| View previous topic :: View next topic |
| Author |
Message |
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
|
 Posted: Wed Jan 18, 2017 5:20 pm Post subject: Pidgin SSL Certificate Error with gmail.com |
 |
|
For the last couple of weeks I have been receiving an SSL Ccertificate Error when I try to get pidgin to use my gmail.com account. (XMPP protocol).
| Quote: | Unable to validate certificate
The certificate for gmail.com could not be validated. The certificate chain presented is invalid. |
Any ideas on fixing this? I have tried re-emerging pidgin.
Last edited by jagdpanther on Tue Jan 24, 2017 3:07 pm; edited 2 times in total |
|
| Back to top |
|
 |
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5327
|
| Posted: Wed Jan 18, 2017 6:03 pm Post subject: |
|
|
Pidgin seems to be having a lot of problems with SSL lately, I couldn't connect to AIM either.
This one's a reported bug with a workaround though: https://developer.pidgin.im/ticket/17118 |
|
| Back to top |
|
|
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
|
| Posted: Wed Jan 18, 2017 6:19 pm Post subject: |
|
|
Ant P.:
Yes, the workaround in your link fixed the issue.
The command returned three certificates, the first one, "gmail.com" is the one you want to put in a file to load into pidgin after deleting the supplied gmail.com cert. Do both using the pidgin GUI.
Thank you. |
|
| Back to top |
|
|
sphakka
n00b
Joined: 24 Jun 2003
Posts: 72
|
| Posted: Thu Jan 19, 2017 5:36 pm Post subject: |
|
|
| jagdpanther wrote: | three certificates, the first one, "gmail.com" is the one you want to put in a file to load into pidgin after deleting the supplied gmail.com cert. Do both using the pidgin GUI.
|
My pidgin seems not to like the extracted cert... Could you please post the exact procedure? |
|
| Back to top |
|
|
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
|
| Posted: Thu Jan 19, 2017 7:30 pm Post subject: |
|
|
The following worked for one of my two Gentoo systems. I don't know why it is not working for the second and I still receive the SSL cert error message:
openssl s_client -showcerts -servername gmail.com -connect gmail.com:443
[should spit out about 127 lines]
<ctrl>-c
[copy the first of 3 'certificates' including the begin & end certificate lines
into a file, I called it google.pem -- that certificate should say
CN=gmail.com two lines above the begin certificate line]
In pidin:
tools -> certificates
delete gmail.com
add
select the file you saved above (google.pem in my case)
the 'Specify a hostname' popup should contain gmail.com
quit and restart pidgin
I have a 50% success rate with that procedure with a sample of 2. |
|
| Back to top |
|
|
sphakka
n00b
Joined: 24 Jun 2003
Posts: 72
|
| Posted: Fri Jan 20, 2017 10:02 am Post subject: |
|
|
| jagdpanther wrote: | The following worked for one of my two Gentoo systems. I don't know why it is not working for the second and I still receive the SSL cert error message:
|
Thanks jagdpanther. It looks like I'm in the unlucky 50%  |
|
| Back to top |
|
|
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
|
| Posted: Tue Jan 24, 2017 3:10 pm Post subject: |
|
|
I removed the "solved" from my title.
Previously the work-around mentioned by Ant P. worked for one of my two Gentoo systems. Now both of my Gentoo systems are having the "Unable to validate certificate" SSL certificate error when I point pidgin at gmail.com. |
|
| Back to top |
|
|
toralf
Developer
Joined: 01 Feb 2004
Posts: 3613
Location: Hamburg
|
| Posted: Tue Jan 24, 2017 4:21 pm Post subject: |
|
|
| jagdpanther wrote: | openssl s_client -showcerts -servername gmail.com -connect gmail.com:443
[should spit out about 127 lines]
<ctrl>-c |
pipe output of echo to it, no ctrl-c is needed: | Code: | echo | openssl s_client -showcerts -servername gmail.com -connect gmail.com:443
|
|
|
| Back to top |
|
|
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
|
| Posted: Wed Jan 25, 2017 3:26 am Post subject: |
|
|
| This is just strange. Using the above work-around now both of my Gentoo systems' Pidgin is working when connected to gmail.com. I wonder how long it will last? |
|
| Back to top |
|
|
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
|
| Posted: Wed Jan 25, 2017 3:20 pm Post subject: |
|
|
> I wonder how long it will last?
To answer my own question, less than a day. It appears that the gmail.com certificate is changing often and pidgin does not update the certificate.
Today when pidgin failed to connect, and gave the same SSL Certificate error, I again used the work-around and pidgin is working again connecting to gmail.com.
After you grab and save the certificate in a file (I named it gmail.pem) you can use the following command to look at its contents. If you keep multiple versions of the file you can see what changes day to day. (not that this helps to fix the pidgin issue -- it just shows a certificate that changes often)
| Code: | | openssl x509 -in /tmp/gmail.pem -noout -text |
|
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13043
|
| Posted: Thu Jan 26, 2017 1:55 am Post subject: |
|
|
It should last until Google changes their certificate. Based on past experience, they seem to rotate the certificates every few weeks.
Note that this workaround completely removes any security associated with the TLS certificate authority design, since you are whitelisting whatever happens to be presented by a machine that claims, without any proof, to be owned by Google. |
|
| Back to top |
|
|
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
|
| Posted: Thu Jan 26, 2017 3:50 am Post subject: |
|
|
| Hu wrote: | | Note that this workaround completely removes any security associated with the TLS certificate authority design, since you are whitelisting whatever happens to be presented by a machine that claims, without any proof, to be owned by Google. |
Hi. Thanks for the reply.
Yes, this workaround is very weak in the security realm. Is there a better fix for the Pidgin / gmail.com SSL Certificate error issue? |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13043
|
| Posted: Thu Jan 26, 2017 5:31 am Post subject: |
|
|
| GMail needs to use certificates that are trusted by your local certificate store. The most likely cause for these failures is that they are using a CA that is not known to be trusted. Find the certificate for that CA, verify it to be legitimate, and trust that, not the individual certificates that GMail is rolling out every few days. |
|
| Back to top |
|
|
ayvango
Tux's lil' helper
Joined: 08 Feb 2012
Posts: 115
|
| Posted: Fri Jan 27, 2017 3:35 pm Post subject: |
|
|
| Quote: | | The most likely cause for these failures is that they are using a CA that is not known to be trusted. Find the certificate for that CA, verify it to be legitimate, and trust that |
How could it be done practically? I have zero previous experience with using gnutls and openssl directly. |
|
| Back to top |
|
|
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5327
|
| Posted: Sat Jan 28, 2017 8:21 pm Post subject: |
|
|
| Get the CA's certificate as a .pem file, put it in /usr/local/share/ca-certificates, run update-ca-certificates. |
|
| Back to top |
|
|
q-parser
n00b
Joined: 11 Jul 2006
Posts: 42
Location: Slovakia
|
| Posted: Wed Feb 01, 2017 11:58 am Post subject: |
|
|
I retrieved the certificate from the working pidgin on another system and I could not even import it to pidgin in Gentoo. I copied the pem file to ~/.purple/certificates/x509/tls_peers/, pidgin loads it, but it does not work anyway. This is peculiar.
EDIT: I re-emerged pidgin without -gnutls and it works again. The client now downloads the certificate on its own. |
|
| Back to top |
|
|
marcv
n00b
Joined: 25 Feb 2006
Posts: 16
Location: Catalonia
|
| Posted: Fri Feb 03, 2017 12:08 pm Post subject: |
|
|
USE=-gnutls did the trick for me too, without any manual certificate downloading. I get a warning about how the certificate cannot be trusted because it is for gmail.com rather than talk.google.com, which looks like a very reasonable concern to me. Is this a problem on the server side, then?
_________________
blah. |
|
| Back to top |
|
|
dbishop
Tux's lil' helper
Joined: 08 Dec 2007
Posts: 99
|
| Posted: Sun Feb 12, 2017 3:35 pm Post subject: |
|
|
Actually this has been going on for quite a few months now. emerging with -gnutls does make it work. I added the use flag directive my /etc/portage/package.use/pidgin file
| Code: | echo "net-im/pidgin -gnutls" >> /etc/portage/package.use/pidgin
emerge -1 pidgin
|
I have run pidgin from the command line with the -d option and it clearly shows the issue, the certificate cannot be verified:
| Code: | (22:59:59) gnutls/x509: Certificate C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA is issued by C=US,O=Equifax,OU=Equifax Secure Certificate Authority, which does not match C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA.
(22:59:59) gnutls/x509: Certificate C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA is issued by C=US,O=Equifax,OU=Equifax Secure Certificate Authority, which does not match C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA.
(22:59:59) certificate: Failed to verify certificate for gmail.com
(22:59:59) connection: Connection error on 0x21913d0 (reason: 15 description: SSL peer presented an invalid certificate)
(22:59:59) account: Disconnecting account harry@gmail.com/Gaim (0x18dfad0)
(22:59:59) connection: Disconnecting connection 0x21913d0
(22:59:59) connection: Destroying connection 0x21913d0
|
With the -gnutls option set, all is well -- except that whatever gnutls doesn't like is presumably still an actual issue. But, in keeping with modern culture, I believe everything Google and Wikipedia say are truth and goodness.
----
http://bastiat.org/en/the_law.html |
|
| Back to top |
|
|
|
Desktop Environments
