do all DNS requests through the proxy - you can pass a hostname to
the proxy and have it resolve it, but e.g. a SRV request can't be done
through a proxy.

No, that checkbox is globally applied, it doesn't need to be more
granularly applied.

 I am concerned some users may be using pidgin incorrectly.  But you
 might be right that it is a dns problem, and it is attempting the
 lookup locally.  In the case of the TAILS OS, all dns is transparently
 routed over the tor, so local dns gets resolved, and that would work.
 But for most privacy users, local dns queries are a big no-no, yet
 they need to be done, and hence are done via socks 5 at proxy end.

 What is the workaround now? Use socks4 and make the changes? Is it
 sufficient to turn off upnp and disable unnecessary plugins, or is the
 tor/privacy setting doing stuff in the code that an end user can't set
 manually?  I.E. If I just use socks5 and disable plugins, is that
 enough?  Does it do anything versus ctcp/ping/dcc etc?

TAILS is pretty much irrelevant from the application perspective.
I'm going to hold off answering the rest because we don't know what
the problem is.

-D



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Daniel Atallah
On Tue, Apr 2, 2013 at 9:11 PM, Ileana ile...@fairieunderground.info wrote:
 From my basic understanding, a tor/privacy setting should ensure:

All of my answers below apply to stock Pidgin when you select
Tor/Privacy in the proxy settings- any third party plugins could
change the behavior.

Some effort has been put into making XMPP safe from a privacy
perspective; other protocols have issues - good patches are always
welcome.

 *no local dns lookups (perhaps as an options checkbox)
 socks4 automatically does lookup at end...there is no option.
 socks5 you have option for local or remote dns in the spec.  Most tor
 users want remote, except in the case of TAILS a user might handle the
 dns queries locally(and then resolving them through for instance tor's
 dns port).  I think the same side is to do them remotely.

The libpurple DNS functionality will be blocked - anything that can be
done through the proxy will be done, otherwise the functionality will
fail (for things using the libpurple DNS API).

It's possible that protocols like gadu-gadu or sametime, which use
external libraries to implement the protocol, would make DNS requests
without using the libpurple API.

It looks like Bonjour/Link-Local accounts will send stuff out on your
local network, because that's how the protocol works.

 *real ip address never gets sent out

This should be the case for XMPP.

If libpurple/Pidgin is configured appropriately, it won't know what
your external IP address is.


 *no other system information gets sent out(kernel version, uname,
 os, etc)

Your IRC account default settings contain some information from your
OS user account, but you're free to change them.

See https://developer.pidgin.im/ticket/15295

There may be other issues for other protocols


 *nothing that seems to be a unique identifier gets sent out upon
 connect/reconnect. (i.e. ssl session ids, user agents/version, etc).

Of course unique things will be sent out - you're connecting to an IM
account and your account name will be sent out (and possibly your
password too depending on what you're connecting to).


 *timestamps all converted to utc

I'm not sure if there are places where your timezone or information
that can be used to deduce your timezone are sent out, but I don't
consider this sensitive.

 *any functionality such as dcc where there is a direct connection to
 the other client should either be disabled or also insure real ip is
 not leaked.

This wouldn't be a reasonable assumption to make for protocols other than XMPP.

 I can't think of anything else off the top of my head, but I may have
 missed something.

 If you are a developer and can point me to a link to the code that
 handles the proxy settings, I would take a further look.

libpurple/proxy.c



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
On Tue, 2 Apr 2013 21:46:20 -0400
Daniel Atallah datal...@pidgin.im wrote:

 
  Daniel,
 
  Sorry for the lack of context.  I am using tor and pidgin
  Pidgin 2.10.6 (libpurple 2.10.6), on linux.
 
  I am connecting to a normal irc server.
 
  It works with socks 5, it doesn't work, and immediately fails, with
  tor/privacy socks5 with error ssl connection failed.
 
  When I try to connect to an IRC tor hidden service
  address (blahblahblah.onion) I get:
  Unable to connect: Aborting DNS lookup in Tor Proxy mode.
 
  When I try to connect to a regular IRC address/hostname, I get SSL
  Connection Failed.
 
 You'll need to provide more details - a sanitized debug log
 (Help -> Debug Window) from when it tries to connect should help.
 

(21:49:24) account: Connecting to account foo44...@irc.oftc.net.
(21:49:24) connection: Connecting. gc = 0xb83c3868
(21:49:24) dnsquery: Performing DNS lookup for localhost
(21:49:24) dnsquery: Aborting DNS lookup in Tor Proxy mode.
(21:49:24) proxy: Connection attempt failed: Aborting DNS lookup in Tor Proxy 
mode.
(21:49:24) connection: Connection error on 0xb83c3868 (reason: 0 description: 
SSL Connection Failed)
(21:49:24) account: Disconnecting account foo44...@irc.oftc.net (0xb7c39428)
(21:49:24) connection: Disconnecting connection 0xb83c3868
(21:49:24) connection: Destroying connection 0xb83c3868
(21:49:28) autorecon: do_signon called
(21:49:28) autorecon: calling purple_account_connect

I don't understand this...it says it is doing dns lookup for localhost?

Ahh! I found it...I had localhost in the settings rather than
127.0.0.1.

When I set it to 127.0.0.1 for the proxy host, it works.  I see, it
cuts off all local dns requests, including looking at the host file.

I am not sure if this should be documented...most other applications
(firefox, thunderbird, etc) have the option to do some names locally,
in particular, localhost should usually work.  This may be considered a
minor bug?


 
 Again, it's hard to say without more information.  It's not possible
 to do all DNS requests through the proxy - you can pass a hostname to
 the proxy and have it resolve it, but e.g. a SRV request can't be done
 through a proxy.


 
 No, that checkbox is globally applied, it doesn't need to be more
 granularly applied.

Perhaps you are right.  And I am mixed up in my statements.  socks 4
you have the option local/remote dns.  socks4a seems to automatically
do remote, no option, but pidgin doesn't seem to do socks4a.  And socks5
again the option, but it seems the common setting is to do remote
lookup.  

 
  I am concerned some users may be using pidgin incorrectly.  But you
  might be right that it is a dns problem, and it is attempting the
  lookup locally.  In the case of the TAILS OS, all dns is
  transparently routed over the tor, so local dns gets resolved, and
  that would work. But for most privacy users, local dns queries are
  a big no-no, yet they need to be done, and hence are done via socks
  5 at proxy end.
 
  What is the workaround now? Use socks4 and make the changes? Is it
  sufficient to turn off upnp and disable unnecessary plugins, or is
  the tor/privacy setting doing stuff in the code that an end user
  can't set manually?  I.E. If I just use socks5 and disable plugins,
  is that enough?  Does it do anything versus ctcp/ping/dcc etc?
 
 TAILS is pretty much irrelevant from the application perspective.
 I'm going to hold off answering the rest because we don't know what
 the problem is.
 
OK...I see what you are saying.  I see how TAILS should be irrelevant
from the application end...up into the point the application itself is
sending out information that could deanonymize the client.  TAILS really
can't do anything about that, hence I like that pidgin is
compartmentalizing the problem by having this privacy setting.  I just
think it should be documented exactly what it is doing.

It seems your Tor/Privacy mode should keep the user, by any means
possible, from doing un-intentional loss of private information at the
application level.

Thanks for helping me resolve this, and your obvious work on this app,
which is really nice. I guess I will have to look at the code to see
exactly what is the difference from the socks5/torprivacy setting?  You
mentioned, obviously, it blocking DNS, and we see that here.  I am
wanting a full list of differences.
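
[Added example, not part of the thread and not libpurple code.] The two points made above, that a hostname can be handed to the SOCKS5 proxy for resolution while any name the client must resolve itself (the proxy host "localhost", or an SRV record) is refused in Tor/Privacy mode, can be modelled as below. The request layout follows RFC 1928; plan(), LocalDnsBlocked and the ports are assumptions made for illustration.

```python
import ipaddress
import struct


class LocalDnsBlocked(Exception):
    """A step would need a local name lookup while Tor/Privacy mode is on."""


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal and needs no resolver."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def socks5_connect_request(dest_host, dest_port):
    """Build an RFC 1928 CONNECT request.

    Layout: VER=5, CMD=1 (CONNECT), RSV=0, ATYP, DST.ADDR, DST.PORT.
    A hostname is sent as ATYP 0x03 (length byte + name), so the proxy end
    resolves it; this is also the only way a .onion name can be reached.
    """
    try:
        ip = ipaddress.ip_address(dest_host)
        atyp = 0x01 if ip.version == 4 else 0x04
        addr = ip.packed
    except ValueError:
        name = dest_host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes for ATYP 0x03")
        atyp = 0x03
        addr = bytes([len(name)]) + name
    return struct.pack("!BBBB", 5, 1, 0, atyp) + addr + struct.pack("!H", dest_port)


def plan(proxy_host, dest_host, dest_port, tor_mode, needs_srv=False):
    """Model one connection attempt (hypothetical helper).

    Returns (local_lookups, request_bytes). In Tor/Privacy mode any local
    lookup aborts the attempt, as in the log line
    "Aborting DNS lookup in Tor Proxy mode."
    """
    local_lookups = []
    if not is_ip_literal(proxy_host):
        # The proxy's own address has to be resolved before anything is proxied.
        local_lookups.append(proxy_host)
    if needs_srv:
        # SOCKS5 offers CONNECT, BIND and UDP ASSOCIATE only; there is no
        # command that asks the proxy for an SRV record.
        local_lookups.append("SRV for " + dest_host)
    if tor_mode and local_lookups:
        raise LocalDnsBlocked("local lookup refused: " + ", ".join(local_lookups))
    return local_lookups, socks5_connect_request(dest_host, dest_port)


if __name__ == "__main__":
    # Constructed values: port 6697 and the proxy settings are assumptions.
    for proxy in ("localhost", "127.0.0.1"):
        try:
            _, req = plan(proxy, "blahblahblah.onion", 6697, tor_mode=True)
            print(proxy, "->", req.hex())
        except LocalDnsBlocked as exc:
            print(proxy, "->", exc)
```
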



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
On Tue, 2 Apr 2013 22:36:51 -0400
Daniel Atallah datal...@pidgin.im wrote:

 On Tue, Apr 2, 2013 at 9:11 PM, Ileana
 ile...@fairieunderground.info wrote:
  From my basic understanding, a tor/privacy setting should ensure:
 
 All of my answers below apply to stock Pidgin when you select
 Tor/Privacy in the proxy settings- any third party plugins could
 change the behavior.
 
 Some effort has been put into making XMPP safe from a privacy
 perspective; other protocols have issues - good patches are always
 welcome.

Well thanks for the effort.
 
  *no local dns lookups (perhaps as an options checkbox)
  socks4 automatically does lookup at end...there is no option.
  socks5 you have option for local or remote dns in the spec.  Most
  tor users want remote, except in the case of TAILS a user might
  handle the dns queries locally(and then resolving them through for
  instance tor's dns port).  I think the same side is to do them
  remotely.
 
 The libpurple DNS functionality will be blocked - anything that can be
 done through the proxy will be done, otherwise the functionality will
 fail (for things using the libpurple DNS API).
 
 It's possible that protocols like gadu-gadu or sametime, which use
 external libraries to implement the protocol, would make DNS requests
 without using the libpurple API.
 
 It looks like Bonjour/Link-Local accounts will send stuff out on your
 local network, because that's how the protocol works.
 
  *real ip address never gets sent out
 
 This should be the case for XMPP.
 
 If libpurple/Pidgin is configured appropriately, it won't know what
 your external IP address is.
 
 
  *no other system information gets sent out(kernel version, uname,
  os, etc)
 
 Your IRC account default settings contain some information from your
 OS user account, but you're free to change them.
 
 See https://developer.pidgin.im/ticket/15295
 
 There may be other issues for other protocols
 
 
  *nothing that seems to be a unique identifier gets sent out upon
  connect/reconnect. (i.e. ssl session ids, user agents/version, etc).
 
 Of course unique things will be sent out - you're connecting to an IM
 account and your account name will be sent out (and possibly your
 password too depending on what you're connecting to).

Everyone disagrees about the User Agent issue and this has been a big
pain in the butt across applications from browsers to torrent to chat.
It seems XMPP/Pidgin does send out the timezone and pidgin
version/libpurple version. Seems like minor non-sensitive stuff but it
does allow partitioning of the userspace.

 
 
  *timestamps all converted to utc
 
 I'm not sure if there are places where your timezone or information
 that can be used to deduce your timezone are sent out, but I don't
 consider this sensitive.
 
  *any functionality such as dcc where there is a direct connection to
  the other client should either be disabled or also insure real ip is
  not leaked.
 
 This wouldn't be a reasonable assumption to make for protocols other
 than XMPP.
 
  I can't think of anything else off the top of my head, but I may
  have missed something.
 
  If you are a developer and can point me to a link to the code that
  handles the proxy settings, I would take a further look.
 
 libpurple/proxy.c

Thanks for the info.  I will take a look at it.



Error requesting https://api.oscar.aol.com/aim/startOSCARSession: Unable to connect to api.oscar.aol.com: SSL Connection Failed

2013-02-07 Thread Alonso, Shelley (NIH/NCI) [C]
I downloaded the latest version of Pidgin this morning and installed on a new
laptop that has windows 7 OS. I get the following error when trying to connect:

Error requesting https://api.oscar.aol.com/aim/startOSCARSession: Unable to 
connect to api.oscar.aol.com: SSL Connection Failed

Your site says that if you get AOL SSL handshake message to install the latest
version of Pidgin, which I have just done. And searching your support site has
not helped... I do not find any tickets for this issue.

It is pretty important that I get some sort of IM client working soon since I
work remote and this is a main avenue of communication with my group. I really
hate using AIM... I have been using Pidgin for the last 4 years on my old
laptop which is running windows xp, and like it a lot better.

Thanks,
Shelley

Re: SSL

2012-09-17 Thread Mark Doliner
 On Sun, Sep 16, 2012 at 5:40 PM,  england1...@tormail.org wrote:
 Is there a way to connect with SSL with ICQ in pidgin?

In newer versions of Pidgin, edit the account, on the Advanced tab
leave all settings set to the default values except change Connection
security to Require encryption.  In this case Pidgin will bail out
upon login if it isn't able to establish an SSL/TLS connection for
something.

In older versions of Pidgin, if clientLogin is turned on then
authentication will always happen over SSL/TLS.  I don't remember the
specifics about whether IM and buddy list traffic will be encrypted...
I think it depends on the version of Pidgin you're using.  Newer
versions tend to request encryption for IM/buddy list when available,
but I think they're still willing to connect even if the server
doesn't allow an SSL/TLS connection.



SSL

2012-09-16 Thread england1966
Hi, can you tell me if I use 443 port in the 'advanced' tab in 'edit
account' that it will automatically make the connection through SSL?
Thanks.



Re: SSL

2012-09-16 Thread Daniel Atallah
On Sun, Sep 16, 2012 at 12:46 PM, england1...@tormail.org wrote:
> Hi, can you tell me if I use 443 port in the 'advanced' tab in 'edit
> account' that it will automatically make the connection through SSL?
> Thanks.

No, changing the port will not automatically make the connection use SSL.

-D



Re: SSL

2012-09-16 Thread Daniel Atallah
On Sun, Sep 16, 2012 at 5:40 PM,  england1...@tormail.org wrote:
 On Sun, Sep 16, 2012 at 12:46 PM,  england1...@tormail.org wrote:
 Hi, can you tell me if I use 443 port in the 'advanced' tab in 'edit
 account' that it will automatically make the connection through SSL?
 Thanks.

 No, changing the port will not automatically make the connection use SSL.

 -D


 Thanks. Is there a way to connect with SSL with ICQ in pidgin? Because I
 can not see an option to do it in 'edit account'. Thanks.

Please reply to the mailing list and not to me directly.
I don't know the answer to your question, but perhaps someone else does.

-D



SSL configuration

2012-09-16 Thread england1966
Hi, could you please tell me if I can in any way configure SSL to work with
pidgin. There doesn't seem to be an option for ICQ.
Thanks in advance.



Re: Error: SSL peer presented an invalid certificate | running on ARM-ubuntu-11.10

2012-06-11 Thread Mark Doliner
You could try to figure out why Pidgin thinks the certificate is
invalid by running with pidgin -d to show lots of debug output (I'm
a little surprised the error message you're seeing doesn't already say
why it's invalid).  The two most likely reasons I can think of are
either the clock on your ARM computer is wrong, or Pidgin still can't
find the CA certificates.



Re: XMPP - SSL Handshake Failed on 2.8.0

2011-06-13 Thread Ethan Blanton
Christy Ankrom spake unto us the following wisdom:
> I cannot connect to XMPP on version 2.8.0 - giving me error SSL handshake
> failed.  Searched support and cannot find documentation to help me out.
> Last tried and worked on 6/10/11.

Please include the contents of a debug log (Help | Debug Window) from
the connect.  You may redact usernames and hostnames from the log if
you like.

This is sometimes caused by servers which do not correctly support
SSL.  It can also be caused by a server with a bad or broken
certificate (although normally, in that case, you get an option to
temporarily accept the bad certificate).  Without a debug log, it is
hard to say what is going on here.

Ethan



Re: Unable to connect to bos server. ssl handshake failed

2011-04-05 Thread Mark Doliner
On Mon, Mar 28, 2011 at 8:40 AM, Felicia Marzan fmar...@nuskin.com wrote:
> Please advise how to fix this error listed in the subject line.

This is sometimes just a temporary problem.  Is this still happening?
Have you been able to connect successfully in the past using Pidgin?

--Mark


Unable to connect to bos server. ssl handshake failed

2011-03-28 Thread Felicia Marzan
Please advise how to fix this error listed in the subject line.

Thanks,
Felicia


Felicia Marzan
HR Office Manager


Phone: (801)345-2500
Fax: (801)345-2591
fmar...@nuskin.com



Re: Unable to connect to bos server. ssl handshake failed

2011-03-28 Thread David Woolley

Felicia Marzan wrote:

Please advise how to fix this error listed in the subject line.


This is an error associated with the AOL Oscar protocol and bos is 
actually BOS.


Probably the AOL machine failed to convince you that it was genuine, 
quite possibly because a firewall was blocking the communication.


You need to provide debug log information, although speaking with your 
IT department about their firewall might help.


What happens when you use the official AOL client?

What version of Pidgin and what OS type and version?

http://code.google.com/p/joscar/wiki/OscarConnections  explains BOS 
servers (Basic Online Services).  This seems to deal with coordinating 
your session after you have logged in, routing requests to more 
appropriate servers.




--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



SSL Certificate Verification issues

2011-02-24 Thread Don Keeney

Recently I started getting SSL Certificate Verification issues on AIM, with 
Pidgin. The following would come up:
Accept certificate for bos.oscar.aol.com?

The certificate for bos.oscar.aol.com could not be validated.

The certificate has expired and should not be considered valid.  Check that 
your computer's date and time are accurate.


And it has buttons to view the certificate, or Reject or Accept it. No matter 
what happens, whether I click Accept or Reject, the next time I log in it comes 
up again. It's quite annoying and I'm not sure what to do. How am I supposed to 
be able to fix this?

Re: SSL Certificate Verification issues

2011-02-24 Thread Brian Morrison
On Thu, 24 Feb 2011 04:07:39 -0500
Don Keeney donn...@hotmail.com wrote:

> And it has buttons to view the certificate, or Reject or Accept it.
> No matter what happens, whether I click Accept or Reject, the next
> time I log in it comes up again. It's quite annoying and I'm not sure
> what to do. How am I supposed to be able to fix this?

Well it is AOL's job to do that, all that Pidgin is telling you is that
the certificate has expired, it seems to be a new cert and they have
managed to only make it valid for 2 days.

-- 

Brian Morrison



Pidgin 2.7.7 - ICQ SSL connection still fails

2010-11-24 Thread serz
Hi all,

the problem with ICQ SSL connection was not fully solved. Today
morning I've made on my WXP(SP3) a completely new installation of
Pidgin 2.7.7 (=everything what I've found from older installs, was
deleted before installation), but problem with ICQ persists, e.g.
Jabber works fine.
I'm sitting behind proxy/firewall so unsecured access is not
solution for me.
It's strange, that at home (on my desktop & 2 laptops) with the same
settings (slogin.icq.com/5190/encrypted connection if
available/clientLogin) is Pidgin working without any troubles.
Enclosed You'll find a debug log. I hope that it could help to find
the solution.

BTW Parallel connection with an ancient Miranda 0.6.8 is successful.


Regards
Marek M.



purple-debug.log
Description: Binary data

Re: Pidgin 2.7.7 - ICQ SSL connection still fails

2010-11-24 Thread John Bailey
On 11/24/2010 07:59 AM, s...@volny.cz wrote:
> Hi all,
>
> the problem with ICQ SSL connection was not fully solved. Today
> morning I've made on my WXP(SP3) a completely new installation of
> Pidgin 2.7.7 (=everything what I've found from older installs, was
> deleted before installation), but problem with ICQ persists, e.g.
> Jabber works fine.
> I'm sitting behind proxy/firewall so unsecured access is not
> solution for me.

Unfortunately, unsecured access is the only option.  ICQ was recently split off
from the AIM servers.  Not all of the new ICQ servers support SSL.  The only
combinations of options that will work are:
  * clientLogin off and connection security set to Don't use encryption
  * clientLogin on and connection security set to Don't use encryption
  * clientLogin on and connection security set to Use encryption if available

The combination of clientLogin and Use encryption if available is the default
for new accounts and will work by using SSL where available and falling back to
unsecured connections where necessary.  We've been led to believe that
eventually all the new ICQ servers will support SSL just as the AIM servers
currently do.

John




MSN SSL problems again

2010-11-24 Thread Zacknafain Do'Urden
So what is it?  Has Microsoft decided to make a play for proprietary tech
or something?
After having fixed the MSN SSL cert already - it froze up my Pidgin only
to force me to restart, leading to a return of the now well loved omega
ssl certificate error.

I returned to the support wiki and re-downloaded the certificates in
the hope that maybe they had been updated again.

But still no success - is there more going on?
Thanks
TTT



Re: MSN SSL problems again

2010-11-24 Thread Brian Morrison
On Wed, 24 Nov 2010 15:25:12 -0500
Zacknafain Do'Urden wildnz...@inexistentia.net wrote:

> but still no success - is there more going on?

Which version are you running, 2.7.7 or something earlier?

-- 

Brian Morrison

I am not young enough to know everything
  Oscar Wilde



Re: MSN SSL problems again

2010-11-24 Thread David Woolley

Zacknafain Do'Urden wrote:

So what is it?  Has Microsoft decided to make a play for proprietary tech
or something?


In this case, it is probably a case of being reckless about Pidgin, 
etc., but, if you actually read the terms of use you agree to when you 
sign up to the MSN service, you will find that you agree not to use 
Pidgin or any other client not in a short list of approved clients.


Part of this will be for protection against misoperating clients, but a 
major factor will be protecting the business model on which the service 
is based.  For example, a recent comment was that Pidgin avoided the 
adverts that you get with Live Messenger, but one of the reasons 
Microsoft will operate that service free of charge to end users will be 
the advertising revenue that they obtain.


In this case, the change was probably made for valid security reasons, 
but it seems to have taken short cuts which rely on an updated client 
having information coded into it that the server would have to provide, 
in other cases, such as accessing https URLs.  The Microsoft client will 
have this update done, but until they make the change, unofficial 
clients may have no reason to believe that the client has been prepared 
for such a change.

--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



Re: MSN SSL problems again

2010-11-24 Thread Stu Tomlinson
On Wed, 2010-11-24 at 22:32 +, David Woolley wrote:
> Zacknafain Do'Urden wrote:
> > So what is it?  Has Microsoft decided to make a play for proprietary tech
> > or something?
>
> In this case, it is probably a case of being reckless about Pidgin, 
> etc., but, if you actually read the terms of use you agree to when you 
> sign up to the MSN service, you will find that you agree not to use 
> Pidgin or any other client not in a short list of approved clients.

Please remember Hanlon's Razor:
Never attribute to malice that which is adequately explained by
stupidity.

> Part of this will be for protection against misoperating clients, but
> a major factor will be protecting the business model on which the
> service is based.  For example, a recent comment was that Pidgin
> avoided the adverts that you get with Live Messenger, but one of the
> reasons Microsoft will operate that service free of charge to end
> users will be the advertising revenue that they obtain.

Part of what? A recent comment where? Can you actually point to anything
Microsoft have ever done that can be demonstrably proved to be done
solely with the intention of blocking 3rd party clients? (I hate to
sound defensive of Microsoft here, but FUD should not be allowed either
way).

> In this case, the change was probably made for valid security reasons, 
> but it seems to have taken short cuts which rely on an updated client 
> having information coded into it that the server would have to provide, 
> in other cases, such as accessing https URLs.  The Microsoft client will 
> have this update done, but until they make the change, unofficial 
> clients may have no reason to believe that the client has been prepared 
> for such a change.

The change was made because their SSL certificate was expiring, so they
renewed it, I guess that counts as valid security reasons. The reason
they didn't detect (and so far don't seem too concerned about) the
mis-configuration of the server(s) is that their primary client already
recognizes the new intermediate certificates that signed the new SSL
certificate as trusted anyway, so they don't have a problem with the
fact that the server(s) are still providing the old intermediates in the
chain. But the reason their primary client trusts the new certificate is
simply because they ship & update their primary OS with their own
intermediate certificates too.

Regards,


Stu.



Pidgin MSN Non Functional. SSL Certificate Error ( Recurring too ! )

2010-11-24 Thread pheedme
I don't have time to search forums for this bug, I know it's a known
issue, but in the end if this doesn't get addressed, I'm migrating to
something that works without me needing to Fuck with MSN SSL
certificates every 20 Minutes. Forward this message to someone, or
don't. If this isn't fixed in less than a week, I will have no choice but to
migrate to Empathy or another Multi-Chat client.

So Technically if all I have to do is the steps below, can this be
scripted into the software, to acquire new certificates whenever
required, or at least to verify it on connect?

Updated to the Latest Version
Tried Manually Getting New Certificate --- Fixes Issue
( Executed steps listed here )

Looked like an SSL error, which I confirmed with Goggles. I mean
Googles. I mean Google.

Anyway, to fix it, do this:
1. Open Pidgin. Go to Tools / Certificates and you should see
omega.contacts.msn.com. Delete it.
2. Then go to https://omega.contacts.msn.com . You’ll get an error on
the page, but don’t worry. Just double click on the certificate icon and
export the file to your Desktop or wherever.
3. Then go back into Pidgin and go to Tools / Certificates and Add it
via the Certificate Manager.

It should work now. Yay.



Randomly, or on next connect attempt certificate

Coming From an end user, I will discontinue use of this software, if it
does not support MSN in a stable fashion. I tried to Supply as much
useful information as possible with this message.


additional info:  From Log:

(21:13:57) account: Connecting to account phee...@vif.com.
(21:13:57) connection: Connecting. gc = 0x31867c0
(21:13:57) msn: new httpconn (0x3350e70)
(21:13:57) dns: DNS query for 'messenger.hotmail.com' queued
(21:13:57) dns: Wait for DNS child 4657 failed: No child processes
(21:13:57) dns: Created new DNS child 4677, there are now 1 children.
(21:13:57) dns: Successfully sent DNS request to child 4677
(21:13:57) dns: Got response for 'messenger.hotmail.com'
(21:13:57) dnsquery: IP resolved for messenger.hotmail.com
(21:13:57) proxy: Attempting connection to 64.4.45.62
(21:13:57) proxy: Connecting to messenger.hotmail.com:1863 with no proxy
(21:13:57) proxy: Connection in progress
(21:13:57) proxy: Connecting to messenger.hotmail.com:1863.
(21:13:57) proxy: Connected to messenger.hotmail.com:1863.
(21:13:57) msn: C: NS 000: VER 1 MSNP15 CVR0
(21:13:57) msn: S: NS 000: VER 1 MSNP15
(21:13:57) msn: C: NS 000: CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.5.1302
BC01 phee...@vif.com
(21:13:57) msn: S: NS 000: CVR 2 14.0.8117 14.0.8117 14.0.8117
http://msgruser.dlservice.microsoft.com/download/A/6/1/A616CCD4-B0CA-4A3D-B975-3EDB38081B38/en/wlsetup-cvr.exe
 http://download.live.com/?sku=messenger
(21:13:57) msn: C: NS 000: USR 3 SSO I phee...@vif.com
(21:13:57) msn: S: NS 000: XFR 3 NS 207.46.124.62:1863 U D
(21:13:57) dns: DNS query for '207.46.124.62' queued
(21:13:57) dnsquery: IP resolved for 207.46.124.62
(21:13:57) proxy: Attempting connection to 207.46.124.62
(21:13:57) proxy: Connecting to 207.46.124.62:1863 with no proxy
(21:13:57) proxy: Connection in progress
(21:13:57) proxy: Connecting to 207.46.124.62:1863.
(21:13:57) proxy: Connected to 207.46.124.62:1863.
(21:13:57) msn: C: NS 000: VER 4 MSNP15 CVR0
(21:13:57) msn: S: NS 000: VER 4 MSNP15
(21:13:57) msn: C: NS 000: CVR 5 0x0409 winnt 5.1 i386 MSNMSGR 8.5.1302
BC01 phee...@vif.com
(21:13:57) msn: S: NS 000: CVR 5 14.0.8117 14.0.8117 14.0.8117
http://msgruser.dlservice.microsoft.com/download/A/6/1/A616CCD4-B0CA-4A3D-B975-3EDB38081B38/en/wlsetup-cvr.exe
 http://download.live.com/?sku=messenger
(21:13:57) msn: C: NS 000: USR 6 SSO I phee...@vif.com
(21:13:57) msn: S: NS 000: GCF 0 5664
(21:13:57) msn: Processing GCF command
(21:13:58) msn: S: NS 000: USR 6 SSO S MBI_KEY_OLD
BCmuwXziwA3HcHv5nzwCQpIjbBng7YLhMUw937OrpcgxRD6ya+sVHIRRgU0/qOo5
(21:13:58) msn: Starting Windows Live ID authentication
(21:13:58) msn: Logging on phee...@vif.com, with policy 'MBI_KEY_OLD',
nonce 'BCmuwXziwA3HcHv5nzwCQpIjbBng7YLhMUw937OrpcgxRD6ya+sVHIRRgU0/qOo5'
(21:13:58) dns: DNS query for 'login.live.com' queued
(21:13:58) dns: Successfully sent DNS request to child 4677
(21:13:58) dns: Got response for 'login.live.com'
(21:13:58) dnsquery: IP resolved for login.live.com
(21:13:58) proxy: Attempting connection to 65.54.186.19
(21:13:58) proxy: Connecting to login.live.com:443 with no proxy
(21:13:58) proxy: Connection in progress
(21:13:58) proxy: Connecting to login.live.com:443.
(21:13:58) proxy: Connected to login.live.com:443.
(21:13:59) nss: subject=CN=login.live.com,OU=Passport,O=Microsoft
Corporation,OID.2.5.4.9=One Microsoft
Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,OID.2.5.4.15=Private
 
Organization,OID.1.3.6.1.4.1.311.60.2.1.2=Washington,OID.1.3.6.1.4.1.311.60.2.1.3=US
 issuer=CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at 
https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign, 
Inc.,C=US
(21:13:59) nss: subject=CN=VeriSign Class 3

Re: Pidgin MSN Non Functional. SSL Certificate Error ( Recurring too ! )

2010-11-24 Thread John Bailey
On 11/24/2010 09:19 PM, pheedme wrote:
> I don't have time to search forums for this bug, I know it's a known
> issue, but in the end if this doesn't get addressed, I'm migrating to
> something that works without me needing to Fuck with MSN SSL
> certificates every 20 Minutes. Forward this message to someone, or
> don't. If this isn't fixed in less than a week, I will have no choice but to
> migrate to Empathy or another Multi-Chat client.

Threats to switch to another IM client carry absolutely zero weight here.  If
you don't like Pidgin, you're free to use other software.  We're not going to
cry or lose sleep over it.  We won't even be sorry or insulted.

> So Technically if all I have to do is the steps below, can this be
> scripted into the software, to acquire new certificates whenever
> required, or at least to verify it on connect?
>
> Updated to the Latest Version
> Tried Manually Getting New Certificate --- Fixes Issue
> ( Executed steps listed here )
>
> Looked like an SSL error, which I confirmed with Goggles. I mean
> Googles. I mean Google.

The popular solution presented by a Google search is incorrect and a security
risk.  The *correct* solution is to upgrade to Pidgin 2.7.7 and read
http://developer.pidgin.im/wiki/MSNCertIssue for details.

John




Re: Pidgin MSN Non Functional. SSL Certificate Error ( Recurring too ! )

2010-11-24 Thread David Woolley

pheedme wrote:

I dont have time to search forums for this bug, I know its a known


It's not a bug, unless you believe that clairvoyance is an essential 
requirement for software developers.  It was an unannounced change in 
the interface specification by Microsoft, an interface specification 
which I believe is not fully in the public domain, and which Microsoft 
would prefer not to be available to open source developers.


Also, saying that you are not prepared to search for answers before 
asking is not a way to win friends amongst people who provide answers to 
such questions.  Commercial organisations will accept such enquiries 
because you have paid to be able to make them.  Most people providing 
free support in their own time, just see it as an abuse of their time.


--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



Re: SSL Error MSN now AIM

2010-11-23 Thread Etan Reisner
On Mon, Nov 22, 2010 at 11:48:00AM -0500, Brooke Blanchard wrote:
> I updated to the 2.7.6 version to correct my MSN SSL error. MSN works now
> but now AIM is unable to log and says 'Unable to connect to authentication
> server: SSL Handshake Failed'
>
> Brooke Blanchard

http://developer.pidgin.im/ticket/12948

-Etan



Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-22 Thread Matthias Apitz
On Sunday, November 21, 2010 at 12:09:39PM -0500, Etan Reisner wrote:

> People don't understand certificates. At all. Which is why they were
> perfectly willing to download certificates for the omega server from any
> blog/host that happened to have them up. That page is hosted on the
> pidgin.im server, the pem files come from the pidgin source, those exact
> files will be in the next release of pidgin which people will implicitly
> trust when they upgrade, etc.
>
> Any text talking about verifying things is going to complicate and confuse
> the situation more than I think it could possibly help though I do
> appreciate the thinking that goes into requesting it.
>
> I'm open to adding a note to the bottom explaining the potential dangers
> with doing this sort of thing but anything more than that I think would be
> too much.

I've right now compiled 2.7.6 on FreeBSD 8.x. It has two issues:

1)
the MSN certificate issue; the certificate is not validated after the
start of pidgin; it takes a while and it seems that if pidgin contacts
some of the *.contacts server it works, while it does not for others;
I could run it with --debug to get a list of the IP addrs...

2)
to get NLS support (for example a Spanish GUI) I must run the
./configure as:

$ CFLAGS='-I/usr/local/include' CPPFLAGS='-I/usr/local/include' ./configure --disable-nm --disable-tc

and enable '#define ENABLE_NLS 1' in config.h by hand; this was already
the case with 2.6.2 and easy to solve, because I saved the old mail :-)

Thanks for your work in any case

matthias

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/



Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-22 Thread Matthias Apitz
On Monday, November 22, 2010 at 10:35:36AM +0100, Matthias Apitz wrote:

> I've right now compiled 2.7.6 on FreeBSD 8.x. It has two issues:
>
> 1)
> the MSN certificate issue; the certificate is not validated after the
> start of pidgin; it takes a while and it seems that if pidgin contacts
> some of the *.contacts server it works, while it does not for others;
> I could run it with --debug to get a list of the IP addrs...

and here is the data from the debug log:

Pidgin resolves via DNS for omega.contacts.msn.com 5 times the IP addr
207.46.113.78 which has the following certificates:

(13:08:31) gnutls/x509: Key print: 
ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b
(13:08:31) gnutls/x509: Key print: 
7e:8a:c2:9c:5a:32:8c:c2:71:a2:d9:4f:75:70:f7:a9:1b:f6:94:05
(13:08:31) gnutls/x509: Key print: 
3d:29:1d:b8:ee:22:be:e1:33:70:06:f2:ef:c6:f9:db:dd:03:bb:25

Then it resolves to 207.46.118.183 which has other certificates:

(13:16:03) gnutls/x509: Key print: 
c8:f3:b1:69:52:36:07:33:b5:02:1b:a2:b2:b4:ce:32:b9:68:37:36
(13:16:03) gnutls/x509: Key print: 
3a:dd:0e:7e:a2:b2:84:ff:45:9e:13:73:65:b4:82:d1:88:df:bf:8a
(13:16:03) gnutls/x509: Key print: 
e5:95:8d:48:fe:10:d7:34:03:11:e8:c0:3b:b2:29:40:da:ba:2d:a3

and it can verify with success:
  
(13:16:03) certificate: Successfully verified certificate for 
omega.contacts.msn.com

i.e. it depends on the server in question :-(

HIH

matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/



SSL Error MSN now AIM

2010-11-22 Thread Brooke Blanchard
I updated to the 2.7.6 version to correct my MSN SSL error. MSN works now
but now AIM is unable to log and says 'Unable to connect to authentication
server: SSL Handshake Failed'

 

Brooke Blanchard
Estimating Assistant 

Farmer  Irwin Corporation

3300 Avenue K

Riviera Beach, FL 33404

Voice: (561) 842-5316 x 373 Fax: (561) 848-3786

 http://www.fandicorp.com/ www.fandicorp.com


Pidgin SSL-certificate error

2010-11-21 Thread Carlijn Gerrits
Hello,

I have read the FAQ on the pidgin site, but I don't understand the
instructions at all.

My version of pidgin is giving an error that says exactly this: The
certificate for omega.contacts.msn.com could not be validated. The
certificate chain presented is invalid.
I have not the faintest Idea what I should do about this. I tried restarting
both pidgin and the computer, but neither of these things worked.
I'm not about to mess with anything I don't know about, so I didn't try
anything else.

Is there anyone who can explain to me how I can solve this?

Thanks in advance,

Komiyan

Re: Pidgin SSL-certificate error

2010-11-21 Thread David Woolley

Carlijn Gerrits wrote:


I have read the FAQ on the pidgin site, but I don't understand the 
instructions at all.


Microsoft have messed up a security feature of the site.  If you don't 
understand what you are doing, you should get someone you personally 
trust, and who is competent, to make the changes.  The mechanism in 
question is about giving you a high level of certainty that you are 
dealing with the actual MSN server.  You do not have that level of 
certainty that the information that you receive on this list or from the 
bug tracker is actually coming, unaltered, from those.


You need to make an informed risk assessment before following any 
instructions.


I have not the faintest Idea what I should do about this. I tried 
restarting both pidgin and the computer, but neither of these things 
worked.


Restarting the computer is a sledge hammer approach, and generally will 
not work if the problem is a real problem introduced by a change made at 
either end, and in particular, in this case, one made at the remote end.


The official client was probably updated, securely, in advance of this 
change, and, as Microsoft don't approve of the use of third party, open 
source, clients, they probably don't care that they have broken access 
from Pidgin.


--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-21 Thread Etan Reisner
On Sun, Nov 21, 2010 at 02:35:14PM +0100, Marvin Crazy Al Jansen wrote:
> Dear sir/madam,
>
> as you probably know, Pidgin on Maemo has been having difficulties with the 
> MSN certificates, omega.contacts.msn.com in particular. I tried fixing this 
> by searching on Google, but it did me no help. The two most useful sites were 
> on maemo.org 
> (http://talk.maemo.org/showthread.php?t=65926highlight=pidgin+certificate) 
> and on tweakers.net 
> (http://gathering.tweakers.net/forum/list_message/35061610#35061610) (Dutch). 
> Basically, I'm stuck. According to these I would need to delete the 
> omega.contacts.msn.com certificates and it would automatically redownload 
> them, but this is not the case. Is there some way to fix this? Due to network 
> issues (Yay netherlands!) the only working IM on N900 is Pidgin, and now I've 
> lost that too.
>
> Is there a way to fix this?
>
> Kind regards,
> Marvin Jansen,
> The Netherlands

I'm going to single you out because you are convenient not because you are
different or worse than the other people. There have been any number of
emails sent to this mailing list about this problem with a large number of
responses containing the solutions. Please search before posting to avoid
re-asking identical questions and requiring someone (like me) to decide
whether taking the time to answer the question Yet Again is worth the time
or whether leaving your email hang and hoping you find the other answers
is an acceptable thing to do.

To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue

If you are a member of those forums please post there indicating that the
directions to replace the omega certificate directly are incorrect and
that the correct instructions are available at the link I just gave you.

-Etan



Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-21 Thread David Woolley

Etan Reisner wrote:



To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue


As this is telling people to do something potentially dangerous, I think 
it should also tell them to check that the issuer and subject on each 
certificate is different, i.e. that they are not being fed a potentially 
bogus root certificate.


It may be safe to fetch the intermediate certificates from an untrusted 
source, but only if they really are only intermediate ones.  At least I 
think that is true, but it is possible that openssl will stop when it 
finds a locally trusted intermediate certificate, in which case they 
need to verify the certificate chain before installing them.


I know that some browsers will accept a locally trusted leaf 
certificate, even though they don't trust the corresponding root.


--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
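
The check described in the message above, as an added example that is not part of the original thread or of Pidgin: refuse any downloaded PEM file whose issuer and subject match, and accept the rest only if they verify against a root that is already trusted. The function names and file arguments are assumptions; the `openssl` command-line tool (1.1.0 or later, for `-no-CApath`) is required.

```shell
#!/usr/bin/env bash
# Added example: vet downloaded PEM files before copying them into a
# client's CA certificate directory.
# Usage (after sourcing this file):
#   vet_intermediate TRUSTED_ROOT.pem CANDIDATE.pem

# Returns 0 when issuer and subject names match (a self-issued, root-style
# certificate), 1 when they differ, 2 when the file cannot be parsed.
# openssl hashes the canonical form of each name, so encoding or case
# differences do not hide a match.
is_self_issued() {
    local subj iss
    subj=$(openssl x509 -noout -subject_hash -in "$1" 2>/dev/null) || return 2
    iss=$(openssl x509 -noout -issuer_hash -in "$1" 2>/dev/null) || return 2
    [ "$subj" = "$iss" ]
}

# Returns 0 only if CANDIDATE is not self-issued AND was issued directly by
# TRUSTED_ROOT, a root obtained from a source you already trust.
vet_intermediate() {
    local root=$1 cand=$2 rc=0
    is_self_issued "$cand" || rc=$?
    case $rc in
        0) echo "REJECT $cand: issuer equals subject (would act as a root)"
           return 1 ;;
        2) echo "REJECT $cand: not a parseable certificate"
           return 1 ;;
    esac
    # -no-CApath keeps the system default CA directory out of the decision,
    # so only the root passed in can anchor the chain.
    if openssl verify -no-CApath -CAfile "$root" "$cand" >/dev/null 2>&1; then
        echo "OK $cand: issued by $root"
    else
        echo "REJECT $cand: does not chain to $root"
        return 1
    fi
}
```

A candidate that sits two or more levels below the root needs the certificates in between passed to `openssl verify` with `-untrusted`.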



Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-21 Thread Etan Reisner
On Sun, Nov 21, 2010 at 04:45:34PM +, David Woolley wrote:
 Etan Reisner wrote:


 To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue

 As this is telling people to do something potentially dangerous, I think it
 should also tell them to check that the issuer and subject on each
 certificate are different, i.e. that they are not being fed a potentially
 bogus root certificate.

 It may be safe to fetch the intermediate certificates from an untrusted
 source, but only if they really are only intermediate ones.  At least I
 think that is true, but it is possible that openssl will stop when it finds
 a locally trusted intermediate certificate, in which case they need to
 verify the certificate chain before installing them.

 I know that some browsers will accept a locally trusted leaf certificate,
 even though they don't trust the corresponding root.

People don't understand certificates. At all. Which is why they were
perfectly willing to download certificates for the omega server from any
blog/host that happened to have them up. That page is hosted on the
pidgin.im server, the pem files come from the pidgin source, those exact
files will be in the next release of pidgin which people will implicitly
trust when they upgrade, etc.

Any text talking about verifying things is going to complicate and confuse
the situation more than I think it could possibly help though I do
appreciate the thinking that goes into requesting it.

I'm open to adding a note to the bottom explaining the potential dangers
with doing this sort of thing but anything more than that I think would be
too much.

-Etan



SSL Certificate error

2010-11-18 Thread Emil Sekula
Hello,

I have this error:

http://postimage.org/image/23wkqij50/

during the Pidgin start. Why?

Regards,

Emil Sekula



RE: SSL Certificate error

2010-11-18 Thread David Balažic
Emil Sekula wrote:

 I have this error:
 
 http://postimage.org/image/23wkqij50/
 
 during the Pidgin start. Why?

I had Pidgin running with an MSN account the entire day.
When I saw these mails I disabled the MSN account and after a few seconds
I enabled it. It connected without errors.

Then I closed Pidgin and started it again. Now it gave me the same error dialog.

Using v2.7.5 on Windows XP.

Regards,
David


