Ticket #7034
Fluteman
WooyoTiNewe at mindspring.com
Sun Jun 17 05:21:03 EDT 2012
David Woolley wrote:
>
>> anything fixed is for you to contribute the tested code yourself. A
>> summary of the issue in your posting might also have given me a clue
>> as to why nothing had been done.
>
> The ticket in question basically says that Pidgin doesn't provide
> enough information about an SSL certificate that has been rejected
> because of an incomplete trust chain to allow the user to work out
> which certificate is missing from the chain, and presumably try to
> source it from a trustworthy source.
>
> I would speculate that it is not considered high priority because most
> people encountering the error would not have adequate understanding of
> public key infrastructures to understand the information anyway. I
> would suspect that many of them would do what many people do on IE, when
> presented with a certificate error: click the proceed anyway button.
>
> Of those that did recognize the problem, and did not want to bypass
> the error, some would have the knowledge to resolve it from low level
> diagnostics, and the rest would probably ask on forums.
>
> I suspect the number of people unable to proceed without the details,
> but who were able to add code to supply them, is rather small.
>
> (If it is not clear, the ticket is not about accessing Yahoo.)

Yep, that's a pretty good summary.

I was going to post a follow up asking for more assistance, for finding
some way *outside* of Pidgin to see the certificate contents given that
Pidgin doesn't show it (as ticket #7034 says, and you confirm). But
after composing it and before posting, I thought some points needed
further research so I wouldn't waste your time (and, to be honest, to
avoid appearing foolish).

I was expecting I would need to download a 3rd party app to view certs;
but such a 3rd party app Google wasn't finding for me. Yet while
scanning my computer for certificate filenames to try other search terms
for Google, I found that Windows has a security certificate tool already
built in!!! No need for a 3rd party tool!

For anyone who cares, here's the method I have now found (for Windows):

1. Accept the new - as yet untrusted - certificate into Pidgin
2. Since it is not yet truly trusted (not trusted by the user, i.e.,
   me), exit Pidgin
3. Go to Pidgin's certificate directory (on my system I found it at
   C:\Documents and Settings\<user>\Application Data\.purple\certificates\x509\tls_peers)
4. Make a copy of the certificate file in question (I just did
   drag'n'drop to the same directory, making a "Copy of..." file from it)
5. Rename the copied cert, adding the extension ".CER" to the end of
   its name
6. Double-click the renamed file, and there is the Windows dialog
   showing the certificate's contents.

Step 7 would then be either to go ahead and use Pidgin if the
certificate passes muster; or, delete the certificate file if it seems
unsafe (alternately, for the no-trust case: within Pidgin there's a
Tools/Certificates user interface having a Delete button - so maybe the
Pidgin button is preferable to my idea of deleting the certificate file
directly from the file system).

The Windows tool associated with the ".CER" file extension is called
"Crypto Shell Extensions" in some places in Windows - useful to know for
finding it with Google, or for Windows filetype association, or "Open
With...".

If anyone chooses to follow this, one caution: the Certificate dialog
has a button called "Install Certificate...", so it is more than just a
display tool. I presume it would copy the certificate into Windows
somewhere. Doesn't seem to me a good idea to click that particular button.

(P.S. For anyone who cares, the certificate in question here was due to
the "gmail.com" versus "talk.google.com" confusion; and I decided it is
safe to keep the new cert I got.)

With regard to David's response to my original question (his response
quoted above): what do you think can be asked on a Forum, given that
Pidgin doesn't display the information that would be needed for anyone
on a Forum to provide a sufficient response? I'm asking this
rhetorically, but it ought to be pondered, IMHO. It still would be nice
if a better certificate viewer were native to Pidgin. The fact that
ticket #7034 has not been closed implies I'm not the only one who thinks so.

At the same time, I do understand the range of possible reasons you've
provided for things remaining status quo.

(By the way, via Google I *did* find some forums with questions about
whether or not to accept certs when prompted by Pidgin. None that I
found had useful answers. I didn't pursue it vigorously, though.)

Thank you very much for the time and work you put into replying.
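
Added example, not part of the original post and not Pidgin's own code: a PowerShell script that reads every file in the directory from step 3 and lists subject, issuer, validity dates, thumbprint and the Windows chain-building result, with no renaming and without opening the dialog that carries the "Install Certificate..." button. It assumes the store sits under %APPDATA% (as the path in step 3 suggests) and that the files are in a format X509Certificate2 can load; Get-PeerCertSummary is a name made up for this example.

```powershell
# Added example: summarise the certificates Pidgin has stored, read-only.
# Assumption: the store is under %APPDATA%, matching the path given in step 3.
$store = Join-Path $env:APPDATA '.purple\certificates\x509\tls_peers'

# Hypothetical helper name; not part of Pidgin or Windows.
function Get-PeerCertSummary {
    param([Parameter(Mandatory)][string]$Path)

    # Loading the file into X509Certificate2 only parses it;
    # nothing is added to any Windows certificate store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Subject Alternative Name extension (OID 2.5.29.17), if present.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    # Build a chain against the Windows trust stores (not Pidgin's own CA list).
    # Revocation checking is switched off; the status list names what is missing.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        SHA1       = $cert.Thumbprint
        AltNames   = if ($san) { $san.Format($false) } else { '' }
        ChainOK    = $chainOk
        ChainNotes = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-ChildItem -Path $store -File |
    ForEach-Object { Get-PeerCertSummary -Path $_.FullName } |
    Format-List
```

The Issuer field is the name of the certificate that would have to be obtained to complete the chain, and a ChainNotes value such as PartialChain or UntrustedRoot says which kind of gap Windows sees.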