Force Pidgin to acept an invalid certificate

ssl certificates pidgin

I am getting the following error on Pidgin 2.10.10-3.fc20 (libpurple 2.10.10).

How can I force it to accept an invalid certificate?

(According to this bug report it should be capable).

enter image description here

Here's what I have done:

  • visited the domain on Firefox, and exported the certificate
  • imported the certificate on Pidgin tools->certificates
  • Imported the certificate on seahorse (gnome keyring GUI)

Solution 1:

As alternative you can download the ssl certificate by hand. Afterwards pidgin starts without problems. To download the certificate you can use openssl command line utility.

~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER

When the above command fails with "no peer certificate available" then maybe the server uses STARTTLS instead of SSL. In this case use the following command:

~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER -starttls xmpp

Now copy the part beginning with "----BEGIN CERTIFICATE----". If you print the content of the certificate file it looks like the following:

~/.purple/certificates/x509/tls_peers$ cat jabber.ulm.ccc.de 

-----BEGIN CERTIFICATE-----
MIIFXDCCA0QCCQCa5jxvwccm0DANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJE
RTEMMAoGA1UEBxMDVWxtMRUwEwYDVQQLEwxDQ0MgRXJmYSBVbG0xGjAYBgNVBAMT
EWphYmJlci51bG0uY2NjLmRlMSAwHgYJKoZIhvcNAQkBFhFqYWJiZXJAdWxtLmNj
...
3EIpMVk3V1djyj0FEuDaG/o+6BTLCiIMiIUFtbpVz8YZChHbv8ObMJ5JpUIkDfKZ
si1YZKpUYwpVXgTCUml67lArx/sq95OQsDSO3fR1Ch0=
-----END CERTIFICATE-----

Solution 2:

Turns out it there's a bug with certificates in Pidgin 2.10.10 (libpurple 2.10.10):

In version 2.10.10 it's no longer possible to connect to a XMPP server which uses a self signed SSL certificate. The error message is: The certificate for could not be validated. The certificate chain presented is invalid.

The connection is possible if the server certificate is already in the local cache (.purple\certificates\x509\tls_peers). If the certificate is not cached yet (e.g. after a fresh windows/pidgin installation) the connection fails.

Upgrading to 2.10.11 fixes the issue. If you're using an older Ubuntu version like me, you can use the PPA (12.04, 14.04 and 14.10)

Solution 3:

It seems to be important that the name you enter when importing the certificate via ToolsCertificates matches the connect server in the XMPP account configuration. This is the only way I was able to get it to work for the same error.

Connect server and certificate hostname should match

Related

How can I safely shutdown/reboot/logout KDE from the command line?
Many screenshots within a limited time saved directly, without asking for a filename
Suspend and wake PC at certain time
How do you open a command line?
Can I convert a dmg file to iso in terminal?
View list of all available unique icons with their names and thumbnail
What is the difference between dependencies and pre-depends?
Update server php version to 5.4.10 via the command line
What does cd - (cd hyphen) do?
When I use ZSH, how do I set PATH in /etc/profile.d?
Where does chromedriver install to?
Why “which” returns none on some commands I can run? [duplicate]