David Woolley wrote:

anything fixed is for you to contribute the tested code yourself. A summary of the issue in your posting might also have given me a clue as to why nothing had been done.

The ticket in question basically says that Pidgin doesn't provide enough information about an SSL certificate that has been rejected because of an incomplete trust chain to allow the user to work out which certificate is missing from the chain, and presumably try to source it from a trustworthy source.

I would speculate that it is not considered high priority because most people encountering the error would not have adequate understanding of public key infrastructures to understand the information anyway. I would suspect that many of them would do what many people do on IE, when presented with a certificate error: click the proceed anyway button.

Of those that did recognize the problem, and did not want to bypass the error, some would have the knowledge to resolve it from low level diagnostics, and the rest would probably ask on forums.

I suspect the number of people unable to proceed without the details, but who were able to add code to supply them, is rather small.

(If it is not clear, the ticket is not about accessing Yahoo.)

Yep, that's a pretty good summary.

I was going to post a follow up asking for more assistance, for finding some way *outside* of Pidgin to see the certificate contents given that Pidgin doesn't show it (as ticket #7034 says, and you confirm). But after composing it and before posting, I thought some points needed further research so I wouldn't waste your time (and, to be honest, to avoid appearing foolish).

I was expecting I would need to download a 3rd party app to view certs; but such a 3rd party app Google wasn't finding for me. Yet while scanning my computer for certificate filenames to try other search terms for Google, I found that Windows has a security certificate tool already built in!!! No need for a 3rd party tool!

For anyone who cares, here's the method I have now found (for Windows):


  1. Accept the new - as yet untrusted - certificate into Pidgin
  2. Since it is not yet truly trusted (not trusted by the user, i.e., me), exit Pidgin
  3. Go to Pidgin's certificate directory (on my system I found it at C:\Documents and Settings\<user>\Application Data\.purple\certificates\x509\tls_peers)
  4. Make a copy of the certificate file in question (I just did drag'n'drop to the same directory, making a "Copy of..." file from it)
  5. Rename the copied cert, adding the extension ".CER" to the end of its name
  6. Double-click the renamed file, and there is the Windows dialog showing the certificate's contents.


Step 7 would then be either to go ahead and use Pidgin if the certificate passes muster; or, delete the certificate file if it seems unsafe (alternately, for the no-trust case: within Pidgin there's a Tools/Certificates user interface having a Delete button - so maybe the Pidgin button is preferable to my idea of deleting the certificate file directly from the file system).

The Windows tool associated with the ".CER" file extension is called "Crypto Shell Extensions" in some places in Windows - useful to know for finding it with Google, or for Windows filetype association, or "Open With...".

If anyone chooses to follow this, one caution: the Certificate dialog has a button called "Install Certificate...", so it is more than just a display tool. I presume it would copy the certificate into Windows somewhere. Doesn't seem to me a good idea to click that particular button.

(P.S. For anyone who cares, the certificate in question here was due to the "gmail.com" versus "talk.google.com" confusion; and I decided it is safe to keep the new cert I got.)


With regard to David's response to my original question (his response quoted above): what do you think can be asked on a Forum, given that Pidgin doesn't display the information that would be needed for anyone on a Forum to provide a sufficient response? I'm asking this rhetorically, but it ought to be pondered, IMHO. It still would be nice if a better certificate viewer were native to Pidgin. The fact that ticket #7034 has not been closed implies I'm not the only one who thinks so.

At the same time, I do understand the range of possible reasons you've provided for things remaining status quo.

(By the way, via Google I *did* find some forums with questions about whether or not to accept certs when prompted by Pidgin. None that I found had useful answers. I didn't pursue it vigorously, though.)


Thank you very much for the time and work you put into replying.


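An added example, not part of the original message: the same inspection done from PowerShell, without copying or renaming the file and without opening the dialog that offers "Install Certificate...". It also reports whether Windows can build a complete chain, which is the detail ticket #7034 says Pidgin leaves out. The function name `Show-PidginPeerCert` is hypothetical, the default path is the directory given in the message, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original post. Each file is only read; the
# script does not import it into a Windows certificate store.
function Show-PidginPeerCert {   # hypothetical helper name
    param(
        # Directory named in the post; $env:APPDATA is assumed to point at
        # that user's "Application Data" folder.
        [string]$Path = "$env:APPDATA\.purple\certificates\x509\tls_peers"
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $files = Get-ChildItem -LiteralPath $Path | Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
        } catch {
            Write-Warning "$($file.Name): could not be parsed as a certificate"
            continue
        }
        # Subject Alternative Name extension (OID 2.5.29.17), if present
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        # Try to build a chain from the Windows stores, revocation checks off
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $complete = $chain.Build($cert)
        [pscustomobject]@{
            File           = $file.Name
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            SubjectAltName = if ($san) { $san.Format($false) } else { '(none)' }
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            Sha1           = $cert.Thumbprint
            Sha256         = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'
            ChainComplete  = $complete
            # e.g. PartialChain when an issuing certificate cannot be found
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            ChainFound     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        }
    }
}

Show-PidginPeerCert | Format-List
```

When `ChainStatus` includes `PartialChain`, the `Issuer` of the last entry in `ChainFound` names the certificate that is missing from the chain.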