Bug#771386: pidgin: Can't connect to XMPP servers with self-signed certs and invalid certificate chain

2014-12-10 Thread Kirill Sutulo
Package: pidgin
Version: 2.10.10-1~deb7u1
Followup-For: Bug #771386


I copied the certificate file to
~/.purple/certificates/x509/tls_peers/myxmpp.server.name

but keep getting the message

 The certificate for localhost could not be validated.
 The certificate chain presented is invalid.


-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pidgin depends on:
ii  gconf2                      3.2.5-1+build1
ii  libatk1.0-0                 2.4.0-2
ii  libc6                       2.13-38+deb7u6
ii  libcairo2                   1.12.2-3
ii  libdbus-1-3                 1.6.8-1+deb7u4
ii  libdbus-glib-1-2            0.100.2-1
ii  libfontconfig1              2.9.0-7.1
ii  libfreetype6                2.4.9-1.1
ii  libgdk-pixbuf2.0-0          2.26.1-1
ii  libglib2.0-0                2.33.12+really2.32.4-5
ii  libgstreamer0.10-0          0.10.36-1.2
ii  libgtk2.0-0                 2.24.10-2
ii  libgtkspell0                2.0.16-1
ii  libice6                     2:1.0.8-2
ii  libpango1.0-0               1.30.0-1
ii  libpurple0                  2.10.10-1~deb7u1
ii  libsm6                      2:1.2.1-2
ii  libx11-6                    2:1.5.0-1+deb7u1
ii  libxml2                     2.8.0+dfsg1-7+wheezy2
ii  libxss1                     1:1.2.2-1
ii  perl-base [perlapi-5.14.2]  5.14.2-21+deb7u2
ii  pidgin-data                 2.10.10-1~deb7u1

Versions of packages pidgin recommends:
ii  gstreamer0.10-plugins-base  0.10.36-1.1
ii  gstreamer0.10-plugins-good  0.10.31-3+nmu1

Versions of packages pidgin suggests:
ii  libsqlite3-0  3.7.13-1+deb7u1

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#771386: pidgin: Can't connect to XMPP servers with self-signed certs and invalid certificate chain

2014-11-28 Thread Christian Kujau
Package: pidgin
Version: 2.10.10-1.1
Severity: important

Dear Maintainer,

this is basically a copy of the upstream bug:

 #16412 - NSS SSL doesn't work well with self signed certificates
 https://developer.pidgin.im/ticket/16412

In short: if the SSL certificate of the XMPP server is self-signed and
has an incomplete validation chain, the following window pops up:

   The certificate for localhost could not be validated.
   The certificate chain presented is invalid.

but the user can only click OK and has no way to e.g. click Accept to
accept the implications, which is possible for other invalid certificate
warnings.

This is said to be fixed in Pidgin 2.10.11 with this commit:
 Improve NSS handling for unknown CAs 
 https://hg.pidgin.im/pidgin/main/rev/9086eaeacd2c

As a workaround, a user can install the certificate into
~/.purple/certificates/x509/tls_peers/ - however, the filename has to match the
Connect server entry in the account configuration. If the connect server is
localhost (e.g. for SSH tunneled connections to the Jabber server) it might help
to alias the real hostname to localhost:

 0) Assuming a connect server entry of localhost which is SSH-tunneled to
    xmpp.example.org
 1) Add xmpp.example.org to the /etc/hosts entry for localhost:
    127.0.0.1   localhost xmpp.example.org
 2) Copy certificate to ~/.purple/certificates/x509/tls_peers/xmpp.example.org
 3) Pidgin v2.10.10 should now be able to connect.

Thanks,
C.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pidgin depends on:
ii  gconf2                      3.2.6-3
ii  libatk1.0-0                 2.14.0-1
ii  libc6                       2.19-13
ii  libcairo2                   1.14.0-2.1
ii  libdbus-1-3                 1.8.10-1
ii  libdbus-glib-1-2            0.102-1
ii  libfontconfig1              2.11.0-6.1
ii  libfreetype6                2.5.2-2
ii  libgadu3                    1:1.12.0-5
ii  libgdk-pixbuf2.0-0          2.31.1-2+b1
ii  libglib2.0-0                2.42.0-2
ii  libgstreamer0.10-0          0.10.36-1.5
ii  libgtk2.0-0                 2.24.25-1
ii  libgtkspell0                2.0.16-1.1
ii  libice6                     2:1.0.9-1
ii  libpango-1.0-0              1.36.8-2
ii  libpangocairo-1.0-0         1.36.8-2
ii  libpangoft2-1.0-0           1.36.8-2
ii  libpurple0                  2.10.10-1
ii  libsm6                      2:1.2.2-1
ii  libx11-6                    2:1.6.2-3
ii  libxml2                     2.9.1+dfsg1-4
ii  libxss1                     1:1.2.2-1
ii  perl-base [perlapi-5.20.1]  5.20.1-3
ii  pidgin-data                 2.10.10-1

Versions of packages pidgin recommends:
ii  gstreamer0.10-plugins-base  0.10.36-2
ii  gstreamer0.10-plugins-good  0.10.31-3+nmu4+b1

Versions of packages pidgin suggests:
ii  libsqlite3-0  3.8.7.1-1

-- no debconf information
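
An added example, not part of the original report or of Pidgin: a shell helper for the tls_peers workaround described in the message above, which stores a self-signed certificate under the connect server name only after its SHA-256 fingerprint matches one obtained out of band. The function names, exit codes and the optional directory argument are assumptions of this sketch; it needs the openssl command.

```shell
#!/bin/sh
# Added example: pin a self-signed XMPP server certificate for Pidgin only
# after its fingerprint has been verified. Names and exit codes are
# illustrative assumptions, not part of Pidgin.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate.
# Returns non-zero if the file is not a parseable X.509 certificate.
cert_fingerprint() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${out#*=}"
}

# pin_cert CONNECT_SERVER CERT_FILE EXPECTED_FP [PEERS_DIR]
# CONNECT_SERVER is the account's "Connect server" value, i.e. the name shown
# in the "certificate for ... could not be validated" dialog. For an
# SSH-tunneled account that is "localhost", not the server's real hostname.
pin_cert() {
    server=$1 cert=$2 expected=$3
    peers=${4:-$HOME/.purple/certificates/x509/tls_peers}

    # The name becomes a file name: refuse empty names and path tricks.
    case $server in
        ''|*/*|.*) echo "invalid connect server name" >&2; return 2 ;;
    esac

    actual=$(cert_fingerprint "$cert") || {
        echo "$cert: not an X.509 certificate" >&2; return 3; }

    # EXPECTED_FP must come from the server operator over a separate channel,
    # never from the connection that is being pinned.
    a=$(printf '%s' "$actual" | tr 'a-f' 'A-F')
    e=$(printf '%s' "$expected" | tr 'a-f' 'A-F')
    if [ "$a" != "$e" ]; then
        echo "fingerprint mismatch: certificate has $actual" >&2
        return 4
    fi

    mkdir -p "$peers" || return 5
    # Re-encode as clean PEM, stored under the connect server name.
    openssl x509 -in "$cert" -outform PEM -out "$peers/$server" || return 5
}

# Usage (fingerprint value supplied by the server operator):
#   pin_cert localhost ./server.pem "AB:CD:..."
```

A certificate saved under the real hostname while the account's connect server is localhost does not match the name in the dialog, which is the situation the /etc/hosts alias in the workaround addresses.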





Bug#771386: pidgin: Can't connect to XMPP servers with self-signed certs and invalid certificate chain

2014-11-28 Thread Christian Kujau
Sorry, the correct commit that fixes this issue is:

  Fix NSS handling of self-signed certificates. Fixes #16412.
  https://hg.pidgin.im/pidgin/main/rev/befb6523dc5c

Pidgin 2.10.11 (which is in unstable) includes that commit and fixes the 
issue for me.

