Your message dated Sat, 29 Nov 2014 01:38:19 +0000
with message-id
<CALiO0=Fm2r9oZM=pdrprphow9nbwxt-wh7rbvxfz34jrpy7...@mail.gmail.com>
and subject line Fwd: Bug#771386: pidgin: Can't connect to XMPP servers with
self-signed certs and invalid certificate chain
has caused the Debian Bug report #771386,
regarding pidgin: Can't connect to XMPP servers with self-signed certs and
invalid certificate chain
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
771386: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771386
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pidgin
Version: 2.10.10-1.1
Severity: important
Dear Maintainer,
this is basically a copy of the upstream bug:
> #16412 - NSS SSL doesn't work well with self signed certificates
> https://developer.pidgin.im/ticket/16412
In short: if the SSL certificate of the XMPP server is self-signed and
has an incomplete validation chain, the following window pops up:
> The certificate for localhost could not be validated.
> The certificate chain presented is invalid.
...but the user can only click "OK" and has no way to e.g. click "Accept" to
accept the implications, which is possible for other "invalid certificate"
warnings.
This is said to be fixed in Pidgin 2.10.11 with this commit:
> Improve NSS handling for unknown CAs
> https://hg.pidgin.im/pidgin/main/rev/9086eaeacd2c
As a workaround, a user can install the certificate into
~/.purple/certificates/x509/tls_peers/ - however, the filename has to match the
"Connect server" entry in the account configuration. If the "connect server" is
localhost (e.g. for SSH tunneled connections to the Jabber server) it might help
to alias the real hostname to localhost:
0) Assuming a "connect server" entry of "localhost" which is SSH-tunneled to
   xmpp.example.org
1) Add "xmpp.example.org" to the /etc/hosts entry for localhost:
       127.0.0.1 localhost xmpp.example.org
2) Copy certificate to ~/.purple/certificates/x509/tls_peers/xmpp.example.org
3) Pidgin v2.10.10 should now be able to connect.
Thanks,
C.
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pidgin depends on:
ii gconf2 3.2.6-3
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-13
ii libcairo2 1.14.0-2.1
ii libdbus-1-3 1.8.10-1
ii libdbus-glib-1-2 0.102-1
ii libfontconfig1 2.11.0-6.1
ii libfreetype6 2.5.2-2
ii libgadu3 1:1.12.0-5
ii libgdk-pixbuf2.0-0 2.31.1-2+b1
ii libglib2.0-0 2.42.0-2
ii libgstreamer0.10-0 0.10.36-1.5
ii libgtk2.0-0 2.24.25-1
ii libgtkspell0 2.0.16-1.1
ii libice6 2:1.0.9-1
ii libpango-1.0-0 1.36.8-2
ii libpangocairo-1.0-0 1.36.8-2
ii libpangoft2-1.0-0 1.36.8-2
ii libpurple0 2.10.10-1
ii libsm6 2:1.2.2-1
ii libx11-6 2:1.6.2-3
ii libxml2 2.9.1+dfsg1-4
ii libxss1 1:1.2.2-1
ii perl-base [perlapi-5.20.1] 5.20.1-3
ii pidgin-data 2.10.10-1
Versions of packages pidgin recommends:
ii gstreamer0.10-plugins-base 0.10.36-2
ii gstreamer0.10-plugins-good 0.10.31-3+nmu4+b1
Versions of packages pidgin suggests:
ii libsqlite3-0 3.8.7.1-1
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 2.10.11
--- End Message ---