Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-06 Thread Ethan Blanton
Why is a patch necessary to enable /etc/ssl/certs? Does --with-system-ssl-certs= not do what you need? If so, we should fix it, rather than applying additional hacks. Ethan

Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-06 Thread Ari Pollak
As far as I can tell, --with-system-ssl-certs doesn't exist in 2.4.3.
On Wed, 2008-08-06 at 13:03 -0400, Ethan Blanton wrote:
> Why is a patch necessary to enable /etc/ssl/certs? Does --with-system-ssl-certs= not do what you need? If so, we should fix it, rather than applying additional hacks.

Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-06 Thread Ethan Blanton
Ari Pollak spake unto us the following wisdom:
> As far as I can tell, --with-system-ssl-certs doesn't exist in 2.4.3.
Whoops, an excellent point. You might want to simply use the attached (untested, but compiles and looks rather trivial) patch, instead, which is from upstream. It is upstream

Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-06 Thread Ari Pollak
On Wed, 2008-08-06 at 14:43 -0400, Ethan Blanton wrote:
> Whoops, an excellent point. You might want to simply use the attached (untested, but compiles and looks rather trivial) patch, instead, which is from upstream. It is upstream revision 90ed1fb17982cbb6355d5dd32d041b8c0027509b and

Processed: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-03 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:
forwarded 492434 http://developer.pidgin.im/ticket/6500
Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates without warning
Noted your statement that Bug has been forwarded to http://developer.pidgin.im/ticket/6500.
End

Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-03 Thread Miron Cuperman
As requested, NSS patch submitted to Pidgin in forwarded bug report, so there's no need to switch to GNUTLS. However, the second half of the patch above is still needed to grab CA certs from /etc/ssl/certs. Attaching just that part. --- pidgin-2.4.1/libpurple/certificate.c +++

Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-02 Thread Miron Cuperman
I believe this bug was introduced with the fix for bug #401567. At that time, the SSL implementation was changed from GNUTLS to NSS. Unfortunately, the NSS plugin in pidgin does no certificate checking at all, meaning that any certificate is accepted (including malformed or self-signed

Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-02 Thread Tyler MacDonald
tags 492434 patch
thanks
Miron Cuperman [EMAIL PROTECTED] wrote:
> I believe this bug was introduced with the fix for bug #401567. At that time, the SSL implementation was changed from GNUTLS to NSS. Unfortunately, the NSS plugin in pidgin does no certificate checking at all, meaning

Processed: Fwd: Re: Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-02 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:
tags 492434 patch
Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates without warning
Tags were: security
Tags added: patch
thanks
Stopping processing here.
Please contact me if you need assistance.
Debian bug tracking system

Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates, without warning

2008-08-02 Thread Ari Pollak
If what you say is correct, then most Pidgin installations are not verifying certificates correctly and this isn't just a Debian problem. Any patch needs to address the real issue, especially since upstream has discouraged using GNUTLS.
Miron Cuperman wrote:
> I believe this bug was introduced

Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates without warning

2008-07-27 Thread Ari Pollak
Is the server certificate present in /etc/ssl/certs or Tools-Certificates?

Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates without warning

2008-07-25 Thread Josh Triplett
Package: pidgin
Version: 2.4.3-1
Severity: grave
Tags: security
Justification: user security hole
I recently set up a Jabber server. I used the default snakeoil certificate. When I configured Pidgin to connect to my new server, using SSL, it connected without any complaint whatsoever. - Josh