[Pidgin] #7566: Pidgin 2.5.2 does not save ssl information

Pidgin trac at pidgin.im
Mon Nov 17 02:18:15 EST 2008


#7566: Pidgin 2.5.2 does not save ssl information
----------------------------------------+-----------------------------------
 Reporter:  publicunimail               |        Owner:              
     Type:  defect                      |       Status:  new         
Milestone:                              |    Component:  pidgin (gtk)
  Version:  2.5.2                       |   Resolution:              
 Keywords:  security ssl bug important  |  
----------------------------------------+-----------------------------------
Description changed by publicunimail:

Old description:

> Pidgin 2.5.2 does not save ssl information in a usable fashion. That is,
> after I accept an ssl certificate for talk.gmail.com (common name
> google.com) or for various irc ssl connections, on disconnect or
> reopening pidgin it will prompt me to accept the same certificate again.
> This means that ssl verification on these connections is not really able
> to be used, unless you store the certificate or are able to confirm that
> the certificate you said yes to previously is the same.
>
> This behavior does not occur on debian lenny using the 2.4.3 pidgin which
> they patched re the previous pidgin ssl problem.
>
> I have to note that debian's 2.4.3 also has an issue with gmail.... "The
> certificate presented by "talk.google.com" claims to be from "gmail.com"
> instead.  This could mean that you are not connecting to the service you
> believe you are." That is, where a certificate is not from the service you
> are connecting to, the certificate is not stored in an "accepted" state.
> However, just to clarify, on the irc ssl connections pidgin 2.5.2 will
> prompt on reconnect / reopen of pidgin to accept / reject the same
> certificate from the same service it had previously been told to accept.
> Perhaps exceptions or multiple certificates can be stored for a given
> service (where they are known not to be from the service you are
> connecting to, or it changes between two certificates). Also, debian's
> pidgin does not prompt on reconnect within the same instance of accepting
> a given ssl certificate.

New description:

 Pidgin 2.5.2 does not save ssl information in a usable fashion. That is,
 after I accept an ssl certificate for talk.gmail.com (common name
 google.com) or for various irc ssl (who have multiple hosts --> multiple
 ssl certs) connections, on disconnect or reopening pidgin it will prompt
 me to accept the same certificate again. This means that ssl verification
 on these connections is not really able to be used, unless you store the
 certificate or are able to confirm that the certificate you said yes to
 previously is the same.

 --> Sorry, rechecked behaviour (now conforms to my observations).

 The main problem seems to be with gmail and other ssl servers where the
 certificate changes or it is not of that service --> e.g. "The
 certificate presented by "talk.google.com" claims to be from "gmail.com"
 instead.  This could mean that you are not connecting to the service you
 believe you are." That is, where a certificate is not from the service you
 are connecting to, the certificate is not stored in an "accepted" state.
 Perhaps exceptions or multiple certificates can be stored for a given
 service (where they are known not to be from the service you are
 connecting to, or it changes between two certificates).
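The behaviour the reporter asks for, a user's "accept" decision that survives reconnects and restarts and that can hold more than one certificate per service, sketched as an added example. This is illustrative code written for this ticket, not Pidgin's certificate code; the store layout, the JSON persistence and the sample certificate bytes are constructed assumptions.

```python
import hashlib
import json
from collections import defaultdict

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes; this is what gets remembered."""
    return hashlib.sha256(cert_der).hexdigest()

class AcceptedCertStore:
    """Trust-on-first-use store of user-accepted certificates, keyed by the
    host the client connected to (not by the certificate's CN). Several
    fingerprints per host are kept, so a service fronted by several hosts,
    or one whose CN does not match (talk.google.com presenting gmail.com),
    is remembered once accepted instead of prompting on every reconnect."""

    def __init__(self, accepted=None):
        self._accepted = defaultdict(set, {h: set(v) for h, v in (accepted or {}).items()})

    def accept(self, host: str, cert_der: bytes) -> None:
        self._accepted[host].add(fingerprint(cert_der))

    def check(self, host: str, cert_der: bytes, cert_cn: str):
        """Decide whether the user must be prompted. Returns (verdict, reason)."""
        if fingerprint(cert_der) in self._accepted[host]:
            return "trusted", "previously accepted for this host"
        if cert_cn != host:
            return "prompt", f"certificate claims to be from {cert_cn!r}, not {host!r}"
        return "prompt", "first certificate seen for this host"

    def dumps(self) -> str:
        """Serialise so decisions survive a restart (the missing piece in the report)."""
        return json.dumps({h: sorted(v) for h, v in self._accepted.items()})

    @classmethod
    def loads(cls, text: str) -> "AcceptedCertStore":
        return cls(json.loads(text))

def reconnect_scenario():
    """Constructed sample: first run prompts and the user accepts; after a
    restart (store reloaded from JSON) the same certificate is trusted while
    a different certificate for the same host still prompts."""
    host, cn = "talk.google.com", "gmail.com"
    cert_a = b"constructed-cert-A"   # stand-in for DER bytes, not a real cert
    cert_b = b"constructed-cert-B"
    store = AcceptedCertStore()
    first = store.check(host, cert_a, cn)[0]
    store.accept(host, cert_a)
    restarted = AcceptedCertStore.loads(store.dumps())
    return first, restarted.check(host, cert_a, cn)[0], restarted.check(host, cert_b, cn)[0]

if __name__ == "__main__":
    print(reconnect_scenario())
```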

-- 
Ticket URL: <http://developer.pidgin.im/ticket/7566#comment:4>
Pidgin <http://pidgin.im>