[Pidgin] #7566: Pidgin 2.5.2 does not save ssl information

Pidgin trac at pidgin.im
Sun Nov 16 20:44:53 EST 2008


#7566: Pidgin 2.5.2 does not save ssl information
----------------------------------------+-----------------------------------
 Reporter:  publicunimail               |        Owner:              
     Type:  defect                      |       Status:  new         
Milestone:                              |    Component:  pidgin (gtk)
  Version:  2.5.2                       |   Resolution:              
 Keywords:  security ssl bug important  |  
----------------------------------------+-----------------------------------
Description changed by publicunimail:

Old description:

> Pidgin 2.5.2 does not save ssl information in a usable fashion. That is,
> after I accept an ssl certificate for talk.gmail.com (common name
> google.com) or for various irc ssl connections, on disconnect or
> reopening pidgin it will prompt me to accept the same certificate again.
> This means that ssl verification on these connections is not really
> usable, unless you store the certificate or are able to confirm that the
> certificate you said yes to previously is the same.
>
> This behavior does not occur on debian lenny using the 2.4.3 pidgin which
> they patched for the previous pidgin ssl problem.
>

> I have to note that debian's 2.4.3 also has an issue with gmail: "The
> certificate presented by "talk.google.com" claims to be from "gmail.com"
> instead.  This could mean that you are not connecting to the service you
> believe you are." That is, where a certificate is not from the service you
> are connecting to, the certificate is not stored in an "accepted" state.
> However, just to clarify: on the irc ssl connections, pidgin 2.5.2 will
> prompt on reconnect / reopen of pidgin to accept / reject the same
> certificate from the same service it had previously been told to accept.

New description:

 Pidgin 2.5.2 does not save ssl information in a usable fashion. That is,
 after I accept an ssl certificate for talk.gmail.com (common name
 google.com) or for various irc ssl connections, on disconnect or
 reopening pidgin it will prompt me to accept the same certificate again.
 This means that ssl verification on these connections is not really
 usable, unless you store the certificate or are able to confirm that the
 certificate you said yes to previously is the same.

 This behavior does not occur on debian lenny using the 2.4.3 pidgin which
 they patched for the previous pidgin ssl problem.


 I have to note that debian's 2.4.3 also has an issue with gmail: "The
 certificate presented by "talk.google.com" claims to be from "gmail.com"
 instead.  This could mean that you are not connecting to the service you
 believe you are." That is, where a certificate is not from the service you
 are connecting to, the certificate is not stored in an "accepted" state.
 However, just to clarify: on the irc ssl connections, pidgin 2.5.2 will
 prompt on reconnect / reopen of pidgin to accept / reject the same
 certificate from the same service it had previously been told to accept.
 Perhaps exceptions or multiple certificates can be stored for a given
 service (where they are known not to be from the service you are
 connecting to, or it changes between two certificates).

--

-- 
Ticket URL: <http://developer.pidgin.im/ticket/7566#comment:2>
Pidgin <http://pidgin.im>
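The mechanism the report is asking for is a trust-on-first-use (TOFU) pin store: remember the fingerprint of a certificate the user accepted for a given host and port, accept it silently on reconnect, and only prompt again when the service presents a certificate that is not yet pinned. The example below is added to this page for illustration; it is not Pidgin's certificate code and does not reproduce libpurple's behaviour. The host names, ports, and the byte strings standing in for DER-encoded certificates are constructed. It also covers the two cases the reporter raises: a certificate whose names do not cover the host dialled (the talk.google.com / gmail.com message), which is flagged on first use but can be pinned as an explicit exception, and a service that alternates between two certificates, handled by allowing more than one pin per service.

```python
# Added example: a trust-on-first-use (TOFU) certificate pin store of the kind
# the report asks for.  Illustration code written for this page, not Pidgin's
# own certificate handling; all hosts, ports and "DER" blobs are constructed.
import hashlib
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der).hexdigest()


def name_matches(pattern: str, host: str) -> bool:
    """Does a certificate name (CN or SAN, possibly '*.example.com') cover host?
    A wildcard covers exactly one leftmost label; no partial-label wildcards."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


@dataclass
class Decision:
    status: str          # "first-use", "pinned" or "changed"
    name_mismatch: bool  # certificate names do not cover the host we dialled
    fingerprint: str

    @property
    def needs_prompt(self) -> bool:
        # Only an unpinned fingerprint reaches the user.  A pinned certificate
        # is accepted silently even if its names do not match the host, because
        # that mismatch was already shown to the user and accepted once.
        return self.status != "pinned"


class TofuStore:
    """Per-service pin store.  Several fingerprints may be pinned for one
    service, so a host that rotates between two certificates, or presents one
    whose names do not match, can still be remembered as accepted."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, List[str]] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    @staticmethod
    def _key(host: str, port: int) -> str:
        return f"{host.lower()}:{port}"

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def evaluate(self, host: str, port: int, der: bytes, cert_names: List[str]) -> Decision:
        """Classify the presented certificate against what is pinned."""
        fp = fingerprint(der)
        mismatch = not any(name_matches(n, host) for n in cert_names)
        pinned = self.pins.get(self._key(host, port), [])
        if fp in pinned:
            status = "pinned"
        elif pinned:
            status = "changed"     # known service, unknown certificate: warn
        else:
            status = "first-use"
        return Decision(status, mismatch, fp)

    def remember(self, host: str, port: int, der: bytes) -> None:
        """Pin a certificate the user explicitly accepted."""
        fps = self.pins.setdefault(self._key(host, port), [])
        fp = fingerprint(der)
        if fp not in fps:
            fps.append(fp)
        self._save()


# Constructed stand-ins for DER certificate bytes (not real certificates).
IRC_CERT_A = b"constructed DER: irc.example.net certificate #1"
IRC_CERT_B = b"constructed DER: irc.example.net certificate #2"
TALK_CERT = b"constructed DER: certificate issued to gmail.com"


def walkthrough(store: Optional[TofuStore] = None) -> List[str]:
    """Replay the sequence from the report and return the decisions made."""
    store = store or TofuStore()
    log: List[str] = []

    # 1. First IRC connection: nothing pinned, user is prompted and accepts.
    d = store.evaluate("irc.example.net", 6697, IRC_CERT_A, ["irc.example.net"])
    log.append(d.status)
    if d.needs_prompt:
        store.remember("irc.example.net", 6697, IRC_CERT_A)

    # 2. Reconnect with the same certificate: no second prompt.
    d = store.evaluate("irc.example.net", 6697, IRC_CERT_A, ["irc.example.net"])
    log.append(d.status)

    # 3. The server presents a different certificate: this must prompt again.
    d = store.evaluate("irc.example.net", 6697, IRC_CERT_B, ["irc.example.net"])
    log.append(d.status)

    # 4. Name mismatch: certificate says gmail.com, we dialled talk.google.com.
    #    Flagged on first use, then silently accepted once pinned as an exception.
    d = store.evaluate("talk.google.com", 5223, TALK_CERT, ["gmail.com"])
    log.append(f"{d.status}/mismatch={d.name_mismatch}")
    store.remember("talk.google.com", 5223, TALK_CERT)
    d = store.evaluate("talk.google.com", 5223, TALK_CERT, ["gmail.com"])
    log.append(f"{d.status}/mismatch={d.name_mismatch}")
    return log
```

Pass a `Path` to `TofuStore` to persist the pins as JSON across restarts, which is the part the report says 2.5.2 gets wrong. Note that "changed" is deliberately distinct from "first-use": a certificate that differs from one already pinned for the same host and port is exactly the signal a man-in-the-middle would produce, so a client should present it more loudly than a first-time prompt rather than as the same routine dialog.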