On 22/09/13 21:26, skyper wrote:

1. Which ROOT CA storage does pidgin use to authenticate a server side
SSL certificate?

See ./configure --help. At a quick scan, it looks like it uses its own set of root certificates by default. The default will depend on the OS, at least to some extent. On Debian, it looks like the default is /usr/share/purple/ca-certs.

If you didn't compile it yourself, the choices made by the packager may differ from the build system defaults.


2. How can I configure pidgin to use one (and just one; exclusive) ROOT
CA storage (or single certificate) and ignore all other system-wide root
certs without having to recompile the source?

On that reading, if it has been compiled to use its own certificates, delete the other certificates. Again, on the above reading, this will be a global change for all libpurple clients. If it has been compiled to use a system directory, your caveat cannot be met.


3. How can I harden pidgin to fail connecting to the jabber server if
SSL trust can not be established? I do not want to see any warning that
the SSL cert can not be authenticated or the user being asked if he
trusts the certificate manually.

That goes against the general philosophy of open source clients, that the user should be assumed to be responsible. My guess is that this not only requires recompiling, but also requires source code changes.

Please note I'm not an expert on this. I'm just going on a very quick scan of the configure script, and the general design philosophy of open source client software.
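The "keep one root, remove the rest" step from the answer to question 2, as an added example that is not part of the original message or of Pidgin's code. It assumes the CA directory (such as the /usr/share/purple/ca-certs path mentioned above) holds PEM files; the function names are hypothetical and the sample "certificates" are constructed placeholder bytes, not real certificates.

```python
import base64, hashlib, shutil, ssl, tempfile
from pathlib import Path

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first PEM certificate in pem_text."""
    start = pem_text.index(BEGIN)               # ValueError if no PEM block
    end = pem_text.index(END, start) + len(END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:end])).hexdigest()

def plan_ca_dir(ca_dir, keep_fingerprints):
    """Dry run: classify files as (keep, remove, unparsable); changes nothing."""
    keep, remove, unparsable = [], [], []
    for path in sorted(Path(ca_dir).iterdir()):
        if not path.is_file():
            continue
        try:
            fp = fingerprint(path.read_text(encoding="ascii", errors="replace"))
        except ValueError:                      # also covers bad base64
            unparsable.append(path.name)        # review these by hand
            continue
        (keep if fp in keep_fingerprints else remove).append(path.name)
    return keep, remove, unparsable

def apply_plan(ca_dir, remove, quarantine_dir):
    """Move unwanted roots aside instead of deleting, so the change is reversible."""
    Path(quarantine_dir).mkdir(parents=True, exist_ok=True)
    for name in remove:
        shutil.move(str(Path(ca_dir) / name), str(Path(quarantine_dir) / name))

def make_constructed_pem(payload):
    """Constructed sample only: PEM framing around arbitrary bytes."""
    return f"{BEGIN}\n{base64.encodebytes(payload).decode('ascii')}{END}\n"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        ca_dir = Path(tmp) / "ca-certs"         # stand-in for the real directory
        ca_dir.mkdir()
        wanted = make_constructed_pem(b"constructed root A")
        (ca_dir / "wanted.pem").write_text(wanted)
        (ca_dir / "other.pem").write_text(make_constructed_pem(b"constructed root B"))
        (ca_dir / "README").write_text("not a certificate\n")
        plan = plan_ca_dir(ca_dir, {fingerprint(wanted)})
        apply_plan(ca_dir, plan[1], Path(tmp) / "quarantine")
        return plan, sorted(p.name for p in ca_dir.iterdir())

if __name__ == "__main__":
    print(demo())
```

Run `plan_ca_dir` on its own first and read the three lists before calling `apply_plan`. Re-run the plan after package upgrades, since reinstalling the package may put files back into the directory.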

