[Pidgin] #7566: Pidgin 2.5.2 does not save ssl information

Pidgin trac at pidgin.im
Tue Nov 18 04:56:08 EST 2008


#7566: Pidgin 2.5.2 does not save ssl information
----------------------------------------+-----------------------------------
 Reporter:  publicunimail               |        Owner:              
     Type:  defect                      |       Status:  new         
Milestone:                              |    Component:  pidgin (gtk)
  Version:  2.5.2                       |   Resolution:              
 Keywords:  security ssl bug important  |  
----------------------------------------+-----------------------------------

Old description:

> Pidgin 2.5.2 does not save ssl information in a usable fashion. That is,
> after I accept an ssl certificate for talk.gmail.com (common name
> goolgle.com) or for various irc ssl (who have multiple hosts --> multiple
> ssl certs) connections, on disconnect or reopening pidgin it will prompt
> me to accept the same certificate again. This means that ssl verification
> on these connections is not really able to be used. Unless you store the
> certificate or are able to confirm that certificate you said yes to
> previously is the same.
>

> --> sorry rechecked behaviour (now confirms to my observations).
>
> The main problem seems to be with gmail and other ssl servers where the
> certificate changes or it is not of that service --> e.g. "The
> certificate presented by "talk.google.com" claims to be from "gmail.com"
> instead.  This could mean that you are not connecting to the service you
> believe you are." That is, where a certificate is not from the service you
> are connecting to, the certificate is not stored in an "accepted" state.
> Perhaps exceptions or multiple certificates can be stored for a given
> service (where they are known not to be from the service you are
> connecting to or it changes between two certificates).

New description:

 Pidgin 2.5.2 does not save ssl information in a usable fashion. That is,
 after I accept an ssl certificate for talk.gmail.com (common name
 goolgle.com) or for various irc ssl (who have multiple hosts --> multiple
 ssl certs) connections, on disconnect or reopening pidgin it will prompt
 me to accept the same certificate again. This means that ssl verification
 on these connections is not really able to be used. Unless you store the
 certificate or are able to confirm that certificate you said yes to
 previously is the same.

 --> sorry rechecked behaviour (now confirms to my observations).

 The main problem seems to be with gmail and other ssl servers where the
 certificate changes or it is not of that service --> e.g. "The
 certificate presented by "talk.google.com" claims to be from "gmail.com"
 instead.  This could mean that you are not connecting to the service you
 believe you are." That is, where a certificate is not from the service you
 are connecting to, the certificate is not stored in an "accepted" state.
 Perhaps exceptions or multiple certificates can be stored for a given
 service (where they are known not to be from the service you are
 connecting to or it changes between two certificates).

--

Comment(by publicunimail):

 Replying to [comment:5 deryni]:
 > If you are getting that error with Google Talk itself it almost
 > certainly means you have a Connect Server specified for your Google Talk
 > account (something which you should not need unless your DNS server is
 > unable to serve SRV records). If you remove the connect server that error
 > should go away.
 >
 > I can't speak to the other parts of this ticket.
 >
 > Also, might I suggest that in the future you add comments to your
 > tickets rather than continually editing the description (for things other
 > than errors in the original submission of course). It makes the emails
 > easier to read and follow and leaves a more obvious trail in the ticket.

 Fair enough (for the comments to the ticket). Right, so you are saying I
 have a connect server specified ... well no I don't, it's just
 talk.google.com port 5222 with the domain set as gmail.com .. just like
 pidgin sets it up... my dns does do srv ...I think...

 ;; QUESTION SECTION:
 ;_jabber._tcp.google.com.       IN      SRV

 ;; ANSWER SECTION:
 _jabber._tcp.google.com. 900    IN      SRV     20 0 5269 xmpp-server1.l.google.com.
 _jabber._tcp.google.com. 900    IN      SRV     20 0 5269 xmpp-server2.l.google.com.
 _jabber._tcp.google.com. 900    IN      SRV     20 0 5269 xmpp-server3.l.google.com.
 _jabber._tcp.google.com. 900    IN      SRV     20 0 5269 xmpp-server4.l.google.com.
 _jabber._tcp.google.com. 900    IN      SRV     5 0 5269 xmpp-server.l.google.com.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/7566#comment:6>
Pidgin <http://pidgin.im>
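
The ticket description asks for accepted certificates to be remembered, with more than one allowed per service. The sketch below is an added example, not part of the ticket and not Pidgin's code: the class name, store file name and JSON layout are assumptions, and the certificate bytes are constructed stand-ins. Acceptance is bound to the host plus the exact certificate bytes, so a changed certificate prompts again.

```python
import hashlib
import json
import os
import tempfile

class AcceptedCertStore:
    """Remembers user-accepted certificates per host, by SHA-256 fingerprint."""

    def __init__(self, path):
        self.path = path
        self.accepted = {}  # host -> sorted list of hex fingerprints
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.accepted = json.load(fh)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, host: str, cert_der: bytes) -> str:
        """Return 'accepted', 'changed' (host known, cert not) or 'unknown'."""
        known = self.accepted.get(host.lower())
        if not known:
            return "unknown"
        return "accepted" if self.fingerprint(cert_der) in known else "changed"

    def accept(self, host: str, cert_der: bytes) -> None:
        """Record the user's decision for this host and these exact bytes."""
        fps = set(self.accepted.get(host.lower(), [])) | {self.fingerprint(cert_der)}
        self.accepted[host.lower()] = sorted(fps)
        # Write atomically so a crash cannot leave a truncated store.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self.accepted, fh)
        os.replace(tmp, self.path)

def demo():
    # Constructed stand-ins for DER certificate bytes, not real certificates.
    cert_a, cert_b, cert_c = b"constructed-A", b"constructed-B", b"constructed-C"
    path = os.path.join(tempfile.mkdtemp(), "accepted_certs.json")
    store = AcceptedCertStore(path)
    first = store.check("talk.google.com", cert_a)   # first contact: prompt
    store.accept("talk.google.com", cert_a)
    store.accept("talk.google.com", cert_b)          # second cert, same service
    reopened = AcceptedCertStore(path)               # simulates restarting the client
    checks = [("talk.google.com", cert_a), ("talk.google.com", cert_b),
              ("talk.google.com", cert_c), ("irc.example.net", cert_a)]
    return [first] + [reopened.check(h, c) for h, c in checks]
```

Calling `demo()` shows that both accepted certificates survive a restart, a third certificate for the same host is reported as changed, and an acceptance for one host does not carry over to another.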