[Pidgin] #16625: error due to self signed certificate prevents login
Pidgin
trac at pidgin.im
Wed Apr 8 14:33:33 EDT 2015
-------------------------------------+---------------------------
Reporter: AnonymerGrizzley | Owner: EionRobb
Type: defect | Status: new
Milestone: | Component: unclassified
Version: 2.10.11 | Resolution:
Keywords: SSL, self signed, error |
-------------------------------------+---------------------------
Description changed by AnonymerGrizzley:
Old description:
> Today I updated my server's SSL certificate, because the old one expired.
> Afterwards I couldn't log in any more due to the message:[[BR]]
> "Unable to validate certificate[[BR]]
> The certificate for xxx.xxx.xxx could not be validated. The certificate
> chain presented is invalid."[[BR]]
>
> Before (with the old certificate) I got a warning that the certificate is
> expired and I could view, accept or reject it. Afterwards I restored the
> old certificate on the server and because I deleted it from the
> certificate list in prosody I couldn't connect any more either and wasn't
> offered the possibility to accept or reject the certificate
> anymore.[[BR]]
>
> I'm using pidgin 2.10.11 (libpurple 2.10.11)[[BR]]
> And Prosody 0.9.8 on the server side.
>
> Problem is the same with Pidgin 2.10.9 (libpurple 2.10.9)
>
> The debug log on the client shows:[[BR]]
> {{{
> (20:11:06) account: Connecting to account xx at xxx.xxx.xxx/.
> (20:11:06) connection: Connecting. gc = 075B4C30
> (20:11:06) dnsquery: Performing DNS lookup for 10.0.0.249
> (20:11:06) dnsquery: IP resolved for 10.0.0.249
> (20:11:06) proxy: Attempting connection to 10.0.0.249
> (20:11:06) proxy: Connecting to 10.0.0.249:5222 with no proxy
> (20:11:06) proxy: Connection in progress
> (20:11:06) proxy: Connecting to 10.0.0.249:5222.
> (20:11:06) proxy: Connected to 10.0.0.249:5222.
> (20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <?xml version='1.0' ?>
> (20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <stream:stream to='xxx.xxx.xxx' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
> (20:11:06) jabber: Recv (310): <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='xxx.xxx.xxx' id='dbca8fa2-5afe-40a9-9264-c9382dec1ed5' xml:lang='en' xmlns='jabber:client'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
> (20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
> (20:11:06) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
> (20:11:06) nss: SSL version 3.3 using 256-bit AES with 160-bit SHA1 MAC
> Server Auth: 2048-bit RSA, Key Exchange: 384-bit ECDHE, Compression: NULL
> Cipher Suite Name: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> (20:11:06) nss: subject=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT
> issuer=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT
> (20:11:06) certificate/x509/tls_cached: Starting verify for 10.0.0.249
> (20:11:06) certificate/x509/tls_cached: Checking for cached cert...
> (20:11:06) certificate/x509/tls_cached: ...Not in cache
> (20:11:06) nss: CERT 1. E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT [Certificate Authority]:
> (20:11:06) nss: ERROR -8102: SEC_ERROR_INADEQUATE_KEY_USAGE
> (20:11:06) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
> (20:11:06) nss: subject name not verified
> (20:11:06) certificate: Failed to verify certificate for 10.0.0.249
> (20:11:06) connection: Connection error on 075B4C30 (reason: 15 description: Der SSL-Peer hat ein ungültiges Zertifikat präsentiert)
> (20:11:06) account: Disconnecting account xx at xxx.xxx.xxx/ (03603478)
> (20:11:06) connection: Disconnecting connection 075B4C30
> (20:11:06) connection: Destroying connection 075B4C30
> }}}
New description:
Today I updated my server's SSL certificate, because the old one expired.
Afterwards I couldn't log in any more due to the message:[[BR]]
"Unable to validate certificate[[BR]]
The certificate for xxx.xxx.xxx could not be validated. The certificate
chain presented is invalid."[[BR]]
Before (with the old certificate) I got a warning that the certificate is
expired and I could view, accept or reject it. Afterwards I restored the
old certificate on the server and because I deleted it from the
certificate list in prosody I couldn't connect any more either and wasn't
offered the possibility to accept or reject the certificate anymore.[[BR]]
The certificate in this case was simply generated with
{{{
openssl req -new -x509 -days 365 -nodes -out "xxxx.crt" -newkey rsa:2048 -keyout "xxxx.key"
}}}
Using prosody's built-in certificate generator resulted in approximately
the same errors. I can post a log for that as well.
I'm using pidgin 2.10.11 (libpurple 2.10.11) on Windows[[BR]]
And Prosody 0.9.8 on the server side (Ubuntu 12.04 LTS).
Problem is the same with Pidgin 2.10.9 (libpurple 2.10.9) on Ubuntu 14.04
LTS[[BR]]
The debug log on the client shows:[[BR]]
{{{
(20:11:06) account: Connecting to account xx at xxx.xxx.xxx/.
(20:11:06) connection: Connecting. gc = 075B4C30
(20:11:06) dnsquery: Performing DNS lookup for 10.0.0.249
(20:11:06) dnsquery: IP resolved for 10.0.0.249
(20:11:06) proxy: Attempting connection to 10.0.0.249
(20:11:06) proxy: Connecting to 10.0.0.249:5222 with no proxy
(20:11:06) proxy: Connection in progress
(20:11:06) proxy: Connecting to 10.0.0.249:5222.
(20:11:06) proxy: Connected to 10.0.0.249:5222.
(20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <?xml version='1.0' ?>
(20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <stream:stream to='xxx.xxx.xxx' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(20:11:06) jabber: Recv (310): <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='xxx.xxx.xxx' id='dbca8fa2-5afe-40a9-9264-c9382dec1ed5' xml:lang='en' xmlns='jabber:client'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
(20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(20:11:06) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(20:11:06) nss: SSL version 3.3 using 256-bit AES with 160-bit SHA1 MAC
Server Auth: 2048-bit RSA, Key Exchange: 384-bit ECDHE, Compression: NULL
Cipher Suite Name: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(20:11:06) nss: subject=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT
issuer=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT
(20:11:06) certificate/x509/tls_cached: Starting verify for 10.0.0.249
(20:11:06) certificate/x509/tls_cached: Checking for cached cert...
(20:11:06) certificate/x509/tls_cached: ...Not in cache
(20:11:06) nss: CERT 1. E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST=Some-State,C=AT [Certificate Authority]:
(20:11:06) nss: ERROR -8102: SEC_ERROR_INADEQUATE_KEY_USAGE
(20:11:06) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
(20:11:06) nss: subject name not verified
(20:11:06) certificate: Failed to verify certificate for 10.0.0.249
(20:11:06) connection: Connection error on 075B4C30 (reason: 15 description: Der SSL-Peer hat ein ungültiges Zertifikat präsentiert)
(20:11:06) account: Disconnecting account xx at xxx.xxx.xxx/ (03603478)
(20:11:06) connection: Disconnecting connection 075B4C30
(20:11:06) connection: Destroying connection 075B4C30
}}}
--
Ticket URL: <https://developer.pidgin.im/ticket/16625#comment:2>
Pidgin <https://pidgin.im>
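The ticket's certificate was produced with a bare `openssl req -new -x509` call, so the X.509v3 extensions it ends up with come entirely from whatever the local openssl.cnf defaults to; the NSS log lines above show it being evaluated as a Certificate Authority and failing the key-usage check. The script below is an added example, not code from the ticket, Pidgin or Prosody: it generates a self-signed server certificate with explicit end-entity extensions (basicConstraints CA:FALSE, keyUsage, extendedKeyUsage serverAuth, subjectAltName) from a small OpenSSL config, then inspects any certificate and reports which of those extensions are present or missing. The hostname `xmpp.example.test`, the file names and the temporary directory are constructed for the example; the config-file approach is used deliberately because it works on OpenSSL versions that predate `-addext`.

```shell
#!/bin/sh
# Added example (not from the ticket): build a self-signed server certificate
# with explicit X.509v3 extensions, and check a certificate for them.
set -eu

# Write an OpenSSL config whose x509_extensions section marks the certificate
# as an end-entity server certificate.  $1 = config path, $2 = hostname.
write_config() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no

[dn]
CN = $2

[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
EOF
}

# Same flags as the ticket's command, plus -config so the v3_server section is
# applied.  $1 = hostname, $2 = output directory (server.key / server.crt).
make_cert() {
  write_config "$2/server.cnf" "$1"
  openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
    -config "$2/server.cnf" \
    -keyout "$2/server.key" -out "$2/server.crt" 2>/dev/null
}

# The ticket's bare command, with only a subject supplied, for comparison.
# Whatever extensions this gets come from the local openssl.cnf defaults.
make_bare_cert() {
  openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$2/bare.key" -out "$2/bare.crt" 2>/dev/null
}

# Print which server-relevant extensions a certificate carries.
# Returns 0 only if all three are present.  $1 = certificate path.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  ok=0
  for ext in "X509v3 Basic Constraints" "X509v3 Key Usage" "X509v3 Subject Alternative Name"; do
    if printf '%s\n' "$text" | grep -q "$ext"; then
      printf 'present: %s\n' "$ext"
    else
      printf 'MISSING: %s\n' "$ext"
      ok=1
    fi
  done
  return $ok
}

main() {
  host=xmpp.example.test          # constructed hostname
  dir=$(mktemp -d)
  echo "== certificate with explicit extensions =="
  make_cert "$host" "$dir"
  check_cert "$dir/server.crt"
  echo "== certificate from the bare command =="
  if make_bare_cert "$host" "$dir"; then
    check_cert "$dir/bare.crt" || true   # expected to report gaps on most default configs
  else
    echo "bare command failed (no usable default openssl.cnf on this system)"
  fi
  rm -rf "$dir"
}

main
```

`check_cert` is the piece to keep around: running it against the certificate a server actually presents (`openssl s_client -starttls xmpp` can dump it) tells you in one glance whether the file is a CA-style or an end-entity certificate before you go looking for a client bug.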