Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-22 Thread Matthias Apitz
On Sunday, November 21, 2010 at 12:09:39PM -0500, Etan Reisner wrote:

> People don't understand certificates. At all. Which is why they were
> perfectly willing to download certificates for the omega server from any
> blog/host that happened to have them up. That page is hosted on the
> pidgin.im server, the pem files come from the pidgin source, those exact
> files will be in the next release of pidgin which people will implicitly
> trust when they upgrade, etc.
>
> Any text talking about verifying things is going to complicate and confuse
> the situation more than I think it could possibly help though I do
> appreciate the thinking that goes into requesting it.
>
> I'm open to adding a note to the bottom explaining the potential dangers
> with doing this sort of thing but anything more than that I think would be
> too much.

I've right now compiled 2.7.6 on FreeBSD 8.x. It has two issues:

1)
the MSN certificate issue; the certificate is not validated after the
start of pidgin; it takes a while and it seems that if pidgin contacts
some of the *.contacts server it works, while it does not for others;
I could run it with --debug to get a list of the IP addrs...

2)
to get NLS support (for example a Spanish GUI) I must run the
./configure as:

$ CFLAGS='-I/usr/local/include' CPPFLAGS='-I/usr/local/include' ./configure --disable-nm --disable-tc

and enable '#define ENABLE_NLS 1' in config.h by hand; this was already
the case with 2.6.2 and easy to solve, because I saved the old mail :-)

Thanks for your work in any case

matthias

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/

___
Support@pidgin.im mailing list
Want to unsubscribe?  Use this link:
http://pidgin.im/cgi-bin/mailman/listinfo/support


Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-22 Thread Matthias Apitz
On Monday, November 22, 2010 at 10:35:36AM +0100, Matthias Apitz wrote:

> I've right now compiled 2.7.6 on FreeBSD 8.x. It has two issues:
>
> 1)
> the MSN certificate issue; the certificate is not validated after the
> start of pidgin; it takes a while and it seems that if pidgin contacts
> some of the *.contacts server it works, while it does not for others;
> I could run it with --debug to get a list of the IP addrs...

and here is the data from the debug log:

Pidgin resolves omega.contacts.msn.com via DNS 5 times to the IP addr
207.46.113.78, which has the following certificates:

(13:08:31) gnutls/x509: Key print: ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b
(13:08:31) gnutls/x509: Key print: 7e:8a:c2:9c:5a:32:8c:c2:71:a2:d9:4f:75:70:f7:a9:1b:f6:94:05
(13:08:31) gnutls/x509: Key print: 3d:29:1d:b8:ee:22:be:e1:33:70:06:f2:ef:c6:f9:db:dd:03:bb:25

Then it resolves to 207.46.118.183 which has other certificates:

(13:16:03) gnutls/x509: Key print: c8:f3:b1:69:52:36:07:33:b5:02:1b:a2:b2:b4:ce:32:b9:68:37:36
(13:16:03) gnutls/x509: Key print: 3a:dd:0e:7e:a2:b2:84:ff:45:9e:13:73:65:b4:82:d1:88:df:bf:8a
(13:16:03) gnutls/x509: Key print: e5:95:8d:48:fe:10:d7:34:03:11:e8:c0:3b:b2:29:40:da:ba:2d:a3

and it can verify with success:
  
(13:16:03) certificate: Successfully verified certificate for omega.contacts.msn.com

i.e. it depends on the server in question :-(

HIH

matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/



Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-21 Thread Etan Reisner
On Sun, Nov 21, 2010 at 02:35:14PM +0100, Marvin Crazy Al Jansen wrote:
> Dear sir/madam,
>
> as you probably know, Pidgin on Maemo has been having difficulties with the
> MSN certificates, omega.contacts.msn.com in particular. I tried fixing this
> by searching on Google, but it did me no help. The two most useful sites were
> on maemo.org
> (http://talk.maemo.org/showthread.php?t=65926highlight=pidgin+certificate)
> and on tweakers.net
> (http://gathering.tweakers.net/forum/list_message/35061610#35061610) (Dutch).
> Basically, I'm stuck. According to these I would need to delete the
> omega.contacts.msn.com certificates and it would automatically redownload
> them, but this is not the case. Is there some way to fix this? Due to network
> issues (Yay netherlands!) the only working IM on N900 is Pidgin, and now I've
> lost that too.
>
> Is there a way to fix this?
>
> Kind regards,
> Marvin Jansen,
> The Netherlands

I'm going to single you out because you are convenient not because you are
different or worse than the other people. There have been any number of
emails sent to this mailing list about this problem with a large number of
responses containing the solutions. Please search before posting to avoid
re-asking identical questions and requiring someone (like me) to decide
whether taking the time to answer the question Yet Again is worth the time
or whether leaving your email hang and hoping you find the other answers
is an acceptable thing to do.

To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue

If you are a member of those forums please post there indicating that the
directions to replace the omega certificate directly are incorrect and
that the correct instructions are available at the link I just gave you.

-Etan



Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-21 Thread David Woolley

Etan Reisner wrote:

> To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue

As this is telling people to do something potentially dangerous, I think 
it should also tell them to check that the issuer and subject on each 
certificate is different, i.e. that they are not being fed a potentially 
bogus root certificate.


It may be safe to fetch the intermediate certificates from an untrusted 
source, but only if they really are only intermediate ones.  At least I 
think that is true, but it is possible that openssl will stop when it 
finds a locally trusted intermediate certificate, in which case they 
need to verify the certificate chain before installing them.


I know that some browsers will accept a locally trusted leaf 
certificate, even though they don't trust the corresponding root.


--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
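
Added example, not part of the original thread or of the Pidgin wiki page: one way to run the two checks David Woolley describes above (issuer differs from subject, and the chain verifies against roots you already trust) with the openssl command line before installing a downloaded .pem. The function names, file names and the throwaway certificates the script generates are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: vet CA .pem files before trusting them. All certificates
# used here are constructed throwaway ones, generated below.

# 0 if subject == issuer, i.e. the file is a self-issued (root-style) certificate.
is_self_issued() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$iss" ]
}

# 0 only if $1 is a genuine intermediate: not self-issued, and its signature
# chains to a root in $2 (a PEM bundle of roots you already trust).
safe_intermediate() {
    if is_self_issued "$1"; then
        return 1
    fi
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample data: two throwaway roots, one intermediate under "trusted".
make_demo_certs() {
    local d=$1 r
    for r in trusted rogue; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed $r root" \
            -keyout "$d/$r.key" -out "$d/$r.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/trusted.pem" -CAkey "$d/trusted.key" \
        -CAcreateserial -days 1 -out "$d/int.pem" 2>/dev/null
}

demo() {
    local d f
    d=$(mktemp -d) && make_demo_certs "$d" || return 1
    for f in int rogue; do
        if safe_intermediate "$d/$f.pem" "$d/trusted.pem"; then
            echo "$f.pem: ok to install"
        else
            echo "$f.pem: REJECT"
        fi
    done
    rm -rf "$d"
}
demo
```

The self-issued test alone is not enough, which is why the second step verifies the signature chain: a certificate with differing issuer and subject can still have been signed by a root you never trusted.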



Re: Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

2010-11-21 Thread Etan Reisner
On Sun, Nov 21, 2010 at 04:45:34PM +, David Woolley wrote:
> Etan Reisner wrote:
>
> > To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue
>
> As this is telling people to do something potentially dangerous, I think it
> should also tell them to check that the issuer and subject on each
> certificate is different, i.e. that they are not being fed a potentially
> bogus root certificate.
>
> It may be safe to fetch the intermediate certificates from an untrusted
> source, but only if they really are only intermediate ones.  At least I
> think that is true, but it is possible that openssl will stop when it finds
> a locally trusted intermediate certificate, in which case they need to
> verify the certificate chain before installing them.
>
> I know that some browsers will accept a locally trusted leaf certificate,
> even though they don't trust the corresponding root.

People don't understand certificates. At all. Which is why they were
perfectly willing to download certificates for the omega server from any
blog/host that happened to have them up. That page is hosted on the
pidgin.im server, the pem files come from the pidgin source, those exact
files will be in the next release of pidgin which people will implicitly
trust when they upgrade, etc.

Any text talking about verifying things is going to complicate and confuse
the situation more than I think it could possibly help though I do
appreciate the thinking that goes into requesting it.

I'm open to adding a note to the bottom explaining the potential dangers
with doing this sort of thing but anything more than that I think would be
too much.

-Etan
