Gentoo Forums
Pidgin SSL Certificate Error with gmail.com
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
Posted: Wed Jan 18, 2017 5:20 pm    Post subject: Pidgin SSL Certificate Error with gmail.com

For the last couple of weeks I have been receiving an SSL Certificate Error when I try to get pidgin to use my gmail.com account (XMPP protocol).
Quote:
Unable to validate certificate
The certificate for gmail.com could not be validated. The certificate chain presented is invalid.


Any ideas on fixing this? I have tried re-emerging pidgin.


Last edited by jagdpanther on Tue Jan 24, 2017 3:07 pm; edited 2 times in total
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5327
Posted: Wed Jan 18, 2017 6:03 pm

Pidgin seems to be having a lot of problems with SSL lately; I couldn't connect to AIM either.

This one's a reported bug with a workaround though: https://developer.pidgin.im/ticket/17118
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
Posted: Wed Jan 18, 2017 6:19 pm

Ant P.:

Yes, the workaround in your link fixed the issue.

The command returned three certificates; the first one, "gmail.com", is the one you want to put in a file to load into pidgin after deleting the supplied gmail.com cert. Do both using the pidgin GUI.

Thank you.
sphakka
n00b
Joined: 24 Jun 2003
Posts: 72
Posted: Thu Jan 19, 2017 5:36 pm

jagdpanther wrote:
three certificates, the first one, "gmail.com" is the one you want to put in a file to load into pidgin after deleting the supplied gmail.com cert. Do both using the pidgin GUI.


My pidgin seems not to like the extracted cert... Could you please post the exact procedure?
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
Posted: Thu Jan 19, 2017 7:30 pm

The following worked for one of my two Gentoo systems. I don't know why it is not working for the second and I still receive the SSL cert error message:

openssl s_client -showcerts -servername gmail.com -connect gmail.com:443
[should spit out about 127 lines]
<ctrl>-c
[copy the first of 3 'certificates' including the begin & end certificate lines
into a file, I called it google.pem -- that certificate should say
CN=gmail.com two lines above the begin certificate line]
In pidgin:
tools -> certificates
delete gmail.com
add
select the file you saved above (google.pem in my case)
the 'Specify a hostname' popup should contain gmail.com
quit and restart pidgin

I have a 50% success rate with that procedure with a sample of 2.
sphakka
n00b
Joined: 24 Jun 2003
Posts: 72
Posted: Fri Jan 20, 2017 10:02 am

jagdpanther wrote:
The following worked for one of my two Gentoo systems. I don't know why it is not working for the second and I still receive the SSL cert error message:


Thanks jagdpanther. It looks like I'm in the unlucky 50% :-(
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
Posted: Tue Jan 24, 2017 3:10 pm

I removed the "solved" from my title.
Previously the work-around mentioned by Ant P. worked for one of my two Gentoo systems. Now both of my Gentoo systems are having the "Unable to validate certificate" SSL certificate error when I point pidgin at gmail.com.
toralf
Developer
Joined: 01 Feb 2004
Posts: 3613
Location: Hamburg
Posted: Tue Jan 24, 2017 4:21 pm

jagdpanther wrote:
openssl s_client -showcerts -servername gmail.com -connect gmail.com:443
[should spit out about 127 lines]
<ctrl>-c
Pipe the output of echo to it; no ctrl-c is needed:
Code:
echo | openssl s_client -showcerts -servername gmail.com -connect gmail.com:443
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
Posted: Wed Jan 25, 2017 3:26 am

This is just strange. Using the above work-around, Pidgin is now working on both of my Gentoo systems when connected to gmail.com. I wonder how long it will last?
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
Posted: Wed Jan 25, 2017 3:20 pm

> I wonder how long it will last?

To answer my own question, less than a day. It appears that the gmail.com certificate is changing often and pidgin does not update the certificate.

Today when pidgin failed to connect, and gave the same SSL Certificate error, I again used the work-around and pidgin is working again connecting to gmail.com.

After you grab and save the certificate in a file (I named it gmail.pem) you can use the following command to look at its contents. If you keep multiple versions of the file you can see what changes day to day. (not that this helps to fix the pidgin issue -- it just shows a certificate that changes often)

Code:
openssl x509 -in /tmp/gmail.pem -noout -text
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13043
Posted: Thu Jan 26, 2017 1:55 am

It should last until Google changes their certificate. Based on past experience, they seem to rotate the certificates every few weeks.

Note that this workaround completely removes any security associated with the TLS certificate authority design, since you are whitelisting whatever happens to be presented by a machine that claims, without any proof, to be owned by Google.
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 476
Posted: Thu Jan 26, 2017 3:50 am

Hu wrote:
Note that this workaround completely removes any security associated with the TLS certificate authority design, since you are whitelisting whatever happens to be presented by a machine that claims, without any proof, to be owned by Google.


Hi. Thanks for the reply.

Yes, this workaround is very weak in the security realm. Is there a better fix for the Pidgin / gmail.com SSL Certificate error issue?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13043
Posted: Thu Jan 26, 2017 5:31 am

GMail needs to use certificates that are trusted by your local certificate store. The most likely cause for these failures is that they are using a CA that is not known to be trusted. Find the certificate for that CA, verify it to be legitimate, and trust that, not the individual certificates that GMail is rolling out every few days.
ayvango
Tux's lil' helper
Joined: 08 Feb 2012
Posts: 115
Posted: Fri Jan 27, 2017 3:35 pm

Quote:
The most likely cause for these failures is that they are using a CA that is not known to be trusted. Find the certificate for that CA, verify it to be legitimate, and trust that


How could it be done practically? I have zero previous experience with using gnutls and openssl directly.
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5327
Posted: Sat Jan 28, 2017 8:21 pm

Get the CA's certificate as a .pem file, put it in /usr/local/share/ca-certificates, run update-ca-certificates.
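An added example (not code from the thread or from the Pidgin project) that ties together toralf's `echo | openssl s_client -showcerts` command, jagdpanther's "first of 3 certificates" extraction step, and Hu's and Ant P.'s advice to trust the issuing CA rather than the rotating leaf. The script splits a saved s_client transcript into one PEM file per chain member (index 0 is the leaf), prints subject and issuer for each, and then verifies the leaf against the system CA bundle, using the rest of the chain only as untrusted intermediates. The bundle path /etc/ssl/certs/ca-certificates.crt, the script name chaincheck.sh and the output directory name are assumptions; the transcript lines shown in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Pidgin: split the certificate
# chain printed by "echo | openssl s_client -showcerts" into one PEM file per
# certificate and verify the leaf against the system CA bundle, so that the
# CA (not the frequently rotated leaf) is what ends up trusted.

# split_chain SRC OUTDIR
# SRC is a saved s_client transcript. Writes OUTDIR/cert<N>.pem for each
# certificate in the "Certificate chain" section (N is the index s_client
# prints in its " N s:<subject>" lines; 0 is the leaf) and echoes
# "<N> s:<subject> i:<issuer>" for each one. Parsing stops at the
# "Server certificate" header so nothing printed after the chain section is
# mistaken for another chain member.
split_chain() {
    src="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v out="$outdir" '
        /^Server certificate/          { exit }
        /^ *[0-9]+ s:/                 { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ *i:/                        { sub(/^ *i:/, ""); iss = $0; next }
        /^-----BEGIN CERTIFICATE-----/ { f = out "/cert" idx ".pem"; incert = 1 }
        incert                         { print > f }
        /^-----END CERTIFICATE-----/   { incert = 0; close(f); print idx, "s:" subj, "i:" iss }
    ' "$src"
}

# verify_leaf OUTDIR [CA_BUNDLE]
# Builds a path from cert0.pem to a root in the CA bundle, offering
# cert1.pem, cert2.pem, ... only as untrusted intermediates. Exit status is
# that of "openssl verify": 0 means a trusted root was reached. The default
# bundle path is an assumption; pass your own as the second argument.
verify_leaf() {
    dir="$1"
    bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
    set --
    for f in "$dir"/cert[1-9]*.pem; do
        [ -f "$f" ] || continue
        set -- "$@" -untrusted "$f"
    done
    openssl verify -CAfile "$bundle" "$@" "$dir/cert0.pem"
}

# cert_summary FILE
# Shows who issued the certificate and its validity window; comparing this
# across days makes the leaf rotation the thread describes visible.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Usage: sh chaincheck.sh HOST [PORT]   (nothing runs when no host is given)
if [ -n "${1:-}" ]; then
    host="$1"
    port="${2:-443}"
    transcript="$(mktemp)"
    echo | openssl s_client -showcerts -servername "$host" -connect "$host:$port" > "$transcript" 2>/dev/null
    split_chain "$transcript" "./chain-$host"
    cert_summary "./chain-$host/cert0.pem"
    verify_leaf "./chain-$host"
fi
```

If `verify_leaf` fails, the missing piece is a CA certificate, which is what Ant P.'s `update-ca-certificates` step installs (the assumed bundle path is the file that tool maintains). Importing cert0.pem into Pidgin instead only silences the error until the leaf rotates, which is exactly what the thread observed.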
q-parser
n00b
Joined: 11 Jul 2006
Posts: 42
Location: Slovakia
Posted: Wed Feb 01, 2017 11:58 am

I retrieved the certificate from the working pidgin on another system and I could not even import it to pidgin in Gentoo. I copied the pem file to ~/.purple/certificates/x509/tls_peers/, pidgin loads it, but it does not work anyway. This is peculiar.

EDIT: I re-emerged pidgin without -gnutls and it works again. The client now downloads the certificate on its own.
marcv
n00b
Joined: 25 Feb 2006
Posts: 16
Location: Catalonia
Posted: Fri Feb 03, 2017 12:08 pm

USE=-gnutls did the trick for me too, without any manual certificate downloading. I get a warning about how the certificate cannot be trusted because it is for gmail.com rather than talk.google.com, which looks like a very reasonable concern to me. Is this a problem on the server side, then?
_________________
blah.
dbishop
Tux's lil' helper
Joined: 08 Dec 2007
Posts: 99
Posted: Sun Feb 12, 2017 3:35 pm

Actually, this has been going on for quite a few months now. Emerging with -gnutls does make it work. I added the USE flag directive to my /etc/portage/package.use/pidgin file:

Code:
echo "net-im/pidgin -gnutls" >> /etc/portage/package.use/pidgin
emerge -1 pidgin


I have run pidgin from the command line with the -d option, and it clearly shows the issue: the certificate cannot be verified:

Code:
(22:59:59) gnutls/x509: Certificate C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA is issued by C=US,O=Equifax,OU=Equifax Secure Certificate Authority, which does not match C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA.
(22:59:59) gnutls/x509: Certificate C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA is issued by C=US,O=Equifax,OU=Equifax Secure Certificate Authority, which does not match C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA.
(22:59:59) certificate: Failed to verify certificate for gmail.com
(22:59:59) connection: Connection error on 0x21913d0 (reason: 15 description: SSL peer presented an invalid certificate)
(22:59:59) account: Disconnecting account harry@gmail.com/Gaim (0x18dfad0)
(22:59:59) connection: Disconnecting connection 0x21913d0
(22:59:59) connection: Destroying connection 0x21913d0

With the -gnutls option set, all is well -- except that whatever gnutls doesn't like is presumably still an actual issue. But, in keeping with modern culture, I believe everything Google and Wikipedia say are truth and goodness.

----
http://bastiat.org/en/the_law.html