[Pidgin] #16412: Unable to connect to XMPP servers using self signed certificates
Pidgin
trac at pidgin.im
Thu Oct 30 04:49:03 EDT 2014
#16412: Unable to connect to XMPP servers using self signed certificates
-----------------------+---------------------
Reporter: skyserver | Owner: deryni
Type: defect | Status: new
Milestone: | Component: XMPP
Version: 2.10.10 | Resolution:
Keywords: |
-----------------------+---------------------
Description changed by skyserver:
Old description:
> In version 2.10.10 it's no longer possible to connect to an XMPP server
> which uses a self-signed SSL certificate.
> The error message is:
> ''The certificate for <domain> could not be validated. The certificate
> chain presented is invalid.''
>
> The connection is possible if the server certificate is already in the
> local cache (\.purple\certificates\x509\tls_peers). If the certificate is
> not cached yet (e.g. after a fresh windows/pidgin installation) the
> connection fails.
>
> My test case was an Openfire 3.9.3 server using the default self-signed
> certificates created after installation.
>
> May be the same error as ticket #16410.
>
> {{{
> (09:26:08) account: Connecting to account admin at debian/.
> (09:26:08) connection: Connecting. gc = 055874A8
> (09:26:08) dnssrv: querying SRV record for debian: _xmpp-
> client._tcp.debian
> (09:26:08) dnssrv: Couldn't look up SRV record. Der DNS-Name ist nicht
> vorhanden. (9003).
> (09:26:08) dnsquery: Performing DNS lookup for debian
> (09:26:08) dnsquery: IP resolved for debian
> (09:26:08) proxy: Attempting connection to 192.168.0.66
> (09:26:08) proxy: Connecting to debian:5222 with no proxy
> (09:26:08) proxy: Connection in progress
> (09:26:08) proxy: Connecting to debian:5222.
> (09:26:08) proxy: Connected to debian:5222.
> (09:26:08) jabber: Sending (admin at debian): <?xml version='1.0' ?>
> (09:26:08) jabber: Sending (admin at debian): <stream:stream to='debian'
> xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'
> version='1.0'>
> (09:26:08) jabber: Recv (179): <?xml version='1.0'
> encoding='UTF-8'?><stream:stream
> xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client"
> from="debian" id="6c834f07" xml:lang="en" version="1.0">
> (09:26:08) jabber: Recv (486): <stream:features><starttls
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms
> xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-
> MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism
> >CRAM-MD5</mechanism></mechanisms><compression
> xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth
> xmlns="http://jabber.org/features/iq-auth"/><register
> xmlns="http://jabber.org/features/iq-register"/></stream:features>
> (09:26:08) jabber: Sending (admin at debian): <starttls
> xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
> (09:26:08) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns
> :xmpp-tls"/>
> (09:26:08) nss: SSL version 3.3 using 128-bit AES with 160-bit SHA1 MAC
> Server Auth: 2048-bit RSA, Key Exchange: 768-bit DHE, Compression: NULL
> Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> (09:26:08) nss: subject=CN=debian issuer=CN=debian
> (09:26:08) certificate/x509/tls_cached: Starting verify for debian
> (09:26:08) certificate/x509/tls_cached: Checking for cached cert...
> (09:26:08) certificate/x509/tls_cached: ...Not in cache
> (09:26:08) nss: CERT 1. CN=debian [Certificate Authority]:
> (09:26:08) nss: ERROR -8156: SEC_ERROR_CA_CERT_INVALID
> (09:26:08) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
> (09:26:08) certificate: Failed to verify certificate for debian
> (09:26:08) connection: Connection error on 055874A8 (reason: 15
> description: Der SSL-Peer hat ein ungültiges Zertifikat präsentiert)
> (09:26:08) account: Disconnecting account admin at debian/ (0292E448)
> (09:26:08) connection: Disconnecting connection 055874A8
> (09:26:08) connection: Destroying connection 055874A8
> }}}
New description:
In version 2.10.10 it's no longer possible to connect to an XMPP server
which uses a self-signed SSL certificate.
The error message is:
''The certificate for <domain> could not be validated. The certificate
chain presented is invalid.''
The connection is possible if the server certificate is already in the
local cache (\.purple\certificates\x509\tls_peers). If the certificate is
not cached yet (e.g. after a fresh windows/pidgin installation) the
connection fails.
My test case was an Openfire 3.9.3 server using the default self-signed
certificates created after installation.
{{{
(09:26:08) account: Connecting to account admin at debian/.
(09:26:08) connection: Connecting. gc = 055874A8
(09:26:08) dnssrv: querying SRV record for debian: _xmpp-
client._tcp.debian
(09:26:08) dnssrv: Couldn't look up SRV record. Der DNS-Name ist nicht
vorhanden. (9003).
(09:26:08) dnsquery: Performing DNS lookup for debian
(09:26:08) dnsquery: IP resolved for debian
(09:26:08) proxy: Attempting connection to 192.168.0.66
(09:26:08) proxy: Connecting to debian:5222 with no proxy
(09:26:08) proxy: Connection in progress
(09:26:08) proxy: Connecting to debian:5222.
(09:26:08) proxy: Connected to debian:5222.
(09:26:08) jabber: Sending (admin at debian): <?xml version='1.0' ?>
(09:26:08) jabber: Sending (admin at debian): <stream:stream to='debian'
xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'
version='1.0'>
(09:26:08) jabber: Recv (179): <?xml version='1.0'
encoding='UTF-8'?><stream:stream
xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client"
from="debian" id="6c834f07" xml:lang="en" version="1.0">
(09:26:08) jabber: Recv (486): <stream:features><starttls
xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms
xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-
MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism
>CRAM-MD5</mechanism></mechanisms><compression
xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth
xmlns="http://jabber.org/features/iq-auth"/><register
xmlns="http://jabber.org/features/iq-register"/></stream:features>
(09:26:08) jabber: Sending (admin at debian): <starttls
xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(09:26:08) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-
tls"/>
(09:26:08) nss: SSL version 3.3 using 128-bit AES with 160-bit SHA1 MAC
Server Auth: 2048-bit RSA, Key Exchange: 768-bit DHE, Compression: NULL
Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
(09:26:08) nss: subject=CN=debian issuer=CN=debian
(09:26:08) certificate/x509/tls_cached: Starting verify for debian
(09:26:08) certificate/x509/tls_cached: Checking for cached cert...
(09:26:08) certificate/x509/tls_cached: ...Not in cache
(09:26:08) nss: CERT 1. CN=debian [Certificate Authority]:
(09:26:08) nss: ERROR -8156: SEC_ERROR_CA_CERT_INVALID
(09:26:08) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
(09:26:08) certificate: Failed to verify certificate for debian
(09:26:08) connection: Connection error on 055874A8 (reason: 15
description: Der SSL-Peer hat ein ungültiges Zertifikat präsentiert)
(09:26:08) account: Disconnecting account admin at debian/ (0292E448)
(09:26:08) connection: Disconnecting connection 055874A8
(09:26:08) connection: Destroying connection 055874A8
}}}
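An added diagnostic, not part of the ticket and not Pidgin's own code: a Python parser that walks a Pidgin debug-log excerpt like the one above and classifies the failure, separating the case this ticket describes (self-signed certificate, not yet in the tls_peers cache, rejected by NSS) from other chain rejections. The embedded log excerpt is constructed from the lines quoted above, and the line patterns it matches are assumed from this log only.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the debug log quoted in the ticket, not a live capture.
SAMPLE_LOG = """\
(09:26:08) nss: subject=CN=debian issuer=CN=debian
(09:26:08) certificate/x509/tls_cached: Starting verify for debian
(09:26:08) certificate/x509/tls_cached: ...Not in cache
(09:26:08) nss: ERROR -8156: SEC_ERROR_CA_CERT_INVALID
(09:26:08) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
(09:26:08) certificate: Failed to verify certificate for debian
"""

@dataclass
class TlsDiagnosis:
    host: str = ""
    subject: str = ""
    issuer: str = ""
    cached: "bool | None" = None  # None: no tls_peers cache lookup seen in the log
    verify_failed: bool = False
    nss_errors: list = field(default_factory=list)

    @property
    def self_signed(self) -> bool:
        # Self-signed = certificate is its own issuer; NSS accepts it only if trusted explicitly.
        return bool(self.subject) and self.subject == self.issuer

    def summary(self) -> str:
        errors = ", ".join(self.nss_errors)
        if not self.verify_failed:
            return "no certificate verification failure logged"
        if self.self_signed and self.cached is False:
            return f"self-signed cert for {self.host} not in tls_peers cache; NSS rejected it ({errors})"
        return f"certificate chain for {self.host} rejected by NSS ({errors})"

def diagnose(log: str) -> TlsDiagnosis:
    # One pass over the debug output, keeping only the lines that decide the outcome.
    d = TlsDiagnosis()
    for line in log.splitlines():
        if m := re.search(r"nss: subject=(.+?) issuer=(.+)$", line):
            d.subject, d.issuer = m.group(1), m.group(2)
        elif m := re.search(r"tls_cached: Starting verify for (\S+)", line):
            d.host = m.group(1)
        elif "tls_cached: ...Not in cache" in line:
            d.cached = False
        elif m := re.search(r"nss: ERROR -?\d+: (\S+)", line):
            d.nss_errors.append(m.group(1))
        elif "certificate: Failed to verify certificate for" in line:
            d.verify_failed = True
    return d
```

Running `diagnose(SAMPLE_LOG).summary()` on the excerpt names the host, the cache miss and both NSS error codes, which is the information needed to tell this ticket's case apart from a genuinely broken chain.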
--
Ticket URL: <https://developer.pidgin.im/ticket/16412#comment:1>
Pidgin <https://pidgin.im>