Re: Hangouts ssl error

2020-10-29 Thread Rodney D. Myers
On 10/29/20 3:19 PM, Wade Smart wrote:
> Wouldn't that depend on the service you are using?
> --
> Registered Linux User: #480675
> Registered Linux Machine: #408606
> Linux since June 2005
>
> On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers wrote:
>> Has anyone else started getting;

XMPP, which was the default when I set it up.

using void linux, if that matters

-- 
Rodney D. Myers  - wg4usa

They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759

___
Support@pidgin.im mailing list
Want to unsubscribe?  Use this link:
https://lists.pidgin.im/listinfo/support

Hangouts ssl error

2020-10-29 Thread Rodney D. Myers
Has anyone else started getting;


SSL handshake failure?

-- 
Rodney D. Myers  - wg4usa

They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759

Re: Hangouts ssl error

2020-10-29 Thread Eion Robb
Hi Rodney,

Glad to hear that worked for you :)

Unfortunately it wasn't picked up by Mozilla until it was already released,
as they added in a 'compat mode' flag into Firefox that masked the problem
for them, but broke every other app that uses NSS.

If you're interested, you can read a bit more about the bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=1672703

Cheers,
Eion

On Fri, 30 Oct 2020 at 10:42, Rodney D. Myers 
wrote:

> That worked, once I found the plugin and enabled it
>
> Thank you
>
> On 10/29/20 5:35 PM, Eion Robb wrote:
> > There was a bug introduced in the most recent version of libnss that
> > prevents it talking to most servers with SSL. It's fixed in an
> > unreleased version of nss
> >
> > As a workaround (assuming this is the problem you're getting) you can
> > limit the max version of TLS in the Tools->Plugins->NSS Preferences
> > config screen to TLS 1.2
> >
> > Hopefully that helps resolve the issue, but if not please let us know
> > and we can start down the path of getting more debug details
> >
> > Cheers,
> > Eion
> >
> > On Fri, 30 Oct 2020, 09:09 Rodney D. Myers wrote:
> >
> > On 10/29/20 3:19 PM, Wade Smart wrote:
> > > Wouldn't that depend on the service you are using?
> > > --
> > > Registered Linux User: #480675
> > > Registered Linux Machine: #408606
> > > Linux since June 2005
> > >
> > > On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers wrote:
> > >> Has anyone else started getting;
> >
> > XMPP, which was the default when I set it up.
> >
> > using void linux, if that matters
> >
> > --
> > Rodney D. Myers - wg4usa
> >
> > They that can give up essential liberty to obtain a
> > little temporary safety deserve neither liberty nor safety.
> > Ben Franklin - 1759
> >
> >
>
>
> --
> Rodney D. Myers  - wg4usa
>
> They that can give up essential liberty to obtain a
> little temporary safety deserve neither liberty nor safety.
> Ben Franklin - 1759
>
>

Re: Hangouts ssl error

2020-10-29 Thread Eion Robb
There was a bug introduced in the most recent version of libnss that
prevents it talking to most servers with SSL. It's fixed in an unreleased
version of nss

As a workaround (assuming this is the problem you're getting) you can limit
the max version of TLS in the Tools->Plugins->NSS Preferences config screen
to TLS 1.2

Hopefully that helps resolve the issue, but if not please let us know and
we can start down the path of getting more debug details

Cheers,
Eion

On Fri, 30 Oct 2020, 09:09 Rodney D. Myers wrote:

> On 10/29/20 3:19 PM, Wade Smart wrote:
> > Wouldn't that depend on the service you are using?
> > --
> > Registered Linux User: #480675
> > Registered Linux Machine: #408606
> > Linux since June 2005
> >
> > On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers wrote:
> >> Has anyone else started getting;
>
> XMPP, which was the default when I set it up.
>
> using void linux, if that matters
>
> --
> Rodney D. Myers  - wg4usa
>
> They that can give up essential liberty to obtain a
> little temporary safety deserve neither liberty nor safety.
> Ben Franklin - 1759
>

Re: Hangouts ssl error

2020-10-29 Thread Wade Smart
Wouldn't that depend on the service you are using?
-- 
Registered Linux User: #480675
Registered Linux Machine: #408606
Linux since June 2005

On Thu, Oct 29, 2020 at 1:30 PM Rodney D. Myers  wrote:
>
> Has anyone else started getting;
>
>
> SSL handshake failure?
>
> --
> Rodney D. Myers  - wg4usa
>
> They that can give up essential liberty to obtain a
> little temporary safety deserve neither liberty nor safety.
> Ben Franklin - 1759

Re: SSL Error

2015-01-01 Thread Pablo Diaz
Hi Gentlemen,

Just checking to see what else I should try doing. 



On Monday, November 17, 2014 8:23 AM, Pablo Diaz pa...@yahoo.com wrote:
 


Hi Mark,

I did have this setting enabled and tried toggling it but no luck.


Sent from my Verizon Wireless 4G LTE smartphone
Original message
From: Mark Doliner m...@kingant.net
Date: 11/16/2014 3:26 PM (GMT-08:00)
To: Wade Smart wadesm...@gmail.com
Cc: Pablo Diaz pa...@yahoo.com, support@pidgin.im
Subject: Re: SSL Error

On Mon, Nov 10, 2014 at 11:28 AM, Wade Smart wadesm...@gmail.com wrote:
 Change your setting to, use encryption if available

Note that this could allow a man-in-the-middle to eavesdrop on
anything you send and receive using the account. Where
man-in-the-middle could be the operator of whatever local network
you're using (coffee shop wifi, etc), your ISP, the government, etc.


Re: SSL Error

2014-11-16 Thread Mark Doliner
On Mon, Nov 10, 2014 at 11:28 AM, Wade Smart wadesm...@gmail.com wrote:
 Change your setting to, use encryption if available

Note that this could allow a man-in-the-middle to eavesdrop on
anything you send and receive using the account. Where
man-in-the-middle could be the operator of whatever local network
you're using (coffee shop wifi, etc), your ISP, the government, etc.



Re: SSL Error

2014-11-10 Thread Wade Smart
Change your setting to, use encryption if available and your port should
still be 5222.
--
Registered Linux User: #480675
Registered Linux Machine: #408606
Linux since June 2005


On Mon, Nov 10, 2014 at 11:02 AM, Pablo Diaz pa...@yahoo.com wrote:
 I keep having an issue trying to connect to my FB account.  I've tried all
 possible from what I have found in forums but it doesn't seem to work.

 I have the SSL error.

 Not sure what else to do.  If there is anything else I can try I would
 really appreciate it.






Pidgin 2.10.7 Windows: yahoo / ssl error

2013-10-09 Thread Vlad Ion
Dear support team,

Over the last 2 hours, I started having the following error on both
computers in my house. I tried to reboot the computers and reinstall
pidgin, though I have no luck and I get the same error.
Any help would be greatly appreciated.

(03:07:15) *connection:* Connecting. gc = 04CA35D0
(03:07:15) *util:* requesting to fetch a URL
(03:07:15) *dnsquery:* Performing DNS lookup for vcs1.msg.yahoo.com
(03:07:15) *dnsquery:* IP resolved for vcs1.msg.yahoo.com
(03:07:15) *proxy:* Attempting connection to 66.196.120.43
(03:07:15) *proxy:* Connecting to vcs1.msg.yahoo.com:80 with no proxy
(03:07:15) *proxy:* Connection in progress
(03:07:15) *proxy:* Connecting to vcs1.msg.yahoo.com:80.
(03:07:15) *proxy:* Connected to vcs1.msg.yahoo.com:80.
(03:07:15) *util:* request constructed
(03:07:16) *util:* Response headers: 'HTTP/1.1 200 OK
Content-Length: 46
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=0, must-revalidate
Expires: Sun, 10 Jun 2007 12:01:01 GMT

'
(03:07:16) *util:* parsed 46
(03:07:16) *yahoo:* Got COLO Capacity: 1
(03:07:16) *yahoo:* Got CS IP address: 66.196.121.24
(03:07:16) *dnsquery:* Performing DNS lookup for 66.196.121.24
(03:07:16) *dnsquery:* IP resolved for 66.196.121.24
(03:07:16) *proxy:* Attempting connection to 66.196.121.24
(03:07:16) *proxy:* Connecting to 66.196.121.24:5050 with no proxy
(03:07:16) *proxy:* Connection in progress
(03:07:16) *proxy:* Connecting to 66.196.121.24:5050.
(03:07:16) *proxy:* Connected to 66.196.121.24:5050.
(03:07:16) *yahoo:* 80 bytes to read, rxlen is 100
(03:07:16) *yahoo:* Yahoo Service: 0x57 Status: 1
(03:07:16) *yahoo:* Authentication: In yahoo_auth16_stage1
(03:07:16) *util:* requesting to fetch a URL
(03:07:16) *dnsquery:* Performing DNS lookup for login.yahoo.com
(03:07:16) *dnsquery:* IP resolved for login.yahoo.com
(03:07:16) *proxy:* Attempting connection to 188.125.82.242
(03:07:16) *proxy:* Connecting to login.yahoo.com:443 with no proxy
(03:07:16) *proxy:* Connection in progress
(03:07:16) *proxy:* Connecting to login.yahoo.com:443.
(03:07:16) *proxy:* Connected to login.yahoo.com:443.
(03:07:16) *nss:* subject=CN=login.yahoo.com,O=Yahoo!
Inc.,L=Sunnyvale,ST=CA,C=US issuer=CN=DigiCert High Assurance CA-3,OU=
www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *nss:* subject=CN=DigiCert High Assurance CA-3,OU=
www.digicert.com,O=DigiCert Inc,C=US issuer=CN=DigiCert High Assurance EV
Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *nss:* partial certificate chain
(03:07:16) *certificate/x509/tls_cached:* Starting verify for
login.yahoo.com
(03:07:16) *certificate/x509/tls_cached:* Checking for cached cert...
(03:07:16) *certificate/x509/tls_cached:* ...Found cached cert
(03:07:16) *nss/x509:* Loading certificate from
C:\Users\root\AppData\Roaming\.purple\certificates\x509\tls_peers\
login.yahoo.com
(03:07:16) *certificate/x509/tls_cached:* Peer cert did NOT match cached
(03:07:16) *certificate:* Checking signature chain for uid=CN=
login.yahoo.com,O=Yahoo! Inc.,L=Sunnyvale,ST=CA,C=US
(03:07:16) *certificate:* ...Good signature by CN=DigiCert High Assurance
CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *certificate:* Chain is VALID
(03:07:16) *certificate/x509/tls_cached:* Checking for a CA with
DN=CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert
Inc,C=US
(03:07:16) *certificate/x509/tls_cached:* Also checking for a CA with
DN=CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
(03:07:16) *certificate:* Failed to verify certificate for login.yahoo.com
(03:07:16) *yahoo:* Authentication: In yahoo_auth16_stage1_cb
(03:07:16) *yahoo:* Login Failed, unable to retrieve login url: Unable to
connect to login.yahoo.com: SSL peer presented an invalid certificate
(03:07:16) *connection:* Connection error on 04CA35D0 (reason: 0
description: Unable to connect to login.yahoo.com: SSL peer presented an
invalid certificate)
(03:07:16) *account:* Disconnecting account vlad_thoth (02581990)
(03:07:16) *connection:* Disconnecting connection 04CA35D0
(03:07:16) *connection:* Destroying connection 04CA35D0

Cheers,
Vlad

tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
Hello,

Pidgin 2.10.6 (libpurple 2.10.6)
4cfe697ea3ae39a4fb3dad8e3ed1c70855901095

I am trying to connect to Tor using Pidgin.  I am having a connection
issue.  Of the three proxy options socks4, socks5, and
tor/privacy(socks5), it seems I should be using tor/privacy(socks5). 

This issue has come up on some Tor lists.

Can someone explain exactly what is the difference between Tor/Privacy
Socks5, and just Socks5, and whether you believe Pidgin to preserve the
anonymity?

And also, my question as to why on my system, socks 5 works, but
Tor/Privacy(Socks5) results in SSL connection error almost
immediately (i.e. I don't think it is even making any network activity,
it just immediately displays the SSL connect error.  Setting Socks5
works fine.

Thanks



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Daniel Atallah
On Tue, Apr 2, 2013 at 7:08 PM, Ileana ile...@fairieunderground.info wrote:

 Hello,

 Pidgin 2.10.6 (libpurple 2.10.6)
 4cfe697ea3ae39a4fb3dad8e3ed1c70855901095

 I am trying to connect to Tor using Pidgin.  I am having a connection
 issue.  Of the three proxy options socks4, socks5, and
 tor/privacy(socks5), it seems I should be using tor/privacy(socks5).

 This issue has come up on some Tor lists.

 Can someone explain exactly what is the difference between Tor/Privacy
 Socks5, and just Socks5, and whether you believe Pidgin to preserve the
 anonymity?

The difference is that the Tor/Privacy proxy will disable various
other pieces of functionality (e.g. DNS queries) instead of just
proxying actual connections through a proxy.  If you have pidgin
configured appropriately (e.g. disabling UPnP, etc) we're not aware of
any leakage of information to someone listening between you and the
proxy endpoint.

 And also, my question as to why on my system, socks 5 works, but
 Tor/Privacy(Socks5) results in SSL connection error almost
 immediately (i.e. I don't think it is even making any network activity,
 it just immediately displays the SSL connect error.  Setting Socks5
 works fine.

You didn't provide any context to the specific issue, but the likely
reason for this particular error is that the Tor/Privacy Socks5 mode
will prevent DNS queries from occurring and this probably has the
effect of preventing you from determining the correct server to
connect to (e.g. a DNS SRV lookup is necessary to connect to the
appropriate XMPP server for a number of domains unless you specify a
Connect Server manually).

-D



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
 
 You didn't provide any context to the specific issue, but the likely
 reason for this particular error is that the Tor/Privacy Socks5 mode
 will prevent DNS queries from occurring and this probably has the
 effect of preventing you from determining the correct server to
 connect to (e.g. a DNS SRV lookup is necessary to connect to the
 appropriate XMPP server for a number of domains unless you specify a
 Connect Server manually).
 

Daniel,

Sorry for the lack of context.  I am using tor and pidgin 
Pidgin 2.10.6 (libpurple 2.10.6), on linux.

I am connecting to a normal irc server.

It works with socks 5, it doesn't work, and immediately fails, with
tor/privacy socks5 with error ssl connection failed.

When I try to connect to an IRC tor hidden service
address (blahblahblah.onion) I get: 
Unable to connect: Aborting DNS lookup in Tor Proxy mode.

When I try to connect to a regular IRC address/hostname, I get SSL
Connection Failed.

Both work when I select socks5.  Neither works with tor/privacy(socks5).

Are you suggesting I should be putting the ip addresses in directly for
these hostnames?  That isn't even possible in the case of the hidden
service addresses.  And the hidden service address seems to resolve and
work fine with the socks5 setting.

I don't see how this can't be some kind of bug?  Aren't the dns requests
supposed to go through the proxy?  Do you need to add a check box (do
dns lookup at proxy end), as appears in the main proxy config screen,
for each individual setting?

I am concerned some users may be using pidgin incorrectly.  But you
might be right that it is a dns problem, and it is attempting the
lookup locally.  In the case of the TAILS OS, all dns is transparently
routed over the tor, so local dns gets resolved, and that would work.
But for most privacy users, local dns queries are a big no-no, yet
they need to be done, and hence are done via socks 5 at proxy end.

What is the workaround now? Use socks4 and make the changes? Is it
sufficient to turn off UPnP and disable unnecessary plugins, or is the
tor/privacy setting doing stuff in the code that an end user can't set
manually?  I.E. If I just use socks5 and disable plugins, is that
enough?  Does it do anything versus CTCP/ping/dcc etc?

Thanks




Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
From my basic understanding, a tor/privacy setting should ensure:

*no local dns lookups (perhaps as an options checkbox)
socks4 automatically does lookup at end...there is no option.
socks5 you have option for local or remote dns in the spec.  Most tor
users want remote, except in the case of TAILS a user might handle the
dns queries locally (and then resolving them through for instance tor's
dns port).  I think the same side is to do them remotely.

*real ip address never gets sent out

*no other system information gets sent out(kernel version, uname,
os, etc)

*nothing that seems to be a unique identifier gets sent out upon
connect/reconnect. (i.e. ssl session ids, user agents/version, etc).

*timestamps all converted to utc

*any functionality such as dcc where there is a direct connection to
the other client should either be disabled or also insure real ip is
not leaked.

I can't think of anything else off the top of my head, but I may have
missed something.

If you are a developer and can point me to a link to the code that
handles the proxy settings, I would take a further look.

Thanks



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Daniel Atallah
On Tue, Apr 2, 2013 at 8:55 PM, Ileana ile...@fairieunderground.info wrote:

 You didn't provide any context to the specific issue, but the likely
 reason for this particular error is that the Tor/Privacy Socks5 mode
 will prevent DNS queries from occurring and this probably has the
 effect of preventing you from determining the correct server to
 connect to (e.g. a DNS SRV lookup is necessary to connect to the
 appropriate XMPP server for a number of domains unless you specify a
 Connect Server manually).


 Daniel,

 Sorry for the lack of context.  I am using tor and pidgin
 Pidgin 2.10.6 (libpurple 2.10.6), on linux.

 I am connecting to a normal irc server.

 It works with socks 5, it doesn't work, and immediately fails, with
 tor/privacy socks5 with error ssl connection failed.

 When I try to connect to an IRC tor hidden service
 address (blahblahblah.onion) I get:
 Unable to connect: Aborting DNS lookup in Tor Proxy mode.

 When I try to connect to a regular IRC address/hostname, I get SSL
 Connection Failed.

You'll need to provide more details - a sanitized debug log
(Help-Debug Window) from when it tries to connect should help.


 Both work when I select socks5.  Neither works with tor/privacy(socks5).

 Are you suggesting I should be putting the ip addresses in directly for
 these hostnames?  That isn't even possible in the case of the hidden
 service addresses.  And the hidden service address seems to resolve and
 work fine with the socks5 setting.

No, that's not necessarily what I'm suggesting.

 I don't see how this can't be some kind of bug?  Aren't the dns requests
 supposed to go through the proxy?  Do you need to add a check box (do
 dns lookup at proxy end), as appears in the main proxy config screen,
 for each individual setting?

Again, it's hard to say without more information.  It's not possible
to do all DNS requests through the proxy - you can pass a hostname to
the proxy and have it resolve it, but e.g. a SRV request can't be done
through a proxy.

No, that checkbox is globally applied, it doesn't need to be more
granularly applied.

 I am concerned some users may be using pidgin incorrectly.  But you
 might be right that it is a dns problem, and it is attempting the
 lookup locally.  In the case of the TAILS OS, all dns is transparently
 routed over the tor, so local dns gets resolved, and that would work.
 But for most privacy users, local dns queries are a big no-no, yet
 they need to be done, and hence are done via socks 5 at proxy end.

 What is the workaround now? Use socks4 and make the changes? Is it
 sufficient to turn off UPnP and disable unnecessary plugins, or is the
 tor/privacy setting doing stuff in the code that an end user can't set
 manually?  I.E. If I just use socks5 and disable plugins, is that
 enough?  Does it do anything versus CTCP/ping/dcc etc?

TAILS is pretty much irrelevant from the application perspective.
I'm going to hold off answering the rest because we don't know what
the problem is.

-D



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Daniel Atallah
On Tue, Apr 2, 2013 at 9:11 PM, Ileana ile...@fairieunderground.info wrote:
 From my basic understanding, a tor/privacy setting should ensure:

All of my answers below apply to stock Pidgin when you select
Tor/Privacy in the proxy settings- any third party plugins could
change the behavior.

Some effort has been put into making XMPP safe from a privacy
perspective; other protocols have issues - good patches are always
welcome.

 *no local dns lookups (perhaps as an options checkbox)
 socks4 automatically does lookup at end...there is no option.
 socks5 you have option for local or remote dns in the spec.  Most tor
 users want remote, except in the case of TAILS a user might handle the
 dns queries locally (and then resolving them through for instance tor's
 dns port).  I think the same side is to do them remotely.

The libpurple DNS functionality will be blocked - anything that can be
done through the proxy will be done, otherwise the functionality will
fail (for things using the libpurple DNS API).

It's possible that protocols like gadu-gadu or sametime, which use
external libraries to implement the protocol, would make DNS requests
without using the libpurple API.

It looks like Bonjour/Link-Local accounts will send stuff out on your
local network, because that's how the protocol works.

 *real ip address never gets sent out

This should be the case for XMPP.

If libpurple/Pidgin is configured appropriately, it won't know what
your external IP address is.


 *no other system information gets sent out(kernel version, uname,
 os, etc)

Your IRC account default settings contain some information from your
OS user account, but you're free to change them.

See https://developer.pidgin.im/ticket/15295

There may be other issues for other protocols


 *nothing that seems to be a unique identifier gets sent out upon
 connect/reconnect. (i.e. ssl session ids, user agents/version, etc).

Of course unique things will be sent out - you're connecting to a IM
account and your account name will be sent out (and possibly your
password too depending on what you're connecting to).


 *timestamps all converted to utc

I'm not sure if there are places where your timezone or information
that can be used to deduce your timezone are sent out, but I don't
consider this sensitive.

 *any functionality such as dcc where there is a direct connection to
 the other client should either be disabled or also insure real ip is
 not leaked.

This wouldn't be a reasonable assumption to make for protocols other than XMPP.

 I can't think of anything else off the top of my head, but I may have
 missed something.

 If you are a developer and can point me to a link to the code that
 handles the proxy settings, I would take a further look.

libpurple/proxy.c



Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
On Tue, 2 Apr 2013 21:46:20 -0400
Daniel Atallah datal...@pidgin.im wrote:

 
  Daniel,
 
  Sorry for the lack of context.  I am using tor and pidgin
  Pidgin 2.10.6 (libpurple 2.10.6), on linux.
 
  I am connecting to a normal irc server.
 
  It works with socks 5, it doesn't work, and immediately fails, with
  tor/privacy socks5 with error ssl connection failed.
 
  When I try to connect to an IRC tor hidden service
  address (blahblahblah.onion) I get:
  Unable to connect: Aborting DNS lookup in Tor Proxy mode.
 
  When I try to connect to a regular IRC address/hostname, I get SSL
  Connection Failed.
 
 You'll need to provide more details - a sanitized debug log
 (Help-Debug Window) from when it tries to connect should help.
 

(21:49:24) account: Connecting to account foo44...@irc.oftc.net.
(21:49:24) connection: Connecting. gc = 0xb83c3868
(21:49:24) dnsquery: Performing DNS lookup for localhost
(21:49:24) dnsquery: Aborting DNS lookup in Tor Proxy mode.
(21:49:24) proxy: Connection attempt failed: Aborting DNS lookup in Tor Proxy 
mode.
(21:49:24) connection: Connection error on 0xb83c3868 (reason: 0 description: 
SSL Connection Failed)
(21:49:24) account: Disconnecting account foo44...@irc.oftc.net (0xb7c39428)
(21:49:24) connection: Disconnecting connection 0xb83c3868
(21:49:24) connection: Destroying connection 0xb83c3868
(21:49:28) autorecon: do_signon called
(21:49:28) autorecon: calling purple_account_connect

I don't understand this...it says it is doing dns lookup for localhost?

Ahh! I found it...I had localhost in the settings rather than
127.0.0.1.

When I set it to 127.0.0.1 for the proxy host, it works.  I see, it
cuts off all local dns requests, including looking at the host file.

I am not sure if this should be documented...most other applications
(firefox, thunderbird, etc) have the option to do some names locally,
in particular, localhost should usually work.  This may be considered a
minor bug?


 
 Again, it's hard to say without more information.  It's not possible
 to do all DNS requests through the proxy - you can pass a hostname to
 the proxy and have it resolve it, but e.g. a SRV request can't be done
 through a proxy.


 
 No, that checkbox is globally applied, it doesn't need to be more
 granularly applied.

Perhaps you are right.  And I am mixed up in my statements.  socks 4
you have the option local/remote dns.  socks4a seems to automatically
do remote, no option, but pidgin doesn't seem to do socks4a.  And socks5
again the option, but it seems the common setting is to do remote
lookup.  

 
  I am concerned some users may be using pidgin incorrectly.  But you
  might be right that it is a dns problem, and it is attempting the
  lookup locally.  In the case of the TAILS OS, all dns is
  transparently routed over the tor, so local dns gets resolved, and
  that would work. But for most privacy users, local dns queries are
  a big no-no, yet they need to be done, and hence are done via socks
  5 at proxy end.
 
  What is the workaround now? Use socks4 and make the changes? Is it
  sufficient to turn off UPnP and disable unnecessary plugins, or is
  the tor/privacy setting doing stuff in the code that an end user
  can't set manually?  I.E. If I just use socks5 and disable plugins,
  is that enough?  Does it do anything versus CTCP/ping/dcc etc?
 
 TAILS is pretty much irrelevant from the application perspective.
 I'm going to hold off answering the rest because we don't know what
 the problem is.
 
OK...I see what you are saying.  I see how TAILS should be irrelevant
from the application end...up into the point the application itself is
sending out information that could deanonymize the client.  TAILS really
can't do anything about that, hence I like that pidgin is
compartmentalizing the problem by having this privacy setting.  I just
think it should be documented exactly what it is doing.

It seems your Tor/Privacy mode should keep the user, by any means
possible, from doing un-intentional loss of private information at the
application level.

Thanks for helping me resolve this, and your obvious work on this app,
which is really nice. I guess I will have to look at the code to see
exactly what is the difference from the socks5/torprivacy setting?  You
mentioned, obviously, it blocking DNS, and we see that here.  I am
wanting a full list of differences.

___
Support@pidgin.im mailing list
Want to unsubscribe?  Use this link:
http://pidgin.im/cgi-bin/mailman/listinfo/support
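
Both debug logs quoted in this archive end with a generic error ("SSL Connection Failed", "SSL peer presented an invalid certificate") while the cause is logged a few lines earlier. As an added example (written for this page, not Pidgin code and not from any poster), this Python script rejoins the wrapped log lines and reports what preceded each connection error; the cause labels are names chosen here, and the sample logs are abridged from the ones quoted above.

```python
import re

# Abridged from the two debug logs quoted in this archive, with the archive's
# line wrapping kept so the parser has to rejoin continuation lines.
TOR_LOG = """\
(21:49:24) connection: Connecting. gc = 0xb83c3868
(21:49:24) dnsquery: Performing DNS lookup for localhost
(21:49:24) dnsquery: Aborting DNS lookup in Tor Proxy mode.
(21:49:24) proxy: Connection attempt failed: Aborting DNS lookup in Tor Proxy
mode.
(21:49:24) connection: Connection error on 0xb83c3868 (reason: 0 description:
SSL Connection Failed)
"""

YAHOO_LOG = """\
(03:07:16) *proxy:* Connected to login.yahoo.com:443.
(03:07:16) *nss:* partial certificate chain
(03:07:16) *certificate/x509/tls_cached:* Peer cert did NOT match cached
(03:07:16) *certificate:* Chain is VALID
(03:07:16) *certificate:* Failed to verify certificate for login.yahoo.com
(03:07:16) *connection:* Connection error on 04CA35D0 (reason: 0
description: Unable to connect to login.yahoo.com: SSL peer presented an
invalid certificate)
"""

# "(HH:MM:SS) category: message"; the category may be wrapped in asterisks.
ENTRY = re.compile(r"^\((\d\d:\d\d:\d\d)\)\s+\*?([^:*]+):\*?\s*(.*)$")

# Log fragments seen in the logs above, mapped to labels chosen for this example.
CAUSES = [
    ("Aborting DNS lookup in Tor Proxy mode", "dns-blocked-by-tor-mode"),
    ("partial certificate chain", "incomplete-chain"),
    ("Peer cert did NOT match cached", "cached-peer-cert-mismatch"),
    ("Failed to verify certificate", "cert-verify-failed"),
]


def parse(log):
    """Return (time, category, message) tuples, rejoining wrapped lines."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY.match(raw)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries and raw.strip():
            entries[-1][2] += " " + raw      # continuation of the previous entry
    return [(t, c, " ".join(msg.split())) for t, c, msg in entries]


def triage(log):
    """For each connection error, list the cause lines logged before it."""
    findings, causes, last_lookup, blocked = [], [], None, None
    for _time, category, msg in parse(log):
        lookup = re.match(r"Performing DNS lookup for (\S+)", msg)
        if category == "dnsquery" and lookup:
            last_lookup = lookup.group(1)
        for needle, label in CAUSES:
            if needle in msg and label not in causes:
                causes.append(label)
                if label == "dns-blocked-by-tor-mode":
                    blocked = last_lookup    # the name that was refused
        if category == "connection" and msg.startswith("Connection error"):
            reported = re.search(r"description: (.*)\)$", msg)
            findings.append({
                "reported": reported.group(1) if reported else msg,
                "causes": causes,
                "blocked_lookup": blocked,
            })
            causes, last_lookup, blocked = [], None, None
    return findings


if __name__ == "__main__":
    for name, log in (("tor", TOR_LOG), ("yahoo", YAHOO_LOG)):
        for finding in triage(log):
            print(name, finding)
```

For the Tor log this reports the blocked lookup of `localhost` behind the "SSL Connection Failed" message, which is the setting the poster changed to 127.0.0.1.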


Re: tor/privacy (socks5) option giving ssl error

2013-04-02 Thread Ileana
On Tue, 2 Apr 2013 22:36:51 -0400
Daniel Atallah datal...@pidgin.im wrote:

 On Tue, Apr 2, 2013 at 9:11 PM, Ileana
 ile...@fairieunderground.info wrote:
  From my basic understanding, a tor/privacy setting should ensure:
 
 All of my answers below apply to stock Pidgin when you select
 Tor/Privacy in the proxy settings- any third party plugins could
 change the behavior.
 
 Some effort has been put into making XMPP safe from a privacy
 perspective; other protocols have issues - good patches are always
 welcome.

Well thanks for the effort.
 
  *no local dns lookups (perhaps as an options checkbox)
  socks4 automatically does lookup at end...there is no option.
  socks5 you have option for local or remote dns in the spec.  Most
  tor users want remote, except in the case of TAILS a user might
  handle the dns queries locally (and then resolving them through for
  instance tor's dns port).  I think the same side is to do them
  remotely.
 
 The libpurple DNS functionality will be blocked - anything that can be
 done through the proxy will be done, otherwise the functionality will
 fail (for things using the libpurple DNS API).
 
 It's possible that protocols like gadu-gadu or sametime, which use
 external libraries to implement the protocol, would make DNS requests
 without using the libpurple API.
 
 It looks like Bonjour/Link-Local accounts will send stuff out on your
 local network, because that's how the protocol works.
 
  *real ip address never gets sent out
 
 This should be the case for XMPP.
 
 If libpurple/Pidgin is configured appropriately, it won't know what
 your external IP address is.
 
 
  *no other system information gets sent out(kernel version, uname,
  os, etc)
 
 Your IRC account default settings contain some information from your
 OS user account, but you're free to change them.
 
 See https://developer.pidgin.im/ticket/15295
 
 There may be other issues for other protocols
 
 
  *nothing that seems to be a unique identifier gets sent out upon
  connect/reconnect. (i.e. ssl session ids, user agents/version, etc).
 
 Of course unique things will be sent out - you're connecting to a IM
 account and your account name will be sent out (and possibly your
 password too depending on what you're connecting to).

Everyone disagrees about the User Agent issue and this has been a big
pain in the butt across applications from browsers to torrent to chat.
It seems XMPP/Pidgin does send out the timezone and pidgin
version/libpurple version. Seems like minor non-sensitive stuff but it
does allow partitioning of the userspace.

 
 
  *timestamps all converted to utc
 
 I'm not sure if there are places where your timezone or information
 that can be used to deduce your timezone are sent out, but I don't
 consider this sensitive.
 
  *any functionality such as dcc where there is a direct connection to
  the other client should either be disabled or also insure real ip is
  not leaked.
 
 This wouldn't be a reasonable assumption to make for protocols other
 than XMPP.
 
  I can't think of anything else off the top of my head, but I may
  have missed something.
 
  If you are a developer and can point me to a link to the code that
  handles the proxy settings, I would take a further look.
 
 libpurple/proxy.c

Thanks for the info.  I will take a look at it.

___
Support@pidgin.im mailing list
Want to unsubscribe?  Use this link:
http://pidgin.im/cgi-bin/mailman/listinfo/support
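
The DNS behaviour discussed in this thread, as an added example (Python written for this page, not libpurple code): a SOCKS5 CONNECT request can carry the destination as a hostname so that the proxy resolves it, while the proxy's own address has to be usable without any lookup once local DNS is refused. `plan` and `LocalDNSBlocked` are hypothetical names that model that refusal, and ports 9050 and 6697 are assumed sample values.

```python
import ipaddress
import struct


class LocalDNSBlocked(Exception):
    """Hypothetical error: a name would have to be resolved on the local machine."""


def ip_literal(host):
    """Return an ipaddress object when host is an IP literal, otherwise None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def socks5_connect_request(dest_host, dest_port):
    """Encode an RFC 1928 CONNECT request without resolving dest_host locally."""
    ip = ip_literal(dest_host)
    if ip is None:
        # ATYP 0x03: length-prefixed hostname, resolved by the proxy (remote DNS).
        name = dest_host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1 to 255 bytes")
        addr = b"\x03" + bytes([len(name)]) + name
    elif ip.version == 4:
        addr = b"\x01" + ip.packed          # ATYP 0x01: 4-byte IPv4 address
    else:
        addr = b"\x04" + ip.packed          # ATYP 0x04: 16-byte IPv6 address
    # VER=5, CMD=1 (CONNECT), RSV=0, then address and port in network order.
    # The request has room for a host and a port only, not for a DNS record
    # type, so an SRV lookup cannot be expressed this way.
    return b"\x05\x01\x00" + addr + struct.pack("!H", dest_port)


def plan(proxy_host, proxy_port, dest_host, dest_port):
    """Return (proxy_ip, proxy_port, request) or raise if local DNS is needed."""
    proxy_ip = ip_literal(proxy_host)
    if proxy_ip is None:
        # Models the log line "Aborting DNS lookup in Tor Proxy mode":
        # even "localhost" is a name and would need a resolver call.
        raise LocalDNSBlocked(f"proxy host {proxy_host!r} is not an IP literal")
    return str(proxy_ip), proxy_port, socks5_connect_request(dest_host, dest_port)


if __name__ == "__main__":
    # Assumed sample values: 9050 as the local SOCKS port, 6697 as the IRC port.
    for proxy in ("localhost", "127.0.0.1"):
        try:
            ip, port, req = plan(proxy, 9050, "blahblahblah.onion", 6697)
            print(f"{proxy}: connect to {ip}:{port}, send {req.hex()}")
        except LocalDNSBlocked as exc:
            print(f"{proxy}: refused, {exc}")
```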


Re: SSL Error MSN now AIM

2010-11-23 Thread Etan Reisner
On Mon, Nov 22, 2010 at 11:48:00AM -0500, Brooke Blanchard wrote:
 I updated to the 2.7.6 version to correct my MSN SSL error . MSN works now
 but now AIM is unable to log and says 'Unable to connect to authentication
 server: SSL Handshake Failed'

 Brooke Blanchard

http://developer.pidgin.im/ticket/12948

-Etan



SSL Error MSN now AIM

2010-11-22 Thread Brooke Blanchard
I updated to the 2.7.6 version to correct my MSN SSL error . MSN works now
but now AIM is unable to log and says 'Unable to connect to authentication
server: SSL Handshake Failed'

 

Brooke Blanchard
Estimating Assistant 

Farmer  Irwin Corporation

3300 Avenue K

Riviera Beach, FL 33404

Voice: (561) 842-5316 x 373 Fax: (561) 848-3786

 http://www.fandicorp.com/ www.fandicorp.com

P please consider the environment before printing this email. 


Request Support on SSL Error

2009-05-22 Thread Morning Star
Dear support team,

I used pidgin for nearly 3 months. Now I reinstall old version and
installed new version 2.5.6. I use pidgin as second gtalk. Currently I
am facing SSL Connection Failed problem. Here is my setting

BASIC TAB

Protocol :XMPP
Username : my google id
Domain : gmail.com
Resource: Home
Password : ***
Remember : on


Advanced TAB

Require SSL/TLS : uncheck
Forced old (port 5222) SSL : check
Allow plaintext : uncheck
Connect port : 443
Connect Server : talk.google.com
File transfer proxies : proxy.jabber.org (default one)
Proxy options: Use Global Proxy setting


I think that my setting is fine but I still have SSL Connection Failed
problem. Please kindly support my problem.

With Regards,
Thet Wai Aung (hexahacker)
