[Pidgin] #16625: error due to self signed certificate prevents login
Pidgin
trac at pidgin.im
Wed Apr 8 14:25:39 EDT 2015
#16625: error due to self signed certificate prevents login
------------------------------+--------------------------
Reporter: AnonymerGrizzley | Owner: EionRobb
Type: defect | Status: new
Milestone: | Component: unclassified
Version: 2.10.11 | Keywords:
------------------------------+--------------------------
Today I updated my server's SSL certificate, because the old one expired.
Afterwards I couldn't log in any more due to the message:
"Unable to validate certificate
The certificate for xxx.xxx.xxx could not be validated. The certificate
chain presented is invalid."
Before (with the old certificate) I got a warning that the certificate is
expired and I could view, accept or reject it. Afterwards I restored the
old certificate on the server and because I deleted it from the
certificate list in Prosody I couldn't connect any more either and wasn't
offered the possibility to accept or reject the certificate anymore.
I'm using Pidgin 2.10.11 (libpurple 2.10.11)
and Prosody 0.9.8 on the server side.
The problem is the same with Pidgin 2.10.9 (libpurple 2.10.9).
The debug log on the client shows:
{{{
(20:11:06) account: Connecting to account xx at xxx.xxx.xxx/.
(20:11:06) connection: Connecting. gc = 075B4C30
(20:11:06) dnsquery: Performing DNS lookup for 10.0.0.249
(20:11:06) dnsquery: IP resolved for 10.0.0.249
(20:11:06) proxy: Attempting connection to 10.0.0.249
(20:11:06) proxy: Connecting to 10.0.0.249:5222 with no proxy
(20:11:06) proxy: Connection in progress
(20:11:06) proxy: Connecting to 10.0.0.249:5222.
(20:11:06) proxy: Connected to 10.0.0.249:5222.
(20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <?xml version='1.0' ?>
(20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <stream:stream to='xxx.xxx.xxx' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(20:11:06) jabber: Recv (310): <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='xxx.xxx.xxx' id='dbca8fa2-5afe-40a9-9264-c9382dec1ed5' xml:lang='en' xmlns='jabber:client'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
(20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(20:11:06) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(20:11:06) nss: SSL version 3.3 using 256-bit AES with 160-bit SHA1 MAC
Server Auth: 2048-bit RSA, Key Exchange: 384-bit ECDHE, Compression: NULL
Cipher Suite Name: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(20:11:06) nss: subject=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT
issuer=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT
(20:11:06) certificate/x509/tls_cached: Starting verify for 10.0.0.249
(20:11:06) certificate/x509/tls_cached: Checking for cached cert...
(20:11:06) certificate/x509/tls_cached: ...Not in cache
(20:11:06) nss: CERT 1. E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT [Certificate Authority]:
(20:11:06) nss: ERROR -8102: SEC_ERROR_INADEQUATE_KEY_USAGE
(20:11:06) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
(20:11:06) nss: subject name not verified
(20:11:06) certificate: Failed to verify certificate for 10.0.0.249
(20:11:06) connection: Connection error on 075B4C30 (reason: 15 description: Der SSL-Peer hat ein ungültiges Zertifikat präsentiert)
(20:11:06) account: Disconnecting account xx at xxx.xxx.xxx/ (03603478)
(20:11:06) connection: Disconnecting connection 075B4C30
(20:11:06) connection: Destroying connection 075B4C30
}}}
--
Ticket URL: <https://developer.pidgin.im/ticket/16625>
Pidgin <https://pidgin.im>
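
A small triage helper for debug logs like the one in this report, added here as an example and not part of the ticket or of Pidgin's code: for each `Starting verify` entry it collects the NSS error codes, the cache result and whether the logged subject and issuer are identical. It assumes each log entry sits on one unwrapped line; the function name and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in the format of the debug log above (placeholders kept).
SAMPLE_LOG = """\
(20:11:06) nss: subject=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT
issuer=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT
(20:11:06) certificate/x509/tls_cached: Starting verify for 10.0.0.249
(20:11:06) certificate/x509/tls_cached: ...Not in cache
(20:11:06) nss: ERROR -8102: SEC_ERROR_INADEQUATE_KEY_USAGE
(20:11:06) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
(20:11:06) nss: subject name not verified
(20:11:06) certificate: Failed to verify certificate for 10.0.0.249
"""

ENTRY = re.compile(r"^\(\d\d:\d\d:\d\d\) ([^:\s]+): (.*)$")
NSS_ERROR = re.compile(r"^ERROR (-?\d+): (\w+)$")

def summarize_verifications(log_text):
    """Return one dict per 'Starting verify for <host>' entry in a debug log."""
    results, current = [], None
    subject = issuer = last_category = None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry is None:
            # Unprefixed line: continuation of the previous entry (e.g. issuer=).
            if last_category == "nss" and line.startswith("issuer="):
                issuer = line[len("issuer="):]
            continue
        last_category, msg = entry.groups()
        if last_category == "nss" and msg.startswith("subject="):
            subject, issuer = msg[len("subject="):], None
        elif msg.startswith("Starting verify for "):
            # Assumption: identical subject and issuer strings mean self-issued.
            current = {"host": msg[len("Starting verify for "):],
                       "self_signed": subject is not None and subject == issuer,
                       "cached": None, "errors": [],
                       "name_verified": True, "failed": False}
            results.append(current)
        elif current is None:
            continue  # nothing to attach this entry to yet
        elif msg == "...Not in cache":
            current["cached"] = False
        elif last_category == "nss" and NSS_ERROR.match(msg):
            code, name = NSS_ERROR.match(msg).groups()
            current["errors"].append((int(code), name))
        elif msg == "subject name not verified":
            current["name_verified"] = False
        elif msg.startswith("Failed to verify certificate for "):
            current["failed"] = True
    return results
```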