[Pidgin] #16625: error due to self signed certificate prevents login
Pidgin
trac at pidgin.im
Wed Apr 8 14:35:00 EDT 2015
#16625: error due to self signed certificate prevents login
-------------------------------------+---------------------------
Reporter: AnonymerGrizzley | Owner: EionRobb
Type: defect | Status: new
Milestone: | Component: unclassified
Version: 2.10.11 | Resolution:
Keywords: SSL, self signed, error |
-------------------------------------+---------------------------
Description changed by AnonymerGrizzley:
Old description:
> Today I updated my server's SSL certificate, because the old one expired.
> Afterwards I couldn't login any more due to the message:[[BR]]
> "Unable to validate certificate[[BR]]
> The certificate for xxx.xxx.xxx could not be validated. Ther certificate
> chain presented is invalid."[[BR]]
>
> Before (with the old certificate) I got a warning that the certificate is
> expired and I could view, accept or reject it. Afterwards I restored the
> old certificate on the server and because I deleted it from the
> certificate list in prosody I couldn't connect any more either and wasn't
> offered the possibility to accept or reject the certificate
> anymore.[[BR]]
> The cerficate in this case was simply generated with
> {{{
> openssl req -new -x509 -days 365 -nodes -out "xxxx.crt" -newkey rsa:2048
> -keyout "xxxx.key"
> }}}
>
> Using prosody's built-in certificate generater resulted in approximately
> the errors. I can post a log for that as well.
>
> I'm using pidgin 2.10.11 (libpurple 2.10.11) on Windows[[BR]]
> And Prosody 0.9.8 on the server side (Ubuntu 12.04 LTS).
>
> Problem is the same with Pidgin 2.10.9 (libpurple 2.10.9) on Ubuntu 14.04
> LTS[[BR]]
>
> The debug log on the client shows:[[BR]]
> {{{
> (20:11:06) account: Connecting to account xx at xxx.xxx.xxx/.
> (20:11:06) connection: Connecting. gc = 075B4C30
> (20:11:06) dnsquery: Performing DNS lookup for 10.0.0.249
> (20:11:06) dnsquery: IP resolved for 10.0.0.249
> (20:11:06) proxy: Attempting connection to 10.0.0.249
> (20:11:06) proxy: Connecting to 10.0.0.249:5222 with no proxy
> (20:11:06) proxy: Connection in progress
> (20:11:06) proxy: Connecting to 10.0.0.249:5222.
> (20:11:06) proxy: Connected to 10.0.0.249:5222.
> (20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <?xml version='1.0' ?>
> (20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <stream:stream
> to='xxx.xxx.xxx' xmlns='jabber:client'
> xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
> (20:11:06) jabber: Recv (310): <?xml version='1.0'?><stream:stream
> xmlns:stream='http://etherx.jabber.org/streams' version='1.0'
> from='xxx.xxx.xxx' id='dbca8fa2-5afe-40a9-9264-c9382dec1ed5'
> xml:lang='en' xmlns='jabber:client'><stream:features><starttls
> xmlns='urn:ietf:params:xml:ns:xmpp-
> tls'><required/></starttls></stream:features>
> (20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <starttls
> xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
> (20:11:06) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns
> :xmpp-tls'/>
> (20:11:06) nss: SSL version 3.3 using 256-bit AES with 160-bit SHA1 MAC
> Server Auth: 2048-bit RSA, Key Exchange: 384-bit ECDHE, Compression: NULL
> Cipher Suite Name: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> (20:11:06) nss: subject=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet
> Widgits Pty Ltd,ST=Some-State,C=AT
> issuer=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST
> =Some-State,C=AT
> (20:11:06) certificate/x509/tls_cached: Starting verify for 10.0.0.249
> (20:11:06) certificate/x509/tls_cached: Checking for cached cert...
> (20:11:06) certificate/x509/tls_cached: ...Not in cache
> (20:11:06) nss: CERT 1. E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet
> Widgits Pty Ltd,ST=Some-State,C=AT [Certificate Authority]:
> (20:11:06) nss: ERROR -8102: SEC_ERROR_INADEQUATE_KEY_USAGE
> (20:11:06) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
> (20:11:06) nss: subject name not verified
> (20:11:06) certificate: Failed to verify certificate for 10.0.0.249
> (20:11:06) connection: Connection error on 075B4C30 (reason: 15
> description: Der SSL-Peer hat ein ungültiges Zertifikat präsentiert)
> (20:11:06) account: Disconnecting account xx at xxx.xxx.xxx/ (03603478)
> (20:11:06) connection: Disconnecting connection 075B4C30
> (20:11:06) connection: Destroying connection 075B4C30
> }}}
New description:
Today I updated my server's SSL certificate, because the old one expired.
Afterwards I couldn't login any more due to the message:[[BR]]
"Unable to validate certificate[[BR]]
The certificate for xxx.xxx.xxx could not be validated. Ther certificate
chain presented is invalid."[[BR]]
Before (with the old certificate) I got a warning that the certificate is
expired and I could view, accept or reject it. Afterwards I restored the
old certificate on the server and because I deleted it from the
certificate list in prosody I couldn't connect any more either and wasn't
offered the possibility to accept or reject the certificate anymore.[[BR]]
The certificate in this case was generated with:
{{{
openssl req -new -x509 -days 365 -nodes -out "xxxx.crt" -newkey rsa:2048
-keyout "xxxx.key"
}}}
Using prosody's built-in certificate generator resulted in approximately
the same errors.
I'm using pidgin 2.10.11 (libpurple 2.10.11) on Windows[[BR]]
And Prosody 0.9.8 on the server side (Ubuntu 12.04 LTS).
Problem is the same with Pidgin 2.10.9 (libpurple 2.10.9) on Ubuntu 14.04
LTS[[BR]]
The debug log on the client shows:[[BR]]
{{{
(20:11:06) account: Connecting to account xx at xxx.xxx.xxx/.
(20:11:06) connection: Connecting. gc = 075B4C30
(20:11:06) dnsquery: Performing DNS lookup for 10.0.0.249
(20:11:06) dnsquery: IP resolved for 10.0.0.249
(20:11:06) proxy: Attempting connection to 10.0.0.249
(20:11:06) proxy: Connecting to 10.0.0.249:5222 with no proxy
(20:11:06) proxy: Connection in progress
(20:11:06) proxy: Connecting to 10.0.0.249:5222.
(20:11:06) proxy: Connected to 10.0.0.249:5222.
(20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <?xml version='1.0' ?>
(20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <stream:stream
to='xxx.xxx.xxx' xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(20:11:06) jabber: Recv (310): <?xml version='1.0'?><stream:stream
xmlns:stream='http://etherx.jabber.org/streams' version='1.0'
from='xxx.xxx.xxx' id='dbca8fa2-5afe-40a9-9264-c9382dec1ed5' xml:lang='en'
xmlns='jabber:client'><stream:features><starttls
xmlns='urn:ietf:params:xml:ns:xmpp-
tls'><required/></starttls></stream:features>
(20:11:06) jabber: Sending (xx at xxx.xxx.xxx): <starttls
xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(20:11:06) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-
tls'/>
(20:11:06) nss: SSL version 3.3 using 256-bit AES with 160-bit SHA1 MAC
Server Auth: 2048-bit RSA, Key Exchange: 384-bit ECDHE, Compression: NULL
Cipher Suite Name: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(20:11:06) nss: subject=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet
Widgits Pty Ltd,ST=Some-State,C=AT
issuer=E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet Widgits Pty Ltd,ST
=Some-State,C=AT
(20:11:06) certificate/x509/tls_cached: Starting verify for 10.0.0.249
(20:11:06) certificate/x509/tls_cached: Checking for cached cert...
(20:11:06) certificate/x509/tls_cached: ...Not in cache
(20:11:06) nss: CERT 1. E=unknown at localhost,CN=xxx.xxx.xxx,O=Internet
Widgits Pty Ltd,ST=Some-State,C=AT [Certificate Authority]:
(20:11:06) nss: ERROR -8102: SEC_ERROR_INADEQUATE_KEY_USAGE
(20:11:06) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
(20:11:06) nss: subject name not verified
(20:11:06) certificate: Failed to verify certificate for 10.0.0.249
(20:11:06) connection: Connection error on 075B4C30 (reason: 15
description: Der SSL-Peer hat ein ungültiges Zertifikat präsentiert)
(20:11:06) account: Disconnecting account xx at xxx.xxx.xxx/ (03603478)
(20:11:06) connection: Disconnecting connection 075B4C30
(20:11:06) connection: Destroying connection 075B4C30
}}}
--
--
Ticket URL: <https://developer.pidgin.im/ticket/16625#comment:3>
Pidgin <https://pidgin.im>
Pidgin
More information about the Tracker
mailing list