Re: Pidgin 2.7.7 released!
El día Thursday, November 25, 2010 a las 04:20:48PM +, Stu Tomlinson escribió: > The string "Bad signature for" has been changed to "Bad signature from" > in the above debug message, this suggests you are not using latest > libpurple or not using latest gnutls plugin. (this change was actually > made over 15 months ago!) > > There should also be an additional log entry here saying: > (hh:mm:ss) gnutls: Dropping further peer certificates because the chain is > broken! > > Are you sure you are not using an older libpurple with current Pidgin? > > What does "pidgin -v" report as the versions of Pidgin & libpurple? > Are you sure you don't have both self-compiled and distro-provided > pidgin in your path and running the wrong one? Does running "ldconfig" > as root fix pidgin 2.7.7 to link to correct libpurple 2.7.7 ? > > If libpurple version is correct are you sure the ssl-gnutls.so plugin is > the one from 2.7.7? You'd probably have to check file timestamp to make > sure it was compiled around the same time (it's in > $prefix/lib/purple-2/ssl-gnutls.so) > > Please also check from running "pidgin -d" exactly which ssl-gnutls.so > is being loaded. I digged into this and it turned out that pidgin says: g...@current:~> pidgin -v Pidgin 2.7.7 (libpurple 2.7.7) g...@current:~> ldd /usr/local/bin/pidgin | fgrep purple libpurple.so.7 => /usr/local/lib/libpurple.so.7 (0x289e) but the /usr/local/lib/libpurple.so.7 was an older one, installed from the FreeBSD ports: libpurple-2.5.5_1; I deleted this package and compiled pidgin again with: $ CFLAGS='-I/usr/local/include' CPPFLAGS='-I/usr/local/include' ./configure --disable-nm --disable-tcl --enable-gnutls=yes --with-gnutls-libs=/usr/local/lib now it says: g...@current:~> strings /usr/local/lib/libpurple.so.7 | fgrep Bad ...Bad or missing signature by %s and pidgin uses ssl-gnutls.so: g...@current:~> pidgin -d | fgrep gnutls (10:10:44) plugins: probing /usr/local/lib/purple-2/ssl-gnutls.so (10:10:45) plugins: Loading saved plugin /usr/local/lib/purple-2/ssl-gnutls.so and it works fine now; Thanks matthias -- Matthias Apitz t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211 e - w http://www.unixarea.de/ ___ Support@pidgin.im mailing list Want to unsubscribe? Use this link: http://pidgin.im/cgi-bin/mailman/listinfo/support
Re: Pidgin 2.7.7 released!
On Thu, 2010-11-25 at 08:55 +0100, Matthias Apitz wrote: > El día Wednesday, November 24, 2010 a las 10:46:31AM +0100, Matthias Apitz > escribió: > > Thank you! I can ACK that 2.7.7. fixes the MSN certificate issue (using > > gnuTLS on FreeBSD 8.1) > > This was to early to say :-( That's not good at all. > (08:50:41) gnutls/x509: Certificate for C=US,ST=WA,L=Redmond,O=MSN,OU=MSN > Contact Services,CN=*.contacts.msn.com claims to be issued by > DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority, > but the certificate for C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact > Services,CN=*.contacts.msn.com does not match. > (08:50:41) certificate: Checking signature chain for > uid=C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com > (08:50:41) gnutls/x509: Bad signature for > DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority > on C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com The string "Bad signature for" has been changed to "Bad signature from" in the above debug message, this suggests you are not using latest libpurple or not using latest gnutls plugin. (this change was actually made over 15 months ago!) There should also be an additional log entry here saying: (hh:mm:ss) gnutls: Dropping further peer certificates because the chain is broken! Are you sure you are not using an older libpurple with current Pidgin? What does "pidgin -v" report as the versions of Pidgin & libpurple? Are you sure you don't have both self-compiled and distro-provided pidgin in your path and running the wrong one? Does running "ldconfig" as root fix pidgin 2.7.7 to link to correct libpurple 2.7.7 ? If libpurple version is correct are you sure the ssl-gnutls.so plugin is the one from 2.7.7? You'd probably have to check file timestamp to make sure it was compiled around the same time (it's in $prefix/lib/purple-2/ssl-gnutls.so) Please also check from running "pidgin -d" exactly which ssl-gnutls.so is being loaded. Regards, Stu. ___ Support@pidgin.im mailing list Want to unsubscribe? Use this link: http://pidgin.im/cgi-bin/mailman/listinfo/support
Re: Pidgin 2.7.7 released!
El día Wednesday, November 24, 2010 a las 10:46:31AM +0100, Matthias Apitz escribió: > El día Wednesday, November 24, 2010 a las 01:04:32AM -0500, John Bailey > escribió: > > > Hi all, > > > > I just pushed out the release of Pidgin 2.7.7. We rushed a release out to > > do > > two important things--finish fixing the MSN certificate issue we thought we > > had > > fixed for 2.7.6 and fix the AIM SSL Handshake Failure problem introduced in > > 2.7.6. There are also a couple minor crash fixes. > > > > Upgrade and enjoy! > > Thank you! I can ACK that 2.7.7. fixes the MSN certificate issue (using > gnuTLS on FreeBSD 8.1) This was to early to say :-( The problem still exists, here is a debug log (the cached certificate in /home/guru/.purple/certificates/x509/tls_peers/omega.contacts.msn.com was downloaded yesterday after deleting all files in /home/guru/.purple/certificates/x509/tls_peers/): (08:50:40) dns: Got response for 'omega.contacts.msn.com' (08:50:40) dnsquery: IP resolved for omega.contacts.msn.com (08:50:40) proxy: Attempting connection to 207.46.113.78 (08:50:40) proxy: Connecting to omega.contacts.msn.com:443 with no proxy (08:50:40) proxy: Connection in progress (08:50:40) proxy: Connecting to omega.contacts.msn.com:443. (08:50:40) proxy: Connected to omega.contacts.msn.com:443. (08:50:40) gnutls: Starting handshake with omega.contacts.msn.com (08:50:41) util: Writing file blist.xml to directory /home/guru/.purple (08:50:41) util: Writing file /home/guru/.purple/blist.xml (08:50:41) gnutls: Handshake complete (08:50:41) gnutls/x509: Key print: ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b (08:50:41) gnutls/x509: Key print: 7e:8a:c2:9c:5a:32:8c:c2:71:a2:d9:4f:75:70:f7:a9:1b:f6:94:05 (08:50:41) gnutls/x509: Key print: 3d:29:1d:b8:ee:22:be:e1:33:70:06:f2:ef:c6:f9:db:dd:03:bb:25 (08:50:41) gnutls: Peer provided 3 certs (08:50:41) gnutls: Lvl 0 SHA1 fingerprint: ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b (08:50:41) gnutls: Serial: 7d:da:e0:49:00:08:00:01:c8:b9 (08:50:41) gnutls: Cert DN: C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com (08:50:41) gnutls: Cert Issuer DN: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority (08:50:41) gnutls: Lvl 1 SHA1 fingerprint: 7e:8a:c2:9c:5a:32:8c:c2:71:a2:d9:4f:75:70:f7:a9:1b:f6:94:05 (08:50:41) gnutls: Serial: 61:16:6d:2f:00:04:00:00:00:20 (08:50:41) gnutls: Cert DN: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority (08:50:41) gnutls: Cert Issuer DN: CN=Microsoft Internet Authority (08:50:41) gnutls: Lvl 2 SHA1 fingerprint: 3d:29:1d:b8:ee:22:be:e1:33:70:06:f2:ef:c6:f9:db:dd:03:bb:25 (08:50:41) gnutls: Serial: 07:27:16:75 (08:50:41) gnutls: Cert DN: CN=Microsoft Internet Authority (08:50:41) gnutls: Cert Issuer DN: C=US,O=GTE Corporation,OU=GTE CyberTrust Solutions\, Inc.,CN=GTE CyberTrust Global Root (08:50:41) certificate/x509/tls_cached: Starting verify for omega.contacts.msn.com (08:50:41) certificate/x509/tls_cached: Checking for cached cert... (08:50:41) certificate/x509/tls_cached: ...Found cached cert (08:50:41) gnutls: Attempting to load X.509 certificate from /home/guru/.purple/certificates/x509/tls_peers/omega.contacts.msn.com (08:50:41) certificate/x509/tls_cached: Peer cert did NOT match cached (08:50:41) gnutls/x509: Certificate for C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com claims to be issued by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority, but the certificate for C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com does not match. (08:50:41) certificate: Checking signature chain for uid=C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com (08:50:41) gnutls/x509: Bad signature for DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority on C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com (08:50:41) certificate: ...Bad or missing signature by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority Chain is INVALID What does this mean? matthias -- Matthias Apitz t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211 e - w http://www.unixarea.de/ ___ Support@pidgin.im mailing list Want to unsubscribe? Use this link: http://pidgin.im/cgi-bin/mailman/listinfo/support
Re: Pidgin 2.7.7 released!
El día Wednesday, November 24, 2010 a las 01:04:32AM -0500, John Bailey escribió: > Hi all, > > I just pushed out the release of Pidgin 2.7.7. We rushed a release out to do > two important things--finish fixing the MSN certificate issue we thought we > had > fixed for 2.7.6 and fix the AIM SSL Handshake Failure problem introduced in > 2.7.6. There are also a couple minor crash fixes. > > Upgrade and enjoy! Thank you! I can ACK that 2.7.7. fixes the MSN certificate issue (using gnuTLS on FreeBSD 8.1) matthias -- Matthias Apitz t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211 e - w http://www.unixarea.de/ ___ Support@pidgin.im mailing list Want to unsubscribe? Use this link: http://pidgin.im/cgi-bin/mailman/listinfo/support