Force Pidgin to accept an invalid certificate

I am getting the following error on Pidgin 2.10.10-3.fc20 (libpurple 2.10.10).

How can I force it to accept an invalid certificate?

(According to this bug report it should be capable).


Here's what I have done:

  • visited the domain on Firefox, and exported the certificate
  • imported the certificate on Pidgin tools->certificates
  • Imported the certificate on seahorse (gnome keyring GUI)

Solution 1:

As an alternative, you can download the SSL certificate by hand. Afterwards Pidgin starts without problems. To download the certificate you can use the openssl command line utility.

~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER  

When the above command fails with "no peer certificate available" then maybe the server uses STARTTLS instead of SSL. In this case use the following command:

~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER -starttls xmpp

Now copy the part beginning with "-----BEGIN CERTIFICATE-----". If you print the content of the certificate file it looks like the following:

~/.purple/certificates/x509/tls_peers$ cat jabber.ulm.ccc.de 

-----BEGIN CERTIFICATE-----
MIIFXDCCA0QCCQCa5jxvwccm0DANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJE
RTEMMAoGA1UEBxMDVWxtMRUwEwYDVQQLEwxDQ0MgRXJmYSBVbG0xGjAYBgNVBAMT
EWphYmJlci51bG0uY2NjLmRlMSAwHgYJKoZIhvcNAQkBFhFqYWJiZXJAdWxtLmNj
...
3EIpMVk3V1djyj0FEuDaG/o+6BTLCiIMiIUFtbpVz8YZChHbv8ObMJ5JpUIkDfKZ
si1YZKpUYwpVXgTCUml67lArx/sq95OQsDSO3fR1Ch0=
-----END CERTIFICATE-----

Solution 2:

Turns out there's a bug with certificates in Pidgin 2.10.10 (libpurple 2.10.10):

In version 2.10.10 it's no longer possible to connect to an XMPP server which uses a self-signed SSL certificate. The error message is: The certificate for could not be validated. The certificate chain presented is invalid.

The connection is possible if the server certificate is already in the local cache (.purple\certificates\x509\tls_peers). If the certificate is not cached yet (e.g. after a fresh windows/pidgin installation) the connection fails.

Upgrading to 2.10.11 fixes the issue. If you're using an older Ubuntu version like me, you can use the PPA (12.04, 14.04 and 14.10).

Solution 3:

It seems to be important that the name you enter when importing the certificate via Tools->Certificates matches the connect server in the XMPP account configuration. This is the only way I was able to get it to work for the same error.

Connect server and certificate hostname should match
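
The manual steps from Solution 1, with the file named after the connect server as Solution 3 requires, as an added shell example that is not part of the original answers. It stores the certificate only when its SHA-256 fingerprint equals one you supply. The script name pin.sh, the function names and the out-of-band fingerprint from the server operator are assumptions of this example.

```shell
#!/bin/sh
# Added example: cache a server certificate for Pidgin only after its
# fingerprint matches a value obtained out of band (assumption).

# Print the first PEM certificate block found on stdin (s_client output).
extract_leaf_pem() {
    awk '/^-----BEGIN CERTIFICATE-----/ && !done { on = 1 }
         on { print }
         /^-----END CERTIFICATE-----/ && on { on = 0; done = 1 }'
}

# Write the certificate read from stdin to DIR/HOST; fail if none was sent.
save_cert() {   # usage: save_cert HOST DIR < s_client-output
    mkdir -p "$2" || return 1
    extract_leaf_pem >"$2/$1"
    if ! grep -q '^-----END CERTIFICATE-----' "$2/$1"; then
        rm -f "$2/$1"
        echo "no peer certificate available" >&2
        return 1
    fi
}

# SHA-256 fingerprint of a PEM file as upper-case hex without colons.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# usage: pin.sh HOST PORT EXPECTED_SHA256 [starttls]
if [ "$#" -ge 3 ]; then
    host=$1 port=$2 dir="$HOME/.purple/certificates/x509/tls_peers"
    want=$(printf '%s' "$3" | tr -d ':' | tr 'a-f' 'A-F')
    stage=$(mktemp -d) || exit 1   # keep unverified data out of the cache
    if [ "${4:-}" = starttls ]; then set -- -starttls xmpp; else set --; fi
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null |
        save_cert "$host" "$stage" || { rm -rf "$stage"; exit 1; }
    if [ "$(fingerprint "$stage/$host")" = "$want" ]; then
        mkdir -p "$dir" && mv "$stage/$host" "$dir/$host" &&
            echo "pinned $dir/$host"
    else
        echo "fingerprint mismatch, certificate not stored" >&2
        rm -rf "$stage"; exit 1
    fi
    rm -rf "$stage"
fi
```

Pass `starttls` as the fourth argument for servers that need the `-starttls xmpp` variant of the command.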