SSL security concern
David Woolley
forums at david-woolley.me.uk
Sun Sep 22 18:39:21 EDT 2013
On 22/09/13 21:26, skyper wrote:
>
> 1. Which ROOT CA storage does pidgin use to authenticate a server side
> SSL certificate?
See ./configure --help. At a quick scan, it looks like it uses its own
set of root certificates by default. The default will depend on the OS,
at least to some extent. On Debian, it looks like the default is
/usr/share/purple/ca-certs.
If you didn't compile it yourself, the choices made by the packager may
differ from the build system defaults.
>
> 2. How can I configure pidgin to use one (and just one; exclusive) ROOT
> CA storage (or single certificate) and ignore all other system-wide root
> certs without having to recompile the source?
On that reading, if it has been compiled to use its own certificates,
delete the other certificates. Again, on the above reading, this will
be a global change for all libpurple clients. If it has been compiled to
use a system directory, your caveat cannot be met.
>
> 3. How can I harden pidgin to fail connecting to the jabber server if
> SSL trust can not be established? I do not want to see any warning that
> the SSL cert can not be authenticated or the user being asked if he
> trusts the certificate manually.
That goes against the general philosophy of open source clients, that
the user should be assumed to be responsible. My guess is that this not
only requires recompiling, but also requires source code changes.
Please note I'm not an expert on this. I'm just going on a very quick
scan of the configure script, and the general design philosophy of open
source client software.
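
An added example, not part of the original message and not Pidgin or libpurple code: a read-only inventory of a CA directory such as the /usr/share/purple/ca-certs path mentioned above, showing which files hold anything other than one pinned root before any are deleted. The function names and the sample certificate bytes are constructed for illustration.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(path):
    """SHA-256 of the DER bytes of every PEM certificate block in one file."""
    fps = []
    for m in PEM_RE.finditer(Path(path).read_bytes()):
        der = base64.b64decode(b"".join(m.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps

def audit_ca_dir(ca_dir, pinned):
    """Classify files without modifying anything: 'keep' holds only pinned roots,
    'extra' holds at least one other certificate, 'not_cert' has no PEM block."""
    report = {"keep": [], "extra": [], "not_cert": []}
    for f in sorted(Path(ca_dir).iterdir(), key=lambda p: p.name):
        if not f.is_file():
            continue
        fps = cert_fingerprints(f)
        if not fps:
            report["not_cert"].append(f.name)
        elif all(fp in pinned for fp in fps):
            report["keep"].append(f.name)
        else:
            # A bundle that mixes the pinned root with others still adds trust.
            report["extra"].append(f.name)
    return report

def _pem(der):
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

def demo():
    # Constructed sample bytes, not real certificates: fingerprinting only
    # hashes the decoded block, so no X.509 parsing is involved.
    own, other = b"constructed-own-root", b"constructed-other-root"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "own_root.pem").write_bytes(_pem(own))
        (d / "other_root.pem").write_bytes(_pem(other))
        (d / "bundle.pem").write_bytes(_pem(own) + _pem(other))
        (d / "README").write_bytes(b"not a certificate\n")
        return audit_ca_dir(d, {hashlib.sha256(own).hexdigest()})

if __name__ == "__main__":
    print(demo())
```

The fingerprint is taken over the decoded DER bytes, so for a real certificate it can be compared with the SHA-256 fingerprint reported by other tools.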