Problem with AIM
Duncan Berriman
duncan at berrimans.co.uk
Mon Jan 27 12:10:18 EST 2014
Hi Daniel,
Whilst I understand your point there are 2 options in a live environment.
Option 1 - Do what I’ve done until the correct solution can be found or obtained, not always possible immediately.
Option 2 - Have your service offline for a number of hours until a solution is found or obtained and implemented.
I guess I could have checked to ensure it was the AIM certificate that it was asking about with a compare on the primary and secondary strings to make it less ‘wrong’. This was more a proof of concept rather than a solution to the certificate issue.
The method I provided is purely as a stop gap whilst a solution is found or can be used in other circumstances when using a robot or headless piece of code and some (unexpected) question has to be answered via a callback.
In a number of years of running my libpurple robot it is nearly always certificates on the providers end of which I have no influence which have caused problems as they expire or require a new chain certificate. Thus I would intend to make this code optional so it can be quickly enabled as a temporary workaround whilst I find a solution.
It is not intended as a permanent fix.
I would however appreciate any comments re the actual code.
Since posting I’ve done some more research and it would appear the 2nd parameter is ignored in this callback so passing 0 is valid.
Duncan
From: Daniel Atallah [mailto:daniel.atallah at gmail.com]
Sent: 27 January 2014 16:49
To: Duncan Berriman
Cc: Pidgin Devel Mailing List
Subject: Re: Problem with AIM
On Mon, Jan 27, 2014 at 10:32 AM, Duncan Berriman <duncan at berrimans.co.uk> wrote:
>
> Hi,
>
> I did some more work on my code which may be of use to others as I see quite
> a number of questions re capturing and responding to requests when using
> libpurple as a robot or headless.
>
> This works as I can see the callback working (the request is closed) and the
> program manages to logon to AIM without the certificate present but I'm not
> sure it is totally correct. I can also see it fail to connect (as expected)
> if I change the code to do 'Reject' instead of 'Accept'.
I think you're going down the wrong path with this.
You almost certainly shouldn't be (effectively) disabling certificate validation - that's a horrible thing to do.
As Mark noted, the issue with AIM is that they have a new cert that's signed by a CA that isn't in the default pidgin CA list - the right way to resolve that particular issue is to add the CA to the CA list you're using.
If there is a particular server that is outside of your control which is using an invalid or expired cert (which is not the case with AIM), a very specific exception (for that server and certificate combination) *might* be a reasonable thing to implement, but the global thing you've done is just wrong.
-D
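
A sketch of the narrowly scoped exception discussed in this thread (one server, one certificate, and a deadline so it stays a stop-gap), given as an added example that is not code from either poster or from libpurple. All names, the host, the certificate bytes and the deadline are constructed for illustration; how a headless request handler obtains the host and certificate bytes is assumed and not shown.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* One scoped exception: this exact certificate, for this host, until a deadline. */
struct cert_exception {
    const char *host;          /* server name the prompt is about */
    const unsigned char *der;  /* full DER encoding of the pinned certificate */
    size_t der_len;
    time_t not_after;          /* exception lapses here, forcing a real fix */
};

/* Constructed sample bytes standing in for a DER certificate. */
static const unsigned char SAMPLE_DER[] = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x01, 0x01 };

/* Hypothetical exception list; the deadline is a constructed epoch value. */
static const struct cert_exception EXCEPTIONS[] = {
    { "login.example.test", SAMPLE_DER, sizeof SAMPLE_DER, (time_t)1391212800 },
};

/* ASCII case-insensitive comparison, since DNS names are case-insensitive. */
static int host_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Returns 1 to answer "Accept", 0 to answer "Reject". The default is reject. */
int cert_exception_allows(const char *host, const unsigned char *der,
                          size_t der_len, time_t now)
{
    size_t i;
    if (host == NULL || der == NULL || der_len == 0)
        return 0;
    for (i = 0; i < sizeof EXCEPTIONS / sizeof EXCEPTIONS[0]; i++) {
        const struct cert_exception *e = &EXCEPTIONS[i];
        if (now > e->not_after)
            continue;  /* stop-gap has expired */
        if (!host_equal(host, e->host))
            continue;  /* prompt is about a different server */
        if (der_len != e->der_len || memcmp(der, e->der, der_len) != 0)
            continue;  /* server presented a different certificate */
        return 1;
    }
    return 0;
}
```

Any prompt that does not match an entry exactly, including an unexpected certificate from the pinned host, is answered with a reject.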