I believe this bug was introduced with the "fix" for bug #401567.

At that time, the SSL implementation was changed from GNUTLS to NSS. Unfortunately, the NSS plugin in pidgin does no certificate checking at all, meaning that any certificate is accepted (including malformed or self-signed ones).

I recommend switching back to gnutls. Patch attached. The attached patch also corrects a problem in reading the certificate store from /etc/ssl/certs. (Note that this patch is cumulative with 00_debian-ca-certs.patch.)

Unfortunately, this means that any passwords transmitted over an NSS-created link could have been compromised by man-in-the-middle attacks, since many people use the PLAIN auth mechanism. Any valuable passwords compromised in this way should be changed.

--
Miron

diff -ur pidgin-2.4.1/debian/rules pidgin-2.4.1-gnutls/debian/rules
--- pidgin-2.4.1/debian/rules	2008-08-02 19:04:58.000000000 -0700
+++ pidgin-2.4.1-gnutls/debian/rules	2008-08-02 18:43:49.000000000 -0700
@@ -20,7 +20,7 @@
 LDFLAGS = -Wl,--as-needed
 CFLAGS = -fstack-protector
 
-DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus --enable-gnutls=no --enable-nss=yes --enable-cyrus-sasl --enable-nm --disable-silc
+DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus --enable-gnutls=yes --enable-nss=no --enable-cyrus-sasl --enable-nm --disable-silc
 DEB_DH_MAKESHLIBS_ARGS_pidgin := -V -X/usr/lib/pidgin
 DEB_DH_SHLIBDEPS_ARGS_pidgin := -X/usr/lib/pidgin/gevolution.so -X/usr/lib/pidgin/cap.so -- -dSuggests debian/pidgin/usr/lib/pidgin/cap.so -dDepends
 
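Review bot: The flag flip on the DEB_CONFIGURE_EXTRA_FLAGS line selects the gnutls SSL plugin but nothing in this patch adjusts the package's build or runtime dependencies, so the new configure run presumably only succeeds if the gnutls development headers are already pulled in by debian/control — worth confirming before this is applied. If they are not, configure may fail outright or, depending on how the build is set up, end up with neither SSL plugin, which would be a worse outcome than the one being fixed. The accompanying rationale (the NSS plugin accepting any certificate) would be useful as a one-line comment above the variable, e.g. `# gnutls rather than nss: the nss plugin performs no certificate verification (see bug report)`, so the choice is not silently reverted by a later packaging update.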
diff -ur pidgin-2.4.1/libpurple/certificate.c pidgin-2.4.1-gnutls/libpurple/certificate.c
--- pidgin-2.4.1/libpurple/certificate.c	2008-08-02 19:07:10.000000000 -0700
+++ pidgin-2.4.1-gnutls/libpurple/certificate.c	2008-08-02 18:56:25.000000000 -0700
@@ -745,7 +745,7 @@
 		x509_ca_paths = g_list_append(NULL, g_build_filename(DATADIR,
 						   "ca-certs", NULL));
 #else
-		x509_ca_paths = g_list_append(NULL, g_build_filename("etc",
+		x509_ca_paths = g_list_append(NULL, g_build_filename("/etc",
 						   "ssl", "certs", NULL));
 #endif
 	}
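Review bot: The corrected `"/etc"` argument is the actual fix here, but the #else branch leaves it unexplained next to the DATADIR-based branch above it, and the bug it fixes was silent: a relative `etc/ssl/certs` from g_build_filename would have been resolved against the process's working directory and found no CA store. A short comment would prevent a reoccurrence, e.g. `/* Absolute system CA store path; a relative "etc" here is resolved against cwd and silently yields no trusted roots. */` placed above the `x509_ca_paths =` assignment in the #else branch. Since an empty CA path list degrades verification rather than failing loudly, it may also be worth confirming that the caller logs or warns when the resulting directory cannot be read. The enclosing function starts and ends outside the hunk.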
