The problem definitely remains.

This morning, pidgin under Hardy started giving me the 'invalid
certificate' error for login.live.com, asking me blindly whether or not
to accept the new certificate. It showed me nothing more than the
fingerprint and start/end times to make that choice.

Coincidentally, update manager showed me an update to pidgin, but even
after update the error persisted. I now have:

ii  libpurple0                             1:2.7.0-0ubuntu1.1~pidgin1.08.04     
                      multi-protocol instant messaging library
ii  pidgin                                 1:2.7.0-0ubuntu1.1~pidgin1.08.04     
                      graphical multi-protocol instant messaging client for X
ii  pidgin-data                            1:2.7.0-0ubuntu1.1~pidgin1.08.04     
                      multi-protocol instant messaging client - data files
ii  pidgin-otr                             3.1.0-1                              
                      Off-the-Record Messaging plugin for pidgin

The error also continued after deleting the existing login.live.com
certificate from within pidgin.

I initially rejected the certificate, on the basis that there might be
an upstream device intercepting, logging and/or modifying the traffic.

However I was able to verify the certificate manually like this:

(1) openssl s_client -CApath /etc/ssl -connect login.live.com:443

This showed that the certificate is indeed valid and signed by a trusted
CA (verify return code 0 = OK)

(2) Copy-paste the PEM certificate shown from step 1 into a new file
(ll.cert)

(3) Take the fingerprint of that certificate:

openssl x509 -in ll.cert -noout -fingerprint
> SHA1 Fingerprint=C9:F2:FD:50:A2:0C:AB:4A:45:22:F9:23:E1:91:04:9E:01:F0:64:48

(4) This value matches the value shown by pidgin, so I was able to
accept it safely

It's pretty ridiculous that an end-user has to go to such extremes to
ensure the security of their comms, when all the machinery and the trust
root needed to validate it is already present within Ubuntu.

-- 
Pidgin not using existing root TLS/SSL certificates for validation
https://bugs.launchpad.net/bugs/302314
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

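The manual check in steps (1) to (4) above can be reproduced offline. The script below is an added example, not part of the bug report or of pidgin: it builds a throwaway CA plus an "interceptor" CA, issues one leaf certificate for the hostname from each, and then applies the same two checks the reporter did, chain validation against a trust root (openssl verify, the offline equivalent of the s_client verify return code) and comparison of the SHA1 fingerprint against the value a client would display. All CA names, file names and the working directory are constructed for the demo; the real login.live.com certificate is not involved.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce the manual check offline.
# Builds a trusted CA and an untrusted "interceptor" CA, issues a leaf for the
# same hostname from each, then validates chains and compares fingerprints.
# All names and the working directory below are constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"
HOST="login.live.com"   # hostname from the report; the certs here are self-made

# Make a CA: private key plus self-signed certificate, $1 is the basename.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# Issue a leaf certificate for $HOST signed by CA $1, written as $WORK/$2.pem.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$HOST" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -sha256 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Step (1) offline: validate leaf $2 against trust root $1.
# Exit status 0 means the chain verifies, like "Verify return code: 0 (ok)".
verify_against_root() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Step (3): SHA1 fingerprint of leaf $1, colon separated, as pidgin shows it.
fingerprint_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha1 \
        | sed 's/^.*=//'
}

# Step (4): compare the fingerprint the client displayed ($2) with the one
# derived from leaf $1. Case and colons are ignored so hand-typed values work.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    have=$(fingerprint_of "$1" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Create both CAs and one leaf from each.
setup_demo() {
    make_ca trusted-ca && make_ca interceptor-ca &&
    make_leaf trusted-ca good-leaf && make_leaf interceptor-ca mitm-leaf
}

main_demo() {
    setup_demo || { echo "openssl setup failed"; return 1; }
    shown=$(fingerprint_of good-leaf)     # what an honest client would display
    verify_against_root trusted-ca good-leaf && echo "good-leaf: chain OK"
    verify_against_root trusted-ca mitm-leaf || echo "mitm-leaf: chain REJECTED"
    fingerprint_matches good-leaf "$shown" && echo "fingerprint matches, safe to accept"
    fingerprint_matches mitm-leaf "$shown" || echo "mitm-leaf: fingerprint differs, do not accept"
}

main_demo
```

The interceptor leaf carries the same CN as the genuine one, so a dialog that shows only the subject and validity dates (as described above) cannot tell them apart; only the chain check or the fingerprint comparison does. The fingerprint comparison is only as good as the source of the reference value, which is why the chain validation in step (1) has to come first.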