Invalid certificate about purple-facebook HOT 22 CLOSED

dequis avatar dequis commented on June 2, 2024
Invalid certificate

from purple-facebook.

Comments (22)

jgeboski avatar jgeboski commented on June 2, 2024

Try removing ~/.purple/certificates/x509/tls_peers/fbcdn-profile-a.akamaihd.net and see if that fixes it.

fangfufu avatar fangfufu commented on June 2, 2024

@drJeckyll, has your computer got ca-certificates installed? Or whatever the equivalent package is.

drJeckyll avatar drJeckyll commented on June 2, 2024

@jgeboski: I have no such file
ls -la ~/.purple/certificates/x509/tls_peers/fbcdn-*
ls: cannot access /root/.purple/certificates/x509/tls_peers/fbcdn-*: No such file or directory

@fangfufu: yes
[ebuild R ] app-misc/ca-certificates-20141019.3.19::gentoo USE="cacert" 0 KiB

jgeboski avatar jgeboski commented on June 2, 2024

I was speaking out of my ass there. I think we're going to have to bundle the ca-certs for Facebook stuff, well at least for fbcdn-profile-a.akamaihd.net. The other ca-certs are likely already in pidgin.

A temporary solution: USE=-gnutls emerge -v1 pidgin. This will use OpenSSL instead of GnuTLS, which won't verify.

drJeckyll avatar drJeckyll commented on June 2, 2024

OK - this works. Thanks

psi-4ward avatar psi-4ward commented on June 2, 2024

Similar Problem here:

(20:24:24) jabber: Sending ([email protected]): <?xml version='1.0' ?>
(20:24:24) jabber: Sending ([email protected]): <stream:stream to='chat.facebook.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(20:24:24) jabber: Recv (389): <?xml version='1.0' ?><stream:stream from='chat.facebook.com' id='1' version='1.0' xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>X-FACEBOOK-PLATFORM</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>
(20:24:24) jabber: Sending ([email protected]): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(20:24:25) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(20:24:25) nss: Handshake failed  (-12173)
(20:24:25) connection: Connection error on 0x2295820 (reason: 5 description: SSL-Verhandlung gescheitert)
(20:24:25) account: Disconnecting account [email protected]/ (0xe07d40)

dequis avatar dequis commented on June 2, 2024

...that's jabber. You're not using this plugin. Switch protocol in account settings from "Facebook (XMPP)" to just "Facebook" to use this plugin. Also change the username. Read the README

fangfufu avatar fangfufu commented on June 2, 2024

@drJeckyll, what distro/OS are you running? I am on Debian Stretch, I am not experiencing the same issue. There is a ~/.purple/certificates/x509/tls_peers/fbcdn-profile-a.akamaihd.net on my machine.

drJeckyll avatar drJeckyll commented on June 2, 2024

@fangfufu Gentoo

psi-4ward avatar psi-4ward commented on June 2, 2024

@dequis thank you! I tried both plugins.
Recompiling from master solves the issues for me and Facebook is working again! Very happy.

I'll go and build an AUR package.

mmcco avatar mmcco commented on June 2, 2024

@fangfufu I believe that Pidgin uses its own set of root certificates. @jgeboski just told me that the site in question uses Baltimore CyberTrust Root, which is included.

I'd suggest looking at a debug log of the TLS session negotiation.

I also know that GnuTLS fails to validate certs generated by certain versions of OpenSSL. (As an example, search for issues with Weechat and OFTC.) It'd be interesting to see if this also happens with NSS. Compiling Pidgin with --enable-gnutls=no --enable-nss=yes with NSS and its headers installed should be all you need.

mmcco avatar mmcco commented on June 2, 2024

You should be able to find Pidgin's root certificates in /usr/local/share/purple/ca-certs/ or /usr/share/purple/ca-certs/ depending on your platform and installation method.

jgeboski avatar jgeboski commented on June 2, 2024

When --with-system-ssl-certs is used (Gentoo uses it), the Baltimore_CyberTrust_Root.pem CA is not installed to /usr/share/purple/ca-certs. Even with Baltimore_CyberTrust_Root.pem being manually installed, the warning still occurs. I can only assume there is some sort of priority ordering with the system SSL path being used before libpurple's.

$ sha1sum /etc/ssl/certs/Baltimore_CyberTrust_Root.pem share/ca-certs/Baltimore_CyberTrust_Root.pem 
af85a7fc0168709909e5d9cc2f60609c51c8fec7  /etc/ssl/certs/Baltimore_CyberTrust_Root.pem
c103790503bf8c2ff3f119adee027ebb429b9d21  share/ca-certs/Baltimore_CyberTrust_Root.pem

EDIT: The differing checksums are simply due to differing line endings.

mmcco avatar mmcco commented on June 2, 2024

> I can only assume there is some sort of priority ordering with the system SSL path being used before libpurple's.

You're right - looking at your debug log, it's using certs in /etc/ssl/certs before /usr/share/purple/ca-certs.

jorgicio avatar jorgicio commented on June 2, 2024

I compiled Pidgin with GNUTLS disabled in Gentoo, and it worked.

jgeboski avatar jgeboski commented on June 2, 2024

Yeah, I really have no idea why this is not working. It seems like it might be a pidgin bug.

tonyvroon avatar tonyvroon commented on June 2, 2024

The "purple-facebook" package is now in Gentoo. No ~/.purple/certificates/x509/tls_peers/fbcdn-profile-a.akamaihd.net exists and the popup spam occurs. Is a fix pending or shall I temporarily depend on net-im/pidgin with the gnutls USE-flag unset?

jgeboski avatar jgeboski commented on June 2, 2024

@gentoochainsaw I am still poking around as we speak. I don't have a time frame, especially if it is an issue upstream. For now it probably would not hurt to negate the USE flag.

tonyvroon avatar tonyvroon commented on June 2, 2024
  • 15 Jul 2015; Tony Vroon [email protected]
  • purple-facebook-20150713.ebuild:
  • Require GNUTLS to be disabled in Pidgin to work around a certificate issue,
  • upstream issue report #13. As agreed with upstream developer.

jgeboski avatar jgeboski commented on June 2, 2024

Alright, I found the issue: GTE_CyberTrust_Global_Root.pem is missing. Pidgin is relying on the system's Baltimore_CyberTrust_Root.pem, which should also be distributing GTE_CyberTrust_Global_Root.pem. Had --with-system-ssl-certs been negated, Pidgin would have installed Baltimore_CyberTrust_Root.pem along with GTE_CyberTrust_Global_Root.pem.

This looks like it might be a bug with ca-certificates. In any event, systems using GnuTLS, ca-certificates, and pidgin with --with-system-ssl-certs will experience this issue. As a result, I am going to have automake drop GTE_CyberTrust_Global_Root.pem inside the pidgin certificate directory with an autoconf flag.

from purple-facebook.
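
The two checks this thread relies on (comparing a CA file across the system and libpurple directories, and finding which required root is absent from the search path), as an added example that is not part of the original thread or the project's code. The function names, the temporary directories and the placeholder PEM are constructed for illustration; the fingerprint is taken over the decoded certificate bytes so that differing line endings do not change it.

```shell
#!/bin/sh
# Added example. File contents and directories are constructed sample data.

# SHA-1 of the DER bytes inside a PEM file; CR/LF differences are ignored.
pem_fingerprint() {
    tr -d '\r' < "$1" |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' |
        grep -v '^-----' | base64 -d | sha1sum | cut -d' ' -f1
}

# Print the first directory, in search order, that holds the named CA file.
first_dir_with() {
    name=$1; shift
    for dir in "$@"; do
        [ -f "$dir/$name" ] && { printf '%s\n' "$dir"; return 0; }
    done
    return 1
}

# Print each required CA file name that no directory in the path provides.
missing_roots() {
    required=$1; shift
    for ca in $required; do
        first_dir_with "$ca" "$@" >/dev/null || printf '%s\n' "$ca"
    done
}

# Build a throwaway "system" and "purple" CA directory holding the same
# placeholder PEM (not a real certificate), once with LF and once with CRLF.
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/system" "$root/purple"
    body=$(printf 'constructed placeholder bytes, not a real certificate' | base64)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE-----' > "$root/system/Baltimore_CyberTrust_Root.pem"
    awk '{ printf "%s\r\n", $0 }' "$root/system/Baltimore_CyberTrust_Root.pem" \
        > "$root/purple/Baltimore_CyberTrust_Root.pem"
    printf '%s\n' "$root"
}

sample=$(make_sample)
need='Baltimore_CyberTrust_Root.pem GTE_CyberTrust_Global_Root.pem'
echo "system: $(pem_fingerprint "$sample/system/Baltimore_CyberTrust_Root.pem")"
echo "purple: $(pem_fingerprint "$sample/purple/Baltimore_CyberTrust_Root.pem")"
echo "missing: $(missing_roots "$need" "$sample/system" "$sample/purple")"
rm -rf "$sample"
```

On a real system, pass the actual search directories in the order the TLS backend consults them, for example `/etc/ssl/certs` before `/usr/share/purple/ca-certs`.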

jgeboski avatar jgeboski commented on June 2, 2024

An option to enable the installation of the missing certificate has been added as of 24a7e63. This patch is included in the latest release (305f27dd23c0).

@gentoochainsaw You will need to add --with-ssl-certs to the ebuild for this to install the missing CA.

nicolas-raoul avatar nicolas-raoul commented on June 2, 2024

This is happening again, on Ubuntu 2015.04 with up-to-date purple-facebook

$ apt-cache policy purple-facebook                                       
purple-facebook:
  Installed: 20150915~4f84a8a~6a0a79182ebc~23
  Candidate: 20150915~4f84a8a~6a0a79182ebc~23
  Version table:
 *** 20150915~4f84a8a~6a0a79182ebc~23 0
        500 http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_15.04/ ./ Packages
        100 /var/lib/dpkg/status
     0.0.0-1+git20150810+1~vivid 0
        500 http://ppa.launchpad.net/nilarimogard/webupd8/ubuntu/ vivid/main amd64 Packages
$ apt-cache policy pidgin
pidgin:
  Installed: 1:2.10.9-0ubuntu8
  Candidate: 1:2.10.9-0ubuntu8
  Version table:
 *** 1:2.10.9-0ubuntu8 0
        500 http://archive.ubuntu.com/ubuntu/ vivid/main amd64 Packages
        100 /var/lib/dpkg/status
