On Wed, 2008-08-06 at 14:43 -0400, Ethan Blanton wrote:
> Whoops, an excellent point. You might want to simply use the attached
> (untested, but compiles and looks rather trivial) patch, instead,
> which is from upstream. It is upstream revision
> 90ed1fb17982cbb6355d5dd32d041b8c0027509b and
> 19
Ari Pollak spake unto us the following wisdom:
> As far as I can tell, --with-system-ssl-certs doesn't exist in 2.4.3.
Whoops, an excellent point. You might want to simply use the attached
(untested, but compiles and looks rather trivial) patch, instead,
which is from upstream. It is upstream re
As far as I can tell, --with-system-ssl-certs doesn't exist in 2.4.3.
On Wed, 2008-08-06 at 13:03 -0400, Ethan Blanton wrote:
> Why is a patch necessary to enable /etc/ssl/certs? Does
> --with-system-ssl-certs= not do what you need? If so, we should fix
> it, rather than applying additional hack
Why is a patch necessary to enable /etc/ssl/certs? Does
--with-system-ssl-certs= not do what you need? If so, we should fix
it, rather than applying additional hacks.
Ethan
As requested, NSS patch submitted to Pidgin in forwarded bug report, so
there's no need to switch to GNUTLS.
However, the second half of the patch above is still needed to grab CA
certs from /etc/ssl/certs. Attaching just that part.
--- pidgin-2.4.1/libpurple/certificate.c
+++ pidgin-2.4.1.n
If what you say is correct, then most Pidgin installations are not
verifying certificates correctly and this isn't just a Debian problem.
Any patch needs to address the real issue, especially since upstream has
discouraged using GNUTLS.
Miron Cuperman wrote:
> I believe this bug was introduced wit
tags 492434 patch
thanks
Miron Cuperman <[EMAIL PROTECTED]> wrote:
> I believe this bug was introduced with the "fix" for bug #401567.
>
> At that time, the SSL implementation was changed from GNUTLS to NSS.
> Unfortunately, the NSS plugin in pidgin does no certificate checking at
> all, mea
I believe this bug was introduced with the "fix" for bug #401567.
At that time, the SSL implementation was changed from GNUTLS to NSS.
Unfortunately, the NSS plugin in pidgin does no certificate checking at
all, meaning that any certificate is accepted (including malformed or
self-signed ones
Is the server certificate present in /etc/ssl/certs or Tools->Certificates?
Package: pidgin
Version: 2.4.3-1
Severity: grave
Tags: security
Justification: user security hole
I recently set up a Jabber server. I used the default snakeoil
certificate. When I configured Pidgin to connect to my new server,
using SSL, it connected without any complaint whatsoever.
- Josh Tr