[Pidgin] #7566: Pidgin 2.5.2 does not save ssl information
Pidgin
trac at pidgin.im
Mon Nov 17 02:18:15 EST 2008
#7566: Pidgin 2.5.2 does not save ssl information
----------------------------------------+-----------------------------------
Reporter: publicunimail | Owner:
Type: defect | Status: new
Milestone: | Component: pidgin (gtk)
Version: 2.5.2 | Resolution:
Keywords: security ssl bug important |
----------------------------------------+-----------------------------------
Description changed by publicunimail:
Old description:
> Pidgin 2.5.2 does not save ssl information in a usable fashion. That is,
> after I accept an ssl certificate for talk.gmail.com (common name
> google.com) or for various irc ssl connections, on disconnect or
> reopening pidgin it will prompt me to accept the same certificate again.
> This means that ssl verification on these connections is not really able
> to be used, unless you store the certificate or are able to confirm that
> the certificate you said yes to previously is the same.
>
> This behavior does not occur on debian lenny using the 2.4.3 pidgin which
> they patched re the previous pidgin ssl problem.
>
> I have to note that debian's 2.4.3 also has an issue with gmail.... "The
> certificate presented by "talk.google.com" claims to be from "gmail.com"
> instead. This could mean that you are not connecting to the service you
> believe you are." That is, where a certificate is not from the service you
> are connecting to, the certificate is not stored in an "accepted" state.
> However, just to clarify on the irc ssl connections, pidgin 2.5.2 will
> prompt on reconnect / reopen of pidgin to accept / reject the same
> certificate from the same service it had previously been told to accept.
> Perhaps exceptions or multiple certificates can be stored for a given
> service (where they are known not to be from the service you are
> connecting to or it changes between two certificates). Also, debian's
> pidgin does not prompt on reconnect within the same instance of accepting
> a given ssl certificate.
New description:
Pidgin 2.5.2 does not save ssl information in a usable fashion. That is,
after I accept an ssl certificate for talk.gmail.com (common name
google.com) or for various irc ssl connections (which have multiple hosts
--> multiple ssl certs), on disconnect or reopening pidgin it will prompt
me to accept the same certificate again. This means that ssl verification
on these connections is not really able to be used, unless you store the
certificate or are able to confirm that the certificate you said yes to
previously is the same.
--> sorry, rechecked behaviour (now conforms to my observations).
The main problem seems to be with gmail and other ssl servers where the
certificate changes or it is not of that service --> e.g. "The
certificate presented by "talk.google.com" claims to be from "gmail.com"
instead. This could mean that you are not connecting to the service you
believe you are." That is, where a certificate is not from the service you
are connecting to, the certificate is not stored in an "accepted" state.
Perhaps exceptions or multiple certificates can be stored for a given
service (where they are known not to be from the service you are
connecting to or it changes between two certificates).
--
Ticket URL: <http://developer.pidgin.im/ticket/7566#comment:4>
Pidgin <http://pidgin.im>
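The behaviour the reporter wants (accept once, remember across reconnects and restarts, allow several certificates per service, and remember a certificate even when its name does not match the service) is a trust-on-first-use store keyed by service. The following is an added example written for this ticket, not Pidgin's own certificate code: it keeps SHA-256 fingerprints of accepted certificates per service in a JSON file, and the "certificates" are constructed byte strings standing in for DER-encoded data. The security point it illustrates is that without persistence every reconnect re-prompts, and a prompt the user must always answer "yes" to carries no information; with persistence a prompt only appears when something actually changed.

```python
"""Trust-on-first-use store for accepted TLS certificates, keyed per service.

Added example (not Pidgin's code). A service (the host the user meant to
connect to) may have several accepted certificates, e.g. an IRC network
whose hosts each present their own. Certificates below are constructed
byte strings standing in for DER-encoded certificates.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, Set


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class AcceptedCertStore:
    """Maps service name -> set of fingerprints the user explicitly accepted."""

    def __init__(self, path: str) -> None:
        self.path = path
        self._accepted: Dict[str, Set[str]] = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as f:
                raw = json.load(f)
            self._accepted = {svc: set(fps) for svc, fps in raw.items()}

    def save(self) -> None:
        # Persisting is the step the ticket reports as missing: without it,
        # every reconnect or restart prompts for the same certificate again.
        with open(self.path, "w", encoding="utf-8") as f:
            json.dump({svc: sorted(fps) for svc, fps in self._accepted.items()}, f)

    def accept(self, service: str, cert_der: bytes) -> None:
        # Adds to the set rather than replacing it, so a service with several
        # hosts/certificates does not bounce between "accept" prompts.
        self._accepted.setdefault(service, set()).add(fingerprint(cert_der))
        self.save()

    def is_accepted(self, service: str, cert_der: bytes) -> bool:
        return fingerprint(cert_der) in self._accepted.get(service, set())


def check_certificate(store: AcceptedCertStore, service: str, cert_der: bytes,
                      cert_common_name: str, ca_verified: bool) -> str:
    """Decide whether the client needs to prompt for a presented certificate.

    Returns "ok" when no prompt is needed, otherwise a string naming why the
    user must be asked. A certificate already accepted for this service never
    prompts again, even when its name does not match the service (the
    talk.google.com / gmail.com case from the ticket).
    """
    if store.is_accepted(service, cert_der):
        return "ok"
    if ca_verified and cert_common_name == service:
        return "ok"
    if cert_common_name != service:
        return "prompt:name-mismatch"   # "claims to be from X instead"
    return "prompt:unverified"          # self-signed or unknown CA


# Constructed stand-ins for DER certificates (not real certificates).
CERT_GMAIL = b"constructed-der-bytes-gmail-1"
CERT_IRC_A = b"constructed-der-bytes-irc-host-a"
CERT_IRC_B = b"constructed-der-bytes-irc-host-b"


def demo() -> Dict[str, str]:
    """Walk through accept, restart (reload from disk) and reconnect."""
    path = os.path.join(tempfile.mkdtemp(), "accepted.json")
    results: Dict[str, str] = {}

    store = AcceptedCertStore(path)
    results["first_connect"] = check_certificate(
        store, "talk.google.com", CERT_GMAIL, "gmail.com", True)
    store.accept("talk.google.com", CERT_GMAIL)   # user said yes once

    store = AcceptedCertStore(path)               # simulate Pidgin restart
    results["after_restart"] = check_certificate(
        store, "talk.google.com", CERT_GMAIL, "gmail.com", True)

    store.accept("irc.example.net", CERT_IRC_A)   # two hosts, two certs
    store.accept("irc.example.net", CERT_IRC_B)
    store = AcceptedCertStore(path)
    results["irc_a"] = check_certificate(store, "irc.example.net", CERT_IRC_A, "irc.example.net", False)
    results["irc_b"] = check_certificate(store, "irc.example.net", CERT_IRC_B, "irc.example.net", False)
    # A certificate accepted for one service is not trusted for another.
    results["cross_service"] = check_certificate(store, "talk.google.com", CERT_IRC_A, "talk.google.com", False)
    return results


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step}: {decision}")
```

The store is keyed by the service the user intended to reach, not by the name inside the certificate, which is what lets a deliberately accepted name mismatch be remembered without it being trusted for any other service.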