Finch and mismatching x509 certificates...

Paul Aurich darkrain42 at
Wed Sep 23 13:26:07 EDT 2009

On Sep 23, 2009, at 10:01, alessandro salvatori wrote:
> Hi everybody,
>   I am hitting this issue:
> Finch doesn't ask the user whether he wants to accept a mismatching  
> certificate, but it just fails tls handshake and bails out.
> Pidgin instead presents me with a popup window, and after I accept  
> the certificate i can move on.
> Is there any workaround, given I have the certificate as it were  
> saved by Pidgin? Putting it in the certificate folder doesn't seem  
> to suffice...
> If someone's got an easy fix, I'd be glad to get a patch and rebuild.
> Below you can see the (anonymized) debug logs.

Partially. Leaving in the '' but obfuscating the connection  
server makes little sense, for the record. Anyone can sit down at a  
terminal and reproduce the query.

> thank you!
> -Alessandro

> 16:56:19 gnutls: Starting handshake with
> 16:56:19 gnutls: Handshake failed. Error A TLS fatal alert has been received.
> 16:56:19 connection: Connection error on 0x80ad588 (reason: 5 description: SSL Handshake Failed)

This is an entirely different issue from a certificate warning/error  
(which occurs *after* the handshake process).

My guess would be that you're not running Pidgin and Finch on the same  
computer (or at least from the same install), so Pidgin is using the  
NSS SSL plugin (as opposed to the GnuTLS plugin, which seems to not be  
running into these handshake failures).

If that's not the case, attach the Help->Debug Window output from  
Pidgin connecting properly as well as a debug log from Finch with the  
PURPLE_GNUTLS_DEBUG environment variable set to 4 (that will generate  
debug output from GnuTLS).

What version of Pidgin, Finch, and GnuTLS are you using?

