Comments (22)
Try removing ~/.purple/certificates/x509/tls_peers/fbcdn-profile-a.akamaihd.net
and see if that fixes it.
from purple-facebook.
@drJeckyll, has your computer got ca-certificates installed? Or whatever the equivalent package is.
from purple-facebook.
@jgeboski: I have no such file
ls -la ~/.purple/certificates/x509/tls_peers/fbcdn-*
ls: cannot access /root/.purple/certificates/x509/tls_peers/fbcdn-*: No such file or directory
@fangfufu: yes
[ebuild R ] app-misc/ca-certificates-20141019.3.19::gentoo USE="cacert" 0 KiB
from purple-facebook.
I was speaking out of my ass there. I think we're going to have to bundle the ca-certs for Facebook stuff, well at least for fbcdn-profile-a.akamaihd.net
. The other ca-certs are likely already in pidgin.
A temporary solution: USE=-gnutls emerge -v1 pidgin
. This will use OpenSSL instead of GnuTLS, which won't verify.
from purple-facebook.
OK - this works. Thanks
from purple-facebook.
Similar Problem here:
(20:24:24) jabber: Sending ([email protected]): <?xml version='1.0' ?>
(20:24:24) jabber: Sending ([email protected]): <stream:stream to='chat.facebook.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(20:24:24) jabber: Recv (389): <?xml version='1.0' ?><stream:stream from='chat.facebook.com' id='1' version='1.0' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>X-FACEBOOK-PLATFORM</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>
(20:24:24) jabber: Sending ([email protected]): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(20:24:25) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(20:24:25) nss: Handshake failed (-12173)
(20:24:25) connection: Connection error on 0x2295820 (reason: 5 description: SSL-Verhandlung gescheitert)
(20:24:25) account: Disconnecting account [email protected]/ (0xe07d40)
from purple-facebook.
...that's jabber. You're not using this plugin. Switch protocol in account settings from "Facebook (XMPP)" to just "Facebook" to use this plugin. Also change the username. Read the README
from purple-facebook.
@drJeckyll, what distro/OS are you running? I am on Debian Stretch, I am not experiencing the same issue. There is a ~/.purple/certificates/x509/tls_peers/fbcdn-profile-a.akamaihd.net
on my machine.
from purple-facebook.
@fangfufu Gentoo
from purple-facebook.
@dequis thank you! i tried both plugins.
Recompiling from master solves the issues for me and facebook is working again! very happy
Ill go and build a AUR Package
from purple-facebook.
@fangfufu I believe that Pidgin uses its own set of root certificates. @jgeboski just told me that the site in question uses Baltimore CyberTrust Root, which is included.
I'd suggest looking at a debug log of the TLS session negotiation.
I also know that GnuTLS fails to validate certs generated by certain versions of OpenSSL. (As an example, search for issues with Weechat and OFTC.) It'd be interesting to see if this also happens with NSS. Compiling Pidgin with --enable-gnutls=no --enable-nss=yes
with NSS and its headers installed should be all you need.
from purple-facebook.
You should be able to find Pidgin's root certificates in /usr/local/share/purple/ca-certs/
or /usr/share/purple/ca-certs/
depending on your platform and installation method.
from purple-facebook.
When --with-system-ssl-certs
is used (Gentoo uses it), the Baltimore_CyberTrust_Root.pem
CA is not installed to /usr/share/purple/ca-certs
. Even with Baltimore_CyberTrust_Root.pem
being manually installed, the warning still occurs. I can only assume there is some sort of priority ordering with the system SSL path being used before libpurple's.
$ sha1sum /etc/ssl/certs/Baltimore_CyberTrust_Root.pem share/ca-certs/Baltimore_CyberTrust_Root.pem
af85a7fc0168709909e5d9cc2f60609c51c8fec7 /etc/ssl/certs/Baltimore_CyberTrust_Root.pem
c103790503bf8c2ff3f119adee027ebb429b9d21 share/ca-certs/Baltimore_CyberTrust_Root.pem
EDIT: The differing checksums are simply due to differing line endings.
from purple-facebook.
I can only assume there is some sort of priority ordering with the system SSL path being used before libpurple's.
You're right - looking at your debug log, it's using certs in /etc/ssl/certs
before /usr/share/purple/ca-certs
.
from purple-facebook.
I compiled Pidgin with GNUTLS disabled in Gentoo, and it worked.
from purple-facebook.
Yeah, I really have no idea why this is not working. It seems like it might be a pidgin bug.
from purple-facebook.
The "purple-facebook" package is now in Gentoo. No ~/.purple/certificates/x509/tls_peers/fbcdn-profile-a.akamaihd.net exists and the popup spam occurs. Is a fix pending or shall I temporarily depend on net-im/pidgin with the gnutls USE-flag unset?
from purple-facebook.
@gentoochainsaw I am still poking around as we speak. I don't have a time frame, especially if it is an issue upstream. For now it probably would not hurt to negate the USE flag.
from purple-facebook.
- 15 Jul 2015; Tony Vroon [email protected]
- purple-facebook-20150713.ebuild:
- Require GNUTLS to be disabled in Pidgin to work around a certificate issue,
- upstream issue report #13. As agreed with upstream developer.
from purple-facebook.
Alright, I found the issue: GTE_CyberTrust_Global_Root.pem
is missing. Pidgin is relying on the system's Baltimore_CyberTrust_Root.pem
, which should also be distributing GTE_CyberTrust_Global_Root.pem
. Had --with-system-ssl-certs
been negated, Pidgin would have installed Baltimore_CyberTrust_Root.pem
along with GTE_CyberTrust_Global_Root.pem
.
This looks like it might be a bug with ca-certificates. In any event, systems using GnuTLS, ca-certificates, and pidgin with --with-system-ssl-certs
will experience this issue. As a result, I am going to have automake drop GTE_CyberTrust_Global_Root.pem
inside the pidgin certificate directory with an autoconf flag.
from purple-facebook.
An option to enable the installation of the missing certificate has been added as of 24a7e63. This patch is included in the latest release (305f27dd23c0).
@gentoochainsaw You will need to add --with-ssl-certs
to the ebuild for this to install the missing CA.
from purple-facebook.
This is happening again, on Ubuntu 2015.04 with up-to-date purple-facebook
$ apt-cache policy purple-facebook
purple-facebook:
Installed: 20150915~4f84a8a~6a0a79182ebc~23
Candidate: 20150915~4f84a8a~6a0a79182ebc~23
Version table:
*** 20150915~4f84a8a~6a0a79182ebc~23 0
500 http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_15.04/ ./ Packages
100 /var/lib/dpkg/status
0.0.0-1+git20150810+1~vivid 0
500 http://ppa.launchpad.net/nilarimogard/webupd8/ubuntu/ vivid/main amd64 Packages
$ apt-cache policy pidgin
pidgin:
Installed: 1:2.10.9-0ubuntu8
Candidate: 1:2.10.9-0ubuntu8
Version table:
*** 1:2.10.9-0ubuntu8 0
500 http://archive.ubuntu.com/ubuntu/ vivid/main amd64 Packages
100 /var/lib/dpkg/status
from purple-facebook.
Related Issues (20)
- Packages for newer distros
- "User must verify their account on www.facebook.com (405)" HOT 1
- Xorg crashes when messaging on Facebook HOT 1
- New parsing issue: unexpected identifier `taNewMessage` HOT 3
- b-api.facebook.com certificate prompts in Pidgin. HOT 5
- Did your Facebook account get locked due to Pidgin's third party's Messenger log in? HOT 8
- About 2 step varification code HOT 8
- Another taNewMessage parse error HOT 1
- JSON Data should be UTF-8 encoded
- jgeboski's repository is gone HOT 4
- ERROR_QUEUE_OVERFLOW on connection, on latest release (0.9.6)
- messenger images don't show in finch HOT 3
- Issue updating pidgin
- can no longer login, "invalid username or password" HOT 1
- Unknown error HOT 18
- "You're temporarily blocked" HOT 2
- Mit HOT 1
- Login Approvals HOT 2
- End-to-End Encryption and purple-facebook HOT 24
- can't send messages anymore HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from purple-facebook.