Force Pidgin to acept an invalid certificate

Question

I am getting the following error on Pidgin 2.10.10-3.fc20 (libpurple 2.10.10).

How can I force it to accept an invalid certificate?

(According to this bug report it should be capable).

enter image description here

Here's what I have done:

visited the domain on Firefox, and exported the certificate
imported the certificate on Pidgin tools->certificates
Imported the certificate on seahorse (gnome keyring GUI)

Please add the Ubuntu version and the source for this Pidgin version. — A.B., Apr 24 '15 at 14:18
Did you see [this](https://developer.pidgin.im/ticket/6664#comment:9)? Maybe somebody could work with that information... — Byte Commander, Apr 24 '15 at 14:31
@ByteCommander the link you provided is just a proposition mockup. I'd *love* to see it implement, but I'm no developer. — That Brazilian Guy, Apr 24 '15 at 14:42
@A.B. Did you edit the source already? If yes I'll move to something else :) — kos, Apr 24 '15 at 15:05

score 17 · Answer 1 · edited Jan 15 '16 at 10:27

As alternative you can download the ssl certificate by hand. Afterwards pidgin starts without problems. To download the certificate you can use openssl command line utility.

~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER

When the above command fails with "no peer certificate available" then maybe the server uses STARTTLS instead of SSL. In this case use the following command:

~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER -starttls xmpp

Now copy the part beginning with "----BEGIN CERTIFICATE----". If you print the content of the certificate file it looks like the following:

~/.purple/certificates/x509/tls_peers$ cat jabber.ulm.ccc.de 

-----BEGIN CERTIFICATE-----
MIIFXDCCA0QCCQCa5jxvwccm0DANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJE
RTEMMAoGA1UEBxMDVWxtMRUwEwYDVQQLEwxDQ0MgRXJmYSBVbG0xGjAYBgNVBAMT
EWphYmJlci51bG0uY2NjLmRlMSAwHgYJKoZIhvcNAQkBFhFqYWJiZXJAdWxtLmNj
...
3EIpMVk3V1djyj0FEuDaG/o+6BTLCiIMiIUFtbpVz8YZChHbv8ObMJ5JpUIkDfKZ
si1YZKpUYwpVXgTCUml67lArx/sq95OQsDSO3fR1Ch0=
-----END CERTIFICATE-----

Place the file in the directory ~/.purple/certificates/x509/tls_peers/ And it is important that the filename is the DNS name of the jabber server. Therefore if your jabber account is user123@jabber.ulm.ccc.de then you have to create the file: ~/.purple/certificates/x509/tls_peers/jabber.ulm.ccc.de — Martin, May 16 '15 at 16:19
The above comment by @Martin should be included in the answer, as it is very important to make this work. Workaround confirmed on Kubuntu 15.04 with Pidgin 2.10.9 (libpurple 2.10.9). — Bastien, Oct 02 '15 at 11:25

score 11 · Accepted Answer · answered May 05 '15 at 17:52

11

Turns out it there's a bug with certificates in Pidgin 2.10.10 (libpurple 2.10.10):

In version 2.10.10 it's no longer possible to connect to a XMPP server which uses a self signed SSL certificate. The error message is: The certificate for could not be validated. The certificate chain presented is invalid.

The connection is possible if the server certificate is already in the local cache (.purple\certificates\x509\tls_peers). If the certificate is not cached yet (e.g. after a fresh windows/pidgin installation) the connection fails.

Upgrading to 2.10.11 fixes the issue. If you're using an older Ubuntu version like me, you can use the PPA (12.04, 14.04 and 14.10)

answered May 05 '15 at 17:52

That Brazilian Guy

4,010
7
25
43

2

Unfortunatelly, upgrading to `pidgin 2.10.11` in `Ubuntu 15.04` does not help. I've just checked it and see that the problem remains unsolved. – Jacobian Aug 22 '15 at 19:51
@Jacobian Have you upgraded *both* Pidgin and libpurple? – That Brazilian Guy Sep 07 '15 at 15:15
2

Yes, it wouldn't work for me until I removed libpurple: `sudo apt-get remove libpurple0` and then reinstalled `sudo apt-get install pidgin` – EoghanM Nov 25 '15 at 17:55
That feeling, when a year obsolete PPA is 2 versions higher than the official repository. – Hi-Angel Apr 26 '16 at 12:03

score 2 · Answer 3 · edited Jul 16 '15 at 16:40

2

It seems to be important that the name you enter when importing the certificate via Tools→Certificates matches the connect server in the XMPP account configuration. This is the only way I was able to get it to work for the same error.

Connect server and certificate hostname should match

edited Jul 16 '15 at 16:40

Fabby

34,341
38
97
191

answered Jul 13 '15 at 13:15

tobigue

121
4

1

Welcome To Ask Ubuntu! Could you elaborate on that (E.G. Provide an example command)? If it's a good one, and you leave me a note, I'll come back and upvote! **;-)** – Fabby Jul 13 '15 at 21:37
1

@Fabby thanks, I added a Screenshot to make it more clear, no commands needed. – tobigue Jul 16 '15 at 14:05
An edit *and* an up-vote! **;-)** – Fabby Jul 16 '15 at 16:41
After hours spent to resolve `(15:24:43) nss: ERROR -8101: SEC_ERROR_INADEQUATE_CERT_TYPE (15:24:43) nss: subject name not verified` This was the solution!! Thanks!! – matteolel Jan 29 '19 at 15:18

score 2 · Answer 4 · edited Jun 12 '20 at 14:37

2

Another workaround is to import the name of the server specified in the error like myserver.chat.com. For example:

Open the Firefox browser and put the URL: HTTPS://mysever.chat.com, you'll get an error:
Select, Advanced option then Add Exception. A popup for the certificate will open.
Then click Advanced -> Details -> Export
Save the certificate somewhere
Open Pidgin, go to Tools -> Certificates -> Add Now save the certificate with the same common name as the error in the beginning.

Finally, try to reconnect.

edited Jun 12 '20 at 14:37

Community

1

answered Apr 08 '16 at 10:38

Y Melo

181
1
3

If a (working) client on any other machine is available, exporting the certificate from there and importing it again like you described (both using the certificate manager) works also. – bully Jun 01 '16 at 11:27

score 2 · Answer 5 · answered Sep 19 '16 at 13:23

Easy Way,

Close Pidgin
Find your certificates folder (Windows: %appdata%\.purple) (Linux: /home/<Username>/.purple/certificates/x509/tls_peers)
Delete everything in the certificate folder.
Restart pidgin and eventually you should get a new certificate that works.

P.S: Windows users who aren’t familiar with %appdata% just type %appdata%\.purple in your address bar and press enter.

score 1 · Answer 6 · edited Jun 07 '19 at 19:39

1

You can use Pidgin-developers PPA to resolve it. I installed pidgin packages and libpurple from that source and it solved my problem with accessing Lync 2013 resources. Now it can automatically allow certificates (show dialog to accept or reject unknown certificate). Have you tried that? If you used 15.04 there is also a workaround to download a few packages and replace old ones with new. I tested it on 15.04 already, it works.

edited Jun 07 '19 at 19:39

poleguy

135
6

answered Apr 29 '15 at 12:56

user3417815

707
6
15

It would be helpful if you could share what "few packages" to download and what to replace. The catch, is I now have 15.04 and pidgin 2.10.11, but still have this notorious error message about certificates. – Jacobian Aug 22 '15 at 19:56
All these packages in pidgin repo, you'll find them when try to install pidgin and libourple OR you can add pidgin repo with previous distro version to sources.list and do usual install, it will install all dependencies automatically, but please check pidgin PPA, maybe it already have version for vivid – user3417815 Aug 27 '15 at 11:49
Well, messages about certificates still exist in pidgin, but you'll now be able to accept certificate for each session – user3417815 Aug 27 '15 at 11:50
so, if they are already there in the repo, why they are not installed automatically? And can, you, please, name some of these packages, so that I could locate them? And would you be so kind to share how this packages should be installed (separately from pidgin or using ./configure or else?), otherwise "usual install" sounds to vague. – Jacobian Aug 27 '15 at 14:55
As I said it's PPA, but you can check it and probably will find it doesn't have builds especially for 15.04. So if you add it as PPA, you probably won't be able to install any packages from there. Does it make sence? I'm sorry, checked this PPA about month ago, there were still no builds for vivid. – user3417815 Aug 28 '15 at 18:44

score 1 · Answer 7 · answered Sep 07 '16 at 14:23

I was able to get around the certificate issue by manually replacing it with a saved copy a couple of times. Stopped working after that, and upgrading to 2.11 didn't seem to help.

If you build from source, one thing to try is to modify the source code for libpurple/certificates.c ; moving the PURPLE_CERTIFICATE_FATALS_MASK check under the PURPLE_CERTIFICATE_NON_FATALS_MASK check to prompt the user but allow the certificate if accepted. Probably not the safest thing to do, but worked for me.

score 0 · Answer 8 · edited Mar 18 '16 at 05:48

0

Force pidgin to download new certificates.

rm ~/.purple/certificates/x509/tls_peers/*

Close and re-open pidgin.

ls ~/.purple/certificates/x509/tls_peers/*

Now this should list newly downloaded certificates.

edited Mar 18 '16 at 05:48

techraf

3,306
10
26
37

answered Mar 18 '16 at 04:59

Binoy

1
1

Force Pidgin to acept an invalid certificate

8 Answers8