I believe this bug was introduced with the "fix" for bug #401567.
At that time, the SSL implementation was changed from GNUTLS to NSS. Unfortunately, the NSS plugin in pidgin does no certificate checking at all, meaning that any certificate is accepted (including malformed or self-signed ones).
I recommend switching back to gnutls. Patch attached. The attached patch also corrects a problem in reading the certificate store from /etc/ssl/certs. (Note that this patch is cumulative to 00_debian-ca-certs.patch.)
Unfortunately, it is now the case that any passwords transmitted over an NSS-created link could have been compromised by man-in-the-middle attacks, since many people use the PLAIN auth mechanism. Any valuable passwords compromised in this way should be changed.
-- Miron
diff -ur pidgin-2.4.1/debian/rules pidgin-2.4.1-gnutls/debian/rules --- pidgin-2.4.1/debian/rules 2008-08-02 19:04:58.000000000 -0700 +++ pidgin-2.4.1-gnutls/debian/rules 2008-08-02 18:43:49.000000000 -0700 @@ -20,7 +20,7 @@ LDFLAGS = -Wl,--as-needed CFLAGS = -fstack-protector -DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus --enable-gnutls=no --enable-nss=yes --enable-cyrus-sasl --enable-nm --disable-silc +DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus --enable-gnutls=yes --enable-nss=no --enable-cyrus-sasl --enable-nm --disable-silc DEB_DH_MAKESHLIBS_ARGS_pidgin := -V -X/usr/lib/pidgin DEB_DH_SHLIBDEPS_ARGS_pidgin := -X/usr/lib/pidgin/gevolution.so -X/usr/lib/pidgin/cap.so -- -dSuggests debian/pidgin/usr/lib/pidgin/cap.so -dDepends diff -ur pidgin-2.4.1/libpurple/certificate.c pidgin-2.4.1-gnutls/libpurple/certificate.c --- pidgin-2.4.1/libpurple/certificate.c 2008-08-02 19:07:10.000000000 -0700 +++ pidgin-2.4.1-gnutls/libpurple/certificate.c 2008-08-02 18:56:25.000000000 -0700 @@ -745,7 +745,7 @@ x509_ca_paths = g_list_append(NULL, g_build_filename(DATADIR, "ca-certs", NULL)); #else - x509_ca_paths = g_list_append(NULL, g_build_filename("etc", + x509_ca_paths = g_list_append(NULL, g_build_filename("/etc", "ssl", "certs", NULL)); #endif }
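Review bot: the debian/rules hunk flips the configure flags to --enable-gnutls=yes --enable-nss=no but nothing else in the patch changes the package's build dependencies; no debian/control hunk is included, so please confirm that the GnuTLS development package is already in Build-Depends (and that the NSS one can be dropped), otherwise configure will fail to find GnuTLS on a clean build.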
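Review bot: in the certificate.c hunk the change from "etc" to "/etc" is correct but deserves a comment in the code, because it is easy to re-break: g_build_filename("etc", "ssl", "certs", NULL) yields the relative path etc/ssl/certs, resolved against the process's working directory, so the #else branch never found the Debian CA store and the client ran with an empty trust list. Suggest a one-line comment above the call stating that the path is absolute on purpose, and, since the #ifdef branch already takes its directory from the build-time DATADIR constant, consider making the Debian path a configure-time value as well instead of a literal.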
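The report's central point, that a TLS client which does no certificate checking will happily hand its PLAIN password to whoever answers the connection, is easy to demonstrate without touching pidgin. The following is an added example, not code from the bug report or from the pidgin project: it mints a throw-away self-signed certificate (standing in for whatever a man-in-the-middle would present), serves it on localhost, and connects three ways with Python's ssl module: with no checking at all, with the system CA store (the /etc/ssl/certs directory the patch fixes the path to, on Debian), and with the self-signed certificate explicitly trusted as an anchor. The hostname im.example.test is a constructed placeholder, and the openssl command-line tool is assumed to be installed.

```python
"""Added example (not from the bug report or from pidgin): what "no
certificate checking at all" means for a TLS client.  A throw-away
self-signed cert stands in for a MITM's forged one; im.example.test
is a constructed placeholder; the openssl CLI is assumed to exist."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "im.example.test"   # constructed placeholder, not a real server


def make_self_signed(workdir, hostname=HOST):
    """Mint a self-signed cert + key with openssl.  Anyone can do this,
    which is exactly why a client must check the chain and the name."""
    key = os.path.join(workdir, "key.pem")
    crt = os.path.join(workdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={hostname}",
         "-addext", f"subjectAltName=DNS:{hostname}"],
        check=True, capture_output=True)
    return crt, key


def start_server(crt, key):
    """Serve the self-signed cert on 127.0.0.1; returns (port, stop_event).
    Each accepted client gets the greeting b"hello" if the handshake
    completes; a client that rejects our cert simply aborts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    with ctx.wrap_socket(conn, server_side=True) as tls:
                        tls.sendall(b"hello")
                except OSError:
                    pass   # client tore down the handshake: it rejected us
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def fetch_greeting(port, ctx):
    """Connect with the given client context.  Returns the greeting bytes,
    or the verification error that stopped the handshake."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=HOST) as tls:
                return tls.recv(16)
    except ssl.SSLCertVerificationError as err:
        return err


def no_verification_context():
    """Mirrors the behaviour the report describes: any certificate goes,
    malformed, self-signed or forged, and the name is never compared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def demo():
    """Run the three clients against the forged cert; returns a dict of
    outcomes keyed by client type."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        crt, key = make_self_signed(workdir)
        port, stop = start_server(crt, key)
        try:
            # 1. no checking: the forged cert is accepted, a PLAIN password would flow
            results["unverified"] = fetch_greeting(port, no_verification_context())
            # 2. system trust store (the OS CA bundle, /etc/ssl/certs on Debian): rejected
            results["system_store"] = fetch_greeting(port, ssl.create_default_context())
            # 3. this cert explicitly trusted as an anchor: accepted, and the name is checked
            results["pinned"] = fetch_greeting(port, ssl.create_default_context(cafile=crt))
        finally:
            stop.set()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome!r}")
```

The same three-way check is how to exercise a real IM client: point it at a local listener presenting a certificate it has never seen, and a client that gets as far as sending a login has the bug the report describes. Only the "pinned" and "system_store" clients above behave as a TLS client should, and only the former connects, because the forged certificate chains to nothing in the system store.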