Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#12906 closed defect (fixed)

Unable to validate certificate

Reported by: Anthara Owned by: QuLogic
Milestone: 2.7.7 Component: MSN
Version: 2.7.5 Keywords:
Cc: novasource, darkrain42, guru, janvlug

Description

This morning my Pidgin started to disconnect me from MSN all the time, giving me the message "unable to validate certificate. The certificate for omega.contacts.msn.com could not be validated. The certificate chain presented is invalid". After a few minutes it worked again, but now it does not work at all anymore. I updated Pidgin to the newest version and I'm not using any kind of plugins.

Change History (128)

comment:1 Changed 6 years ago by bernmeister

I found that if I tried to reconnect, after about 20 attempts it finally connected. I don't know if I'll have to go through the same thing if I restart Pidgin...

Just keep persisting and you hopefully will connect.

Dunno if this is an actual issue which can be fixed in code.

comment:2 Changed 6 years ago by GingerDog

I'm seeing the same issue - Ubuntu maverick's stock version AND Pidgin 1:2.7.5-1ubuntu2+pidgin1.10.10 via the ppa...

I've tried deleting the cached certs using :

rm ~/.purple/certificates/x509/tls_peers/login.live.com
rm ~/.purple/certificates/x509/tls_peers/*.passport.com
rm ~/.purple/certificates/x509/tls_peers/*.msn.com

and restarting pidgin, but this made no difference.

comment:3 Changed 6 years ago by drunkenmonkey

Woke up this morning (about 30 mins ago) and found I've got a similar problem. I had about 20 windows saying 'Unable to validate certificate' for omega.contacts.msn.com, closed them all and a couple more popped up over about 5-10 mins. No more since. I can see my contacts and it seems to be working ok, my contacts are all offline atm so I haven't tried sending or receiving msgs, but one contact did log in quickly before. Pretty sure my contacts were showing up even when I was getting the error msg.

Tried doing a search for the problem, but couldn't find much.

Ps. I'm on lucid

comment:4 Changed 6 years ago by Dimmuxx

Ticket #12908 has been marked as a duplicate of this ticket.

comment:5 follow-up: Changed 6 years ago by Dimmuxx

  • Resolution set to worksforme
  • Status changed from new to closed

This will be fixed sooner or later, all servers just need to be updated.

comment:6 Changed 6 years ago by Dimmuxx

Ticket #12910 has been marked as a duplicate of this ticket.

comment:7 Changed 6 years ago by Dimmuxx

Ticket #12912 has been marked as a duplicate of this ticket.

comment:8 Changed 6 years ago by Dimmuxx

Ticket #12913 has been marked as a duplicate of this ticket.

comment:9 Changed 6 years ago by Dimmuxx

Ticket #12914 has been marked as a duplicate of this ticket.

comment:10 Changed 6 years ago by nitewynd

How can this be marked as closed? I don't see any resolution in the thread. The only thing I see is that "It will be fixed sooner or later". What kind of a response is that?

comment:11 Changed 6 years ago by togsniper

I agree with nitewynd, you should leave it open so that people stop creating new tickets and have somewhere to discuss possible resolutions to the problem.

comment:12 follow-up: Changed 6 years ago by SamuelC

The problem isn't on Pidgin's end – it's a misconfiguration of the MSN servers. Therefore, the Pidgin development team can do nothing about it. However, “worksforme” is not at all an appropriate resolution – “wontfix” (if Trac has that resolution) would be more appropriate.

On that note, this does reveal a problem with Pidgin's error handling: I leave Pidgin running 24/7, and when I got to my desk this morning, I found maybe a dozen of these error windows. Not cool, Pidgin.

comment:13 Changed 6 years ago by nitewynd

I wonder if the notion that this is an MSN problem is actually incorrect. I can't function without a viable IM client so I decided to try DIGSBY. It seems to work perfectly with exactly the same IM accounts that I have with MSN and Yahoo. I would think that if this is a M$ problem, the error would occur in other software. It doesn't, so I wonder what that means.

comment:14 Changed 6 years ago by SamuelC

I haven't tried another client myself, but I would guess that the reason other clients don't freak out so much is because they're not as bothered by broken SSL certificates, whereas Pidgin really wants everything SSL-related to be in good order (as it should!).

comment:15 Changed 6 years ago by SamuelC

<nosnilmot removed this comment because it is not a good solution to the problem>

comment:16 in reply to: ↑ 5 Changed 6 years ago by nosnilmot

  • Resolution worksforme deleted
  • Status changed from closed to new

Replying to Dimmuxx:

This will be fixed sooner or later, all servers just need to be updated.

It's more likely it will break for everyone sooner or later than it will magically fix itself.

The problem is the MSN servers do not return intermediate certificates in the SSL certificate chain, requiring us to bundle the intermediates with Pidgin. In this case it appears they have both renewed the certificate for omega.contacts.msn.com and also replaced or renewed the intermediate certificate that signed it ("Microsoft_Secure_Server_Authority").

What isn't clear to me is if we need to continue to include the older certificate with the same DN (which doesn't actually expire until 2011-02-19).

comment:17 Changed 6 years ago by okms

I can confirm SamuelC's findings/tempfix. Replaced certificate in '.purple\certificates\x509\tls_peers' and now login works fine.

comment:18 follow-ups: Changed 6 years ago by dclaarit

<nosnilmot removed this comment because it is not a good solution to the problem>

comment:19 Changed 6 years ago by untit1ed

I have the same problem on 2 different machines. As a temporary solution keep retrying and it will eventually connect properly.

comment:20 Changed 6 years ago by konijn

I can confirm dclaarit's solution, it works.

comment:21 follow-up: Changed 6 years ago by DougMelvin

If you find that this solution does not work for you (as it did fail for me) then you must update to the latest version.

I can tell you that this solution fails on 2.7.2. on Windows 7 Pro x64

Works a treat on 2.7.5

comment:22 in reply to: ↑ 18 Changed 6 years ago by jslopez

Replying to dclaarit: [...]

With your browser, go to https://omega.contracts.msn.com. It will give you "Directory Listing Denied"

[...]

Just a typo-correction, it is https://omega.contacts.msn.com.

comment:23 Changed 6 years ago by deryni

Ticket #12916 has been marked as a duplicate of this ticket.

comment:24 Changed 6 years ago by Dimmuxx

Ticket #12917 has been marked as a duplicate of this ticket.

comment:25 in reply to: ↑ 21 Changed 6 years ago by konijn

Replying to DougMelvin:

If you find that this solution does not work for you (as it did fail for me) then you must update to the latest version.

I can tell you that this solution fails on 2.7.2. on Windows 7 Pro x64

Works a treat on 2.7.5

Confirmed on 2.7.4 (Win7) too.

comment:26 Changed 6 years ago by nosnilmot@…

(In cd236baf6d00f3e1561a40974ce1828b793ea187):
Add new intermediate certificates that Microsoft have started using to sign the SSL cert for omega.contacts.msn.com, because their server admins are incompetent and are still supplying the old intermediates on the wire.

References #12906

comment:27 in reply to: ↑ 18 Changed 6 years ago by Daioh

Replying to dclaarit:

How to replace your certificate (the GUI method):

Doesn't work for me on Pidgin 2.7.5, Windows 7 64bit. Saved the certificate, added the certificate, deleted the old one. Even restarted Pidgin... I keep getting 'The certificate chain presented is invalid.'

comment:28 in reply to: ↑ 18 ; follow-up: Changed 6 years ago by latinsud

Replying to dclaarit:

How to replace your certificate (the GUI method):

Doesn't work for me (Pidgin 2.7.3 Debian Squeeze).

Btw, the cert at https://omega.contacts.msn.com/ is issued for "*.contacts.msn.com". Don't know if that matters.

comment:29 Changed 6 years ago by boynas

Yes it matters. Make sure that when you add it you remove the '*' and replace it with 'omega'

comment:30 in reply to: ↑ 28 Changed 6 years ago by latinsud

Tried again and it worked! Tips:

The SHA1 of the correct certificate is AC:7E:E4:5F:97:B8:7E:F0:0B:AC:A6:51:9F:BA:51:F0:AD:73:17:8B. Reload/reboot/whatever until you get that one in firefox.

When importing to pidgin it is important that you set the correct name for it: omega.contacts.msn.com

comment:31 Changed 6 years ago by clmcavaney

Thanks for the SHA1 latinsud, I followed dclaarit's method, but there must be some caching going on out there.

All working with Pidgin 2.7.5 in Windows XP 32-bit.

comment:32 Changed 6 years ago by olden

FWIW, Konqueror also doesn't trust https://omega.contacts.msn.com/

Maybe MS balances load over a bunch of servers with now inconsistent certificates, and/or not all are "chained" properly.

Like others, I just let Pidgin reconnect until it was happy. One cert it liked was for *.contacts.msn.com, 22 Jun 2010 ~ 22 Jun 2011 and its SHA1 was C8:F3:B1:69:52:36:07:33:B5:02:1B:A2:B2:B4:CE:32:B9:68:37:36

comment:33 Changed 6 years ago by Dimmuxx

Ticket #12919 has been marked as a duplicate of this ticket.

comment:34 Changed 6 years ago by Kaurin

Guys, if these uploaded certificates won't work for you, I have made a blogpost that is outdate-proof.

Check it out

http://squidsrants.blogspot.com/2010/11/pidgin-msn-and-other-protocols.html

comment:35 Changed 6 years ago by Dr.DR4IG

I found a way to fix this for those with a HotMail account.. I went to my hotmail account's page, logged into the MSN messenger there, and the next time I started pidgin it logged in just fine for that account. Could be worth trying.

comment:36 Changed 6 years ago by rekkanoryo

Ticket #12920 has been marked as a duplicate of this ticket.

comment:37 Changed 6 years ago by darkarchon

I have the same issue. But I can't delete the old certificate even though I disconnected, deleted the account, etc. Why?

comment:38 Changed 6 years ago by dajomas

I can confirm that the solution as described by 'dclaarit' (with the addition that *.contacts.msn.com was replaced with omega.contacts.msn.com) works on version 2.7.1 running on Windows XP without having to stop or restart Pidgin.

comment:39 Changed 6 years ago by njw

A fix has been committed; see http://developer.pidgin.im/viewmtn/revision/info/cd236baf6d00f3e1561a40974ce1828b793ea187

Its way of doing it is rather nicer than downloading and saving the certificate using a browser. Instead, it saves the two CA certificates which aren't being sent as they should when requested. This makes the omega.contacts.msn.com certificate validate properly.

If you want to do this manually, download the two pem files from the commit, and copy them to the pidgin ca-cert directory. On Linux, this is usually at /usr/share/purple/ca-certs/

comment:40 in reply to: ↑ 18 Changed 6 years ago by Raging

<nosnilmot removed this comment because it is not a good solution to the problem>

comment:41 Changed 6 years ago by darkarchon

None of the information above works. I use Vista x64. I've done a clean install too, doesn't help. I hate this penguin.

comment:42 Changed 6 years ago by Dimmuxx

Ticket #12922 has been marked as a duplicate of this ticket.

comment:43 Changed 6 years ago by Kaurin

Updated my guide with nosnilmot's solution

http://squidsrants.blogspot.com/2010/11/pidgin-msn-and-other-protocols.html

This is a permanent way of fixing your problem

comment:44 follow-up: Changed 6 years ago by GingerDog

above solution (downloading cert manually, and adding in via tools -> certificates etc) worked fine for me. Thanks (pidgin 2.7.5, Ubuntu Maverick)

comment:45 in reply to: ↑ 44 Changed 6 years ago by Kaurin

Replying to GingerDog:

above solution (downloading cert manually, and adding in via tools -> certificates etc) worked fine for me. Thanks (pidgin 2.7.5, Ubuntu Maverick)

That is only a temporary solution. My blog post included one such solution but the error will reoccur as soon as Microsoft starts fiddling around with the certificates again. Use this if you want a permanent and safer solution

http://squidsrants.blogspot.com/2010/11/pidgin-msn-and-other-protocols.html

comment:46 Changed 6 years ago by DugieHowsa

Could this behavior have something to do with HOTMAIL's latest change to enable SSL site wide?

http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/09/hotmail-security-improves-with-full-session-https-encryption.aspx

comment:47 in reply to: ↑ 18 ; follow-up: Changed 6 years ago by ouoertheo

<nosnilmot removed this comment because it is not a good solution to the problem>

comment:48 Changed 6 years ago by Dimmuxx

Ticket #12925 has been marked as a duplicate of this ticket.

comment:49 in reply to: ↑ 47 ; follow-up: Changed 6 years ago by Kaurin

Replying to ouoertheo:

Replying to dclaarit:

How to replace your certificate (the GUI method):

Go to pidgin's Tools->Certificates to remove the old certificate. Don't close this window yet. (You can, but it is easier to not)

With your browser, go to https://omega.contracts.msn.com. It will give you "Directory Listing Denied"

With Firefox, if you click on the lock in the lower right corner, you get a dialog box, where you can click on View Certificate. On its Details tab, you can export the certificate to a file.

Now, back on the pidgin Tools->Certificates dialog, you can add this certificate, and all is well.

When I click on the lock in the address bar in IE, I can see the certificate, but it won't let me export it, so I can't help you there.

I can confirm this fix worked for Pidgin 2.7.5 on Windows 7 Enterprise 32 bit. Thanks!

That is only a temporary solution. My blog post included one such solution but the error will reoccur as soon as Microsoft starts fiddling around with the certificates again. Use this if you want a permanent and safer solution

http://squidsrants.blogspot.com/2010/11/pidgin-msn-and-other-protocols.html

comment:50 in reply to: ↑ 49 Changed 6 years ago by ouoertheo

Replying to Kaurin:

Replying to ouoertheo:

Replying to dclaarit:

How to replace your certificate (the GUI method):

Go to pidgin's Tools->Certificates to remove the old certificate. Don't close this window yet. (You can, but it is easier to not)

With your browser, go to https://omega.contracts.msn.com. It will give you "Directory Listing Denied"

With Firefox, if you click on the lock in the lower right corner, you get a dialog box, where you can click on View Certificate. On its Details tab, you can export the certificate to a file.

Now, back on the pidgin Tools->Certificates dialog, you can add this certificate, and all is well.

When I click on the lock in the address bar in IE, I can see the certificate, but it won't let me export it, so I can't help you there.

I can confirm this fix worked for Pidgin 2.7.5 on Windows 7 Enterprise 32 bit. Thanks!

That is only a temporary solution. My blog post included one such solution but the error will reoccur as soon as Microsoft starts fiddling around with the certificates again. Use this if you want a permanent and safer solution

http://squidsrants.blogspot.com/2010/11/pidgin-msn-and-other-protocols.html

Ok, the correct fix has been applied, thanks for the heads up.

comment:51 in reply to: ↑ 18 Changed 6 years ago by DL573

Replying to dclaarit:

How to replace your certificate (the GUI method):

Go to pidgin's Tools->Certificates to remove the old certificate. Don't close this window yet. (You can, but it is easier to not)

With your browser, go to https://omega.contracts.msn.com. It will give you "Directory Listing Denied"

With Firefox, if you click on the lock in the lower right corner, you get a dialog box, where you can click on View Certificate. On its Details tab, you can export the certificate to a file.

Now, back on the pidgin Tools->Certificates dialog, you can add this certificate, and all is well.

When I click on the lock in the address bar in IE, I can see the certificate, but it won't let me export it, so I can't help you there.

This fix worked perfectly with Pidgin 2.5.5, Windows Vista 64 Ultimate.

I also tried another fix first, replacing the standard MSN plugin with MSN Pecan (http://code.google.com/p/msn-pecan/), however, this by itself was ineffective on my system. So, either this and the dclaarit fix worked, or the dclaarit fix alone was sufficient, I suspect the latter.

Thanks dclaarit

comment:52 follow-up: Changed 6 years ago by latinsud

  • dclaarit's solution worked at first but eventually broke.
  • Kaurin's solution is working by now.

comment:53 Changed 6 years ago by mama21mama

<edited by nosnilmot: script deleted because using a script to blindly & automatically trust an SSL certificate is not the right solution>

comment:54 Changed 6 years ago by deryni

Ticket #12928 has been marked as a duplicate of this ticket.

comment:55 follow-up: Changed 6 years ago by mama21mama

Is trusting Pidgin the solution?

comment:56 in reply to: ↑ 55 Changed 6 years ago by nosnilmot

Replying to mama21mama:

Is trusting Pidgin the solution?

The recommended solution is described in comment:39

comment:57 Changed 6 years ago by mama21mama

The file system should never be touched unless it is necessary. That solution is only for root access and not for ordinary unprivileged users.

comment:58 Changed 6 years ago by internet100

this only happens to old accounts. I have 5 accounts in pidgin using the msn protocol. The first account was created in 1999, not connected in any way, always the same error certificate failure, the second account is 2004, gives the same error. I have three more new accounts, created in 2009, which did not give any problem.

I tried to create new accounts on MSN, and connects perfectly

Last week a friend using the official msn client had similar problems, forcing him to perform update to the latest version of msn.

weird ...!

comment:59 Changed 6 years ago by mama21mama

I still have the same problem after doing what comment:39 says.

I'm going to add the certificates that Windows Live Messenger uses to see what happens.

http://ubuntuforums.org/showthread.php?t=1625416

comment:60 in reply to: ↑ 52 Changed 6 years ago by Kaurin

Replying to latinsud:

  • dclaarit's solution worked at first but eventually broke.
  • Kaurin's solution is working by now.

This is actually nosnilmot's solution, I just blogged it.

comment:61 Changed 6 years ago by deryni

Ticket #12930 has been marked as a duplicate of this ticket.

comment:62 Changed 6 years ago by QuLogic

Ticket #12931 has been marked as a duplicate of this ticket.

comment:63 Changed 6 years ago by WonderGamer

Replying to konijn :

attachment -.contacts.msn.com added

New certificate to import into Pidgin, delete old first.

konijn's attachment did the trick for me. Thanks!

comment:64 Changed 6 years ago by QuLogic

Please use the instructions in comment 39 until the next release. I have deleted the attachments because you shouldn't use them.

Also, please do everyone CC'd on this ticket a favour and don't post any more "me too" comments.

comment:65 Changed 6 years ago by rekkanoryo

Ticket #12934 has been marked as a duplicate of this ticket.

comment:66 in reply to: ↑ 12 Changed 6 years ago by cowboy42

Replying to SamuelC: This is not an MSN problem. I can log into MSN through Windows Live Messenger, but not with Pidgin. The problem MUST be with Pidgin, and not MSN.

comment:67 Changed 6 years ago by deryni

The problem is with MSN. The official client simply already has the certificates that pidgin is missing because Microsoft had already pushed them out in the normal Windows certificate store.

comment:68 Changed 6 years ago by QuLogic

Ticket #12938 has been marked as a duplicate of this ticket.

comment:69 Changed 6 years ago by WonderGamer

Xfire is able to connect to MSN just fine & the messenger hasn't had an update since July, so I think it's more of an issue with the way Pidgin is handling the certificates. The fix that njw posted did seem to fix the issue though; I haven't had an issue with it since.

http://developer.pidgin.im/ticket/12906#comment:39

comment:70 Changed 6 years ago by deryni

Any client that isn't using a recent version of the protocol is likely fine as is any client that doesn't bother validating certificate chains. I have no idea which of those is true for xfire (or if xfire is simply using the Windows certificate store and is then in the same position as the official WLM client) but nothing pidgin is doing here is wrong.

comment:71 Changed 6 years ago by cowboy42

Then why when I do every fix recommended I still get the error? Windows Live works fine, but not Pidgin!?

comment:72 Changed 6 years ago by deryni

Presumably because you have done the fix incorrectly or you have only followed the fix now that the linux path for the cert in the squidrants blog is incorrect. The correct path is the one in comment 39. Feel free to join the #pidgin irc channel or devel@… xmpp muc room if you want more interactive help because the fix does work.

comment:73 Changed 6 years ago by cowboy42

That is the fix I used.

comment:74 follow-up: Changed 6 years ago by deryni

The fix in the blog post is correct. The path for linux is apparently only sometimes correct. We aren't sure why it doesn't work for some people yet, we are trying to track it down.

The path in comment 39 is correct and does work, for everyone. So if you put the _2010.pem files there and restarted pidgin it will work.

comment:75 Changed 6 years ago by mama21mama

This comment was deleted because it recommended an unsafe version of the working safer version of the solution.

comment:76 in reply to: ↑ 74 Changed 6 years ago by cowboy42

stop.
Replying to deryni: Is it not working because I don't run Linux?

comment:77 Changed 6 years ago by cowboy42

It will work for short periods of time. Then it stops working, and I get multiple error boxes.

comment:78 Changed 6 years ago by Selimeck

I tried this solution but it was not working.

I just tried with proxy.contacts.msn.com and omega.contacts.msn.com and now it works. proxy and omega have the same IP but names differs if it's reverse DNS or not. my MSN account is an old one (1990's).

now it works.

comment:79 Changed 6 years ago by deryni

If you are grabbing and importing the omega certificate specifically then it will appear to work for a while and will break again when you hit a server with a different certificate. That is one of the various reasons that that is not the correct solution. The correct solution involves downloading the correct intermediate certificates and placing them where pidgin can find them so that the certificates that the omega servers provide can be correctly validated. That solution works on both Windows and Linux when done correctly.

As I said before, if you want actual interactive help with getting the correct solution to work then you should join the #pidgin irc channel on freenode or the devel@conference.pidgin.im muc room.

comment:80 Changed 6 years ago by Kaurin

Fixed the linux ca-certs path. Thank you for noticing guys. http://squidsrants.blogspot.com/2010/11/pidgin-msn-and-other-protocols.html

comment:81 Changed 6 years ago by sabret00the

If a patch has been committed, why isn't there a release?

comment:82 Changed 6 years ago by Dimmuxx

Ticket #12940 has been marked as a duplicate of this ticket.

comment:83 Changed 6 years ago by rekkanoryo

We are already in the release process. Be patient. A project as large as Pidgin can't release on the drop of a hat.

comment:84 Changed 6 years ago by njw

Just a note to let everyone know that the newly released version of pidgin, 2.7.6, includes the fix, so this bug can probably be closed. Thanks pidgin team.

comment:85 Changed 6 years ago by Dimmuxx

Ticket #12943 has been marked as a duplicate of this ticket.

comment:86 Changed 6 years ago by waschk

I can still reproduce this in pidgin 2.7.6.

comment:87 Changed 6 years ago by Robby

Ticket #12944 has been marked as a duplicate of this ticket.

comment:88 Changed 6 years ago by heckur

Confirming that bug hasn't been fixed on 2.7.6. I was able to login with no problem but after a few minutes got the same certificate problem :s

comment:89 Changed 6 years ago by QuLogic

  • Cc darkrain42 added; togsniper Selimeck njw removed

For those of you still experiencing this bug, if you are comfortable with a little experimenting, please try to speak with darkrain/darkrain42 on the Pidgin IRC channel.

comment:90 Changed 6 years ago by johnroberts

Confirming this as an issue, persisting the solution described in http://developer.pidgin.im/wiki/MSNCertIssue with the intermediate certificates provided. Did try also the certificates included in the Windows installer, w/o success. Installations are Linux 2.6.x (2.6.2 & 2.6.6) where upgrade to the 2.7.x trunk is not available. Handshake with MSN servers is still erratic - as before. Sometimes it is possible to log in, sometimes not. Extremely irritating :s

In all installations, location of certificates is the default one, at /usr/share/purple/ca-certs.

Here is the error info from the debug window:

(don't know if first error is relevant or not..)

(13:32:07) gnutls: Attempting to load X.509 certificate from /home/username/.purple/certificates/x509/tls_peers/login.live.com
(13:32:07) certificate/x509/tls_cached: Peer cert matched cached
(13:32:07) util: Writing file /home/username/.purple/certificates/x509/tls_peers/login.live.com
(13:32:07) certificate: Successfully verified certificate for login.live.com
(13:32:07) soap: Sending secure request.
(13:32:08) soap: read 351 bytes
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: Received secure request.
(13:32:08) soap: read 14624 bytes
(13:32:08) gnutls: receive failed: A TLS packet with unexpected length was received.
(13:32:08) soap: read: Input/output error
(13:32:08) soap: Received secure request.
(13:32:08) msn: Updated ticket for domain 'messengerclear.live.com', expires at 1290540733.
(13:32:08) msn: Updated ticket for domain 'messenger.msn.com', expires at 1290512433.
(13:32:08) msn: Updated ticket for domain 'contacts.msn.com', expires at 1290540733.
(13:32:08) msn: Updated ticket for domain 'messengersecure.live.com', expires at 1290598333.
(13:32:08) msn: Updated ticket for domain 'spaces.live.com', expires at 1290540733.
(13:32:08) msn: Updated ticket for domain 'livecontacts.live.com', expires at 1290540733.
(13:32:08) msn: Updated ticket for domain 'storage.live.com', expires at 1290540733.
(13:32:10) certificate/x509/tls_cached: Starting verify for omega.contacts.msn.com
(13:32:10) certificate/x509/tls_cached: Checking for cached cert...
(13:32:10) certificate/x509/tls_cached: ...Found cached cert
(13:32:10) gnutls: Attempting to load X.509 certificate from /home/username/.purple/certificates/x509/tls_peers/omega.contacts.msn.com
(13:32:10) certificate/x509/tls_cached: Peer cert did NOT match cached
(13:32:10) gnutls/x509: Certificate C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com is issued by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority, which does not match C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com.
(13:32:10) certificate: Checking signature chain for uid=C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
(13:32:10) gnutls/x509: Bad signature from DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority on C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
(13:32:10) certificate: ...Bad or missing signature by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
Chain is INVALID
(13:32:10) certificate: Failed to verify certificate for omega.contacts.msn.com
(13:32:10) msn: Operation {} failed. No response received from server.
(13:32:10) msn: C: NS 000: OUT
(13:32:10) connection: Connection error on ... (reason: 0 description: Your MSN buddy list is temporarily unavailable. Please wait and try again.)
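
A small triage script for debug output of the kind quoted in comment 90, added here as an example (it is not part of the ticket or of Pidgin). It assumes the log line shapes shown in that comment; the function names and diagnosis labels are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Excerpt of the debug output quoted in comment 90 (unrelated soap/msn lines dropped).
SAMPLE_LOG = """\
(13:32:07) certificate/x509/tls_cached: Peer cert matched cached
(13:32:07) certificate: Successfully verified certificate for login.live.com
(13:32:10) certificate/x509/tls_cached: Starting verify for omega.contacts.msn.com
(13:32:10) certificate/x509/tls_cached: ...Found cached cert
(13:32:10) certificate/x509/tls_cached: Peer cert did NOT match cached
(13:32:10) certificate: Checking signature chain for uid=C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
(13:32:10) gnutls/x509: Bad signature from DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority on C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
(13:32:10) certificate: ...Bad or missing signature by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
Chain is INVALID
(13:32:10) certificate: Failed to verify certificate for omega.contacts.msn.com
"""

LINE_RE = re.compile(r"^\((\d\d:\d\d:\d\d)\) ([\w/]+): (.*)$")
RESULT_RE = re.compile(r"^(Successfully verified|Failed to verify) certificate for (\S+)$")
BAD_SIG = "...Bad or missing signature by "


@dataclass
class Verdict:
    time: str
    host: str
    verified: bool
    cache_hit: Optional[bool]   # None: no comparison with a cached peer cert was logged
    bad_issuer: Optional[str]   # issuer DN whose signature did not check out


def parse_verifications(log_text: str) -> List[Verdict]:
    """Collect one Verdict per 'Successfully verified' / 'Failed to verify' line."""
    verdicts: List[Verdict] = []
    cache_hit: Optional[bool] = None
    bad_issuer: Optional[str] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines without a timestamp, e.g. "Chain is INVALID"
        when, category, msg = m.groups()
        if category == "certificate/x509/tls_cached":
            if msg.startswith("Starting verify for "):
                cache_hit, bad_issuer = None, None   # a new verification begins
            elif msg == "Peer cert matched cached":
                cache_hit = True
            elif msg == "Peer cert did NOT match cached":
                cache_hit = False
        elif category == "certificate":
            if msg.startswith(BAD_SIG):
                bad_issuer = msg[len(BAD_SIG):]
                continue
            result = RESULT_RE.match(msg)
            if result:
                ok = result.group(1) == "Successfully verified"
                verdicts.append(Verdict(when, result.group(2), ok, cache_hit, bad_issuer))
                cache_hit, bad_issuer = None, None
    return verdicts


def issuer_cn(dn: str) -> str:
    """Return the CN component of a DN as printed in the log, or the DN itself."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1) if m else dn


def diagnose(v: Verdict) -> str:
    """Map a verdict to an illustrative label for triage."""
    if v.verified:
        return "verified"
    if v.bad_issuer:
        # The CA certificate used for that issuer DN did not sign this leaf:
        # compare the files for that DN in the ca-certs directory (comment 39).
        return "issuer-signature-mismatch"
    if v.cache_hit is False:
        return "cached-copy-mismatch"
    return "unexplained-failure"


def summarize(verdicts: List[Verdict]) -> Dict[str, Tuple[int, int]]:
    """Per host: (verified count, failed count). Mixed counts for one host match
    the intermittent behaviour described in this ticket."""
    out: Dict[str, Tuple[int, int]] = {}
    for v in verdicts:
        ok, bad = out.get(v.host, (0, 0))
        out[v.host] = (ok + 1, bad) if v.verified else (ok, bad + 1)
    return out


if __name__ == "__main__":
    for v in parse_verifications(SAMPLE_LOG):
        issuer = issuer_cn(v.bad_issuer) if v.bad_issuer else "-"
        print(f"{v.time} {v.host}: {diagnose(v)} (issuer: {issuer})")
    print(summarize(parse_verifications(SAMPLE_LOG)))
```

Run over a longer debug log, the per-host summary separates hosts that always fail from hosts that fail only on some connection attempts.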

comment:91 in reply to: ↑ description Changed 6 years ago by n4d4br0v1tchk4

This comment was deleted because it recommended an unsafe version of the working safer version of the solution.

comment:92 Changed 6 years ago by johnroberts

In case my first post was not clear enough (I thought that I made perfectly clear that I did try all the certificates),

I repeat to clear any ambiguity: Downloading the intermediate certificates either through Squid's blog, or from the official blog or even directly extracted from the 2.7.6 Windows installer does not seem to offer a permanent solution for the 2.6.x trunk. I may get a 100% successful login for a while and then again 100% failure, depending obviously on the server side. The local path for the intermediate certificates is indeed /usr/share/purple/ca-certs/

comment:93 Changed 6 years ago by johnroberts

Here are the contents of /usr/share/purple/ca-certs:

username@linux-3c3x:/usr/share/purple/ca-certs> ls -la
total 40
drwxr-xr-x 2 root root 4096 2010-11-23 13:09 .
drwxr-xr-x 3 root root 4096 2010-02-19 20:32 ..
-rw-r--r-- 1 root root 1505 2010-02-19 20:32 AOL_Member_CA.pem
-rw------- 1 root root   80 2010-11-23 13:09 .directory
-rw-r--r-- 1 root root 1818 2010-11-23 12:33 Microsoft_Internet_Authority_2010.pem
-rw-r--r-- 1 root root 1809 2010-02-19 20:32 Microsoft_Internet_Authority.pem
-rw-r--r-- 1 root root 2167 2010-11-23 12:33 Microsoft_Secure_Server_Authority_2010.pem
-rw-r--r-- 1 root root 2202 2010-02-19 20:32 Microsoft_Secure_Server_Authority.pem
-rw-r--r-- 1 root root 2136 2010-02-19 20:32 VeriSign_Class3_Extended_Validation_CA.pem
-rw-r--r-- 1 root root 1277 2010-02-19 20:32 VeriSign_International_Server_Class_3_CA.pem
username@linux-3c3x:/usr/share/purple/ca-certs>

comment:94 follow-up: Changed 6 years ago by deryni

There appear to still be issues with the certificates for people using GnuTLS. People using Mozilla NSS also run into occasional issues but mostly work. Fixes for both of those things have been committed to monotone.

comment:95 Changed 6 years ago by schmatzler

I still had problems with Pidgin 2.7.6 - copied the 2 certificates to usr/share/purple/ca-certs, but it didn't work. So I deleted them and restarted Pidgin.

Looks like the "Microsoft Secure Server Authority" certificate will be automatically downloaded and set as "login.live.com" in Pidgin - but the "Microsoft Internet Authority" certificate will not be set automatically.

Here is my fix: This comment was deleted because it recommended an unsafe version of the working safer version of the solution.

comment:96 in reply to: ↑ 94 ; follow-up: Changed 6 years ago by johnroberts

Replying to deryni:

There appear to still be issues with the certificates for people using GnuTLS. People using Mozilla NSS also run into occasional issues but mostly work. Fixes for both of those things have been committed to monotone.

It still eludes me, if besides the MSN certificate AFU/mess/havoc we are also having a glitch on the software side (on GnuTLS?) on how certificates are being handled... I am duly worried about the older 2.6.x trunk on Linux that cannot be updated due to various reasons... :s

ATM, what I am seeing is a couple of error messages on the primary attempts, but after - say 4'-5', pidgin connects by itself w/o any further user intervention. I am parsing the log file now to see what is going on.

comment:97 Changed 6 years ago by deryni

Ticket #12965 has been marked as a duplicate of this ticket.

comment:98 in reply to: ↑ 96 ; follow-up: Changed 6 years ago by nosnilmot

Replying to johnroberts:

Replying to deryni:

There appear to still be issues with the certificates for people using GnuTLS. People using Mozilla NSS also run into occasional issues but mostly work. Fixes for both of those things have been committed to monotone.

It still eludes me, if besides the MSN certificate AFU/mess/havoc we are also having a glitch on the software side (on GnuTLS?) on how certificates are being handled...

GnuTLS handles the invalid certificate chain presented by the MSN server differently from NSS. I had failed to properly test this when I originally identified the workaround of including additional intermediate certificates.

I am duly worried about the older 2.6.x trunk on Linux that cannot be updated due to various reasons... :s

There is no "2.6.x trunk", but the fixes for these issues shouldn't be hard to backport to 2.6.x if you wish. The fixes to accommodate GnuTLS are in 0be86888d82fc0d9bd61c1426b73e52196b35817 and other optimizations to make NSS work more reliably are in 44e2c86fa3250a09c12de48785f224c5244d4819.

ATM, what I am seeing is a couple of error messages on the primary attempts, but after - say 4'-5', pidgin connects by itself w/o any further user intervention. I am parsing the log file now to see what is going on.

Some servers are presenting a valid certificate chain and some are not - that is why it does not fail 100% of the time (and if they were all correctly configured we would have needed zero changes in Pidgin).

comment:99 in reply to: ↑ 98 Changed 6 years ago by johnroberts

Backporting is possible as long as there are the necessary tools to do it. The issues I'm seeing are on custom Linux installs on netbooks where gcc is unavailable ( :( ouch!...). Recompilation is out of the question, ATM. If push comes to shove, I may try to cross-compile, but this is far from trivial for me.

I agree 100% that we wouldn't have this mess if the server side was properly configured. MS managed to "shine" again... :s

comment:100 Changed 6 years ago by johnroberts

I checked the log file and it seems the server providing this chain validates Ok

(18:01:52) gnutls: Starting handshake with omega.contacts.msn.com
(18:01:53) gnutls: Handshake complete
(18:01:53) gnutls/x509: Key print: c8:f3:b1:69:52:36:07:33:b5:02:1b:a2:b2:b4:ce:32:b9:68:37:36
(18:01:53) gnutls/x509: Key print: 3a:dd:0e:7e:a2:b2:84:ff:45:9e:13:73:65:b4:82:d1:88:df:bf:8a
(18:01:53) gnutls/x509: Key print: e5:95:8d:48:fe:10:d7:34:03:11:e8:c0:3b:b2:29:40:da:ba:2d:a3
(18:01:53) gnutls: Peer provided 3 certs
(18:01:53) gnutls: Lvl 0 SHA1 fingerprint: c8:f3:b1:69:52:36:07:33:b5:02:1b:a2:b2:b4:ce:32:b9:68:37:36
(18:01:53) gnutls: Serial: 17:a3:8a:27:00:08:00:01:96:b1
(18:01:53) gnutls: Cert DN: C=US,L=Redmond,O=Microsoft,OU=MSN Contact Services,CN=*.contacts.msn.com,EMAIL=cdpops@microsoft.com
(18:01:53) gnutls: Cert Issuer DN: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
(18:01:53) gnutls: Lvl 1 SHA1 fingerprint: 3a:dd:0e:7e:a2:b2:84:ff:45:9e:13:73:65:b4:82:d1:88:df:bf:8a
(18:01:53) gnutls: Serial: 61:03:33:36:00:05:00:00:00:30
(18:01:53) gnutls: Cert DN: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
(18:01:53) gnutls: Cert Issuer DN: CN=Microsoft Internet Authority
(18:01:53) gnutls: Lvl 2 SHA1 fingerprint: e5:95:8d:48:fe:10:d7:34:03:11:e8:c0:3b:b2:29:40:da:ba:2d:a3
(18:01:53) gnutls: Serial: 07:27:62:02
(18:01:53) gnutls: Cert DN: CN=Microsoft Internet Authority
(18:01:53) gnutls: Cert Issuer DN: C=US,O=GTE Corporation,OU=GTE CyberTrust Solutions\, Inc.,CN=GTE CyberTrust Global Root
(18:01:53) certificate/x509/tls_cached: Starting verify for omega.contacts.msn.com
(18:01:53) certificate/x509/tls_cached: Checking for cached cert...
(18:01:53) certificate/x509/tls_cached: ...Found cached cert
(18:01:53) gnutls: Attempting to load X.509 certificate from /home/user/.purple/certificates/x509/tls_peers/omega.contacts.msn.com
(18:01:53) certificate/x509/tls_cached: Peer cert matched cached
(18:01:53) certificate: Successfully verified certificate for omega.contacts.msn.com

while this chain always fails

(17:54:59) gnutls: Starting handshake with omega.contacts.msn.com
(17:55:01) gnutls: Handshake complete
(17:55:01) gnutls/x509: Key print: ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b
(17:55:01) gnutls/x509: Key print: 7e:8a:c2:9c:5a:32:8c:c2:71:a2:d9:4f:75:70:f7:a9:1b:f6:94:05
(17:55:01) gnutls/x509: Key print: 3d:29:1d:b8:ee:22:be:e1:33:70:06:f2:ef:c6:f9:db:dd:03:bb:25
(17:55:01) gnutls: Peer provided 3 certs
(17:55:01) gnutls: Lvl 0 SHA1 fingerprint: ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b
(17:55:01) gnutls: Serial: 7d:da:e0:49:00:08:00:01:c8:b9
(17:55:01) gnutls: Cert DN: C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
(17:55:01) gnutls: Cert Issuer DN: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
(17:55:01) gnutls: Lvl 1 SHA1 fingerprint: 7e:8a:c2:9c:5a:32:8c:c2:71:a2:d9:4f:75:70:f7:a9:1b:f6:94:05
(17:55:01) gnutls: Serial: 61:16:6d:2f:00:04:00:00:00:20
(17:55:01) gnutls: Cert DN: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
(17:55:01) gnutls: Cert Issuer DN: CN=Microsoft Internet Authority
(17:55:01) gnutls: Lvl 2 SHA1 fingerprint: 3d:29:1d:b8:ee:22:be:e1:33:70:06:f2:ef:c6:f9:db:dd:03:bb:25
(17:55:01) gnutls: Serial: 07:27:16:75
(17:55:01) gnutls: Cert DN: CN=Microsoft Internet Authority
(17:55:01) gnutls: Cert Issuer DN: C=US,O=GTE Corporation,OU=GTE CyberTrust Solutions\, Inc.,CN=GTE CyberTrust Global Root
(17:55:01) certificate/x509/tls_cached: Starting verify for omega.contacts.msn.com
(17:55:01) certificate/x509/tls_cached: Checking for cached cert...
(17:55:01) certificate/x509/tls_cached: ...Found cached cert
(17:55:01) gnutls: Attempting to load X.509 certificate from /home/user/.purple/certificates/x509/tls_peers/omega.contacts.msn.com
(17:55:01) certificate/x509/tls_cached: Peer cert did NOT match cached
(17:55:01) gnutls/x509: Certificate for C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com claims to be issued by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority, but the certificate for C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com does not match.
(17:55:01) certificate: Checking signature chain for uid=C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
(17:55:01) gnutls/x509: Bad signature from DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority on C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
(17:55:01) certificate: ...Bad or missing signature by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
Chain is INVALID
(17:55:01) certificate: Failed to verify certificate for omega.contacts.msn.com

comment:101 Changed 6 years ago by mama21mama

This comment was deleted because it recommended an unsafe version of the working safer version of the solution.

comment:102 Changed 6 years ago by Robby

Ticket #12967 has been marked as a duplicate of this ticket.

comment:103 Changed 6 years ago by johnroberts

If we name (above) servers, server "good" and server "bad", it seems that manually placing the omega.contacts.msn.com certificate from the "bad" server on the cache (/home/user/.purple/certificates/x509/tls_peers/...) - temporarily at least - solves the problem as GnuTLS validates it even if the certificate chain is malformed. But this is only a stop-gap because if on another login attempt Pidgin tries to connect to the "good" server, I suppose that the omega.contacts.msn.com from this server will replace the previous one, so GnuTLS will fail on the next attempt to the "bad" server...

Both certificates can be obtained (with plenty of patience though...) through Firefox trying to connect to https://omega.contacts.msn.com

The certificate of the "good" server has this SHA1 fingerprint: c8:f3:b1:69:52:36:07:33:b5:02:1b:a2:b2:b4:ce:32:b9:68:37:36

and the "bad" server this fingerprint: ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b

comment:104 Changed 6 years ago by QuLogic

Please stop suggesting to download certs randomly from websites. The full fix will be in 2.7.7.

comment:105 Changed 6 years ago by rekkanoryo

  • Milestone set to 2.7.7
  • Resolution set to fixed
  • Status changed from new to closed

I have released version 2.7.7, which includes all necessary fixes for this problem. Upgrade.

If you have followed the wrong directions and replaced the certificate for omega.contacts.msn.com, the safest course of action is to delete that certificate, then upgrade.

comment:106 Changed 6 years ago by QuLogic

Ticket #12974 has been marked as a duplicate of this ticket.

comment:107 follow-up: Changed 6 years ago by guru

The problem still exists in 2.7.7, here is a debug log (the cached certificate in /home/guru/.purple/certificates/x509/tls_peers/omega.contacts.msn.com was downloaded yesterday after deleting all files in /home/guru/.purple/certificates/x509/tls_peers/):

 (08:50:40) dns: Got response for 'omega.contacts.msn.com'
 (08:50:40) dnsquery: IP resolved for omega.contacts.msn.com
 (08:50:40) proxy: Attempting connection to 207.46.113.78
 (08:50:40) proxy: Connecting to omega.contacts.msn.com:443 with no proxy
 (08:50:40) proxy: Connection in progress
 (08:50:40) proxy: Connecting to omega.contacts.msn.com:443.
 (08:50:40) proxy: Connected to omega.contacts.msn.com:443.
 (08:50:40) gnutls: Starting handshake with omega.contacts.msn.com
 (08:50:41) util: Writing file blist.xml to directory /home/guru/.purple
 (08:50:41) util: Writing file /home/guru/.purple/blist.xml
 (08:50:41) gnutls: Handshake complete
 (08:50:41) gnutls/x509: Key print: ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b
 (08:50:41) gnutls/x509: Key print: 7e:8a:c2:9c:5a:32:8c:c2:71:a2:d9:4f:75:70:f7:a9:1b:f6:94:05
 (08:50:41) gnutls/x509: Key print: 3d:29:1d:b8:ee:22:be:e1:33:70:06:f2:ef:c6:f9:db:dd:03:bb:25
 (08:50:41) gnutls: Peer provided 3 certs
 (08:50:41) gnutls: Lvl 0 SHA1 fingerprint: ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b
 (08:50:41) gnutls: Serial: 7d:da:e0:49:00:08:00:01:c8:b9
 (08:50:41) gnutls: Cert DN: C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
 (08:50:41) gnutls: Cert Issuer DN: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
 (08:50:41) gnutls: Lvl 1 SHA1 fingerprint: 7e:8a:c2:9c:5a:32:8c:c2:71:a2:d9:4f:75:70:f7:a9:1b:f6:94:05
 (08:50:41) gnutls: Serial: 61:16:6d:2f:00:04:00:00:00:20
 (08:50:41) gnutls: Cert DN: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
 (08:50:41) gnutls: Cert Issuer DN: CN=Microsoft Internet Authority
 (08:50:41) gnutls: Lvl 2 SHA1 fingerprint: 3d:29:1d:b8:ee:22:be:e1:33:70:06:f2:ef:c6:f9:db:dd:03:bb:25
 (08:50:41) gnutls: Serial: 07:27:16:75
 (08:50:41) gnutls: Cert DN: CN=Microsoft Internet Authority
 (08:50:41) gnutls: Cert Issuer DN: C=US,O=GTE Corporation,OU=GTE CyberTrust Solutions\, Inc.,CN=GTE CyberTrust Global Root
 (08:50:41) certificate/x509/tls_cached: Starting verify for omega.contacts.msn.com
 (08:50:41) certificate/x509/tls_cached: Checking for cached cert...
 (08:50:41) certificate/x509/tls_cached: ...Found cached cert
 (08:50:41) gnutls: Attempting to load X.509 certificate from /home/guru/.purple/certificates/x509/tls_peers/omega.contacts.msn.com
 (08:50:41) certificate/x509/tls_cached: Peer cert did NOT match cached
 (08:50:41) gnutls/x509: Certificate for C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com claims to be issued by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority, but the certificate for C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com does not match.
 (08:50:41) certificate: Checking signature chain for uid=C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
 (08:50:41) gnutls/x509: Bad signature for DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority on C=US,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
 (08:50:41) certificate: ...Bad or missing signature by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
 Chain is INVALID

I would like to re-open this ticket (but can't)

Matthias

comment:108 in reply to: ↑ 107 ; follow-up: Changed 6 years ago by nosnilmot

Replying to guru:

The problem still exists in 2.7.7

Please see my follow up to your email on the support mailing list about this : http://pidgin.im/pipermail/support/2010-November/009045.html

comment:109 Changed 6 years ago by rekkanoryo

Ticket #12992 has been marked as a duplicate of this ticket.

comment:110 Changed 6 years ago by matteosistisette

It is NOT fixed.

I have installed pidgin 2.7.7 (had to compile from source, as a precompiled package for 2.7.7 is not available yet), and the certificate error still pops up all the time. Nothing changed.

So please:

1 - reopen this ticket
2 - remove the note on the home page that claims that "Pidgin 2.7.7 completely fixes the MSN certificate issue".

The false claim that 2.7.7 will fix the issue is particularly harmful, as it makes people like me waste a lot of time. I downloaded the source code and went through the painful process of launching the config script again and again to find out ONE AT A TIME all the packages I had to manually install. And all that just to find out that the issue is still there?????????? That sucks.

There's really no need to make people believe version 2.7.7 fixes an issue if it doesn't. That's stupid.

comment:111 follow-up: Changed 6 years ago by Robby

Stop being a dick.

It is obvious the changes made have fixed this for most people. What needs to be figured out, is why it doesn't work for you. But unfortunately, you're not being very constructive about it.

Note I'm not part of the Pidgin team.

comment:112 Changed 6 years ago by sabret00the

I'm using 2.7.7 and my issue was fixed. It asked me to download the certificate and thus I've not had a problem since. I'm using Windows 7 x86.

comment:113 Changed 6 years ago by guru

In my system there was an old version of libpurple; after removing this and re-compiling pidgin all was fine;

Matthias

comment:114 follow-up: Changed 6 years ago by matteosistisette

@Robby: I'm as constructive as I can, by telling what I know (that the fix didn't work for me, so the issue is not "completely" fixed) and by suggesting to remove an incorrect claim from the home page. At least I didn't insult anybody (well I said "it sucks" and "that's stupid" but both refer to a thing/situation, not a person). If there's more information that I can provide, such as logs or whatever I will be glad to do it, but I don't know what to look for. I did forget to mention I am using Ubuntu however.

@guru: thanks, _that_ is being constructive. I guess it is probably my issue too; anyway I reverted to the prepackaged 2.7.5 version and fixed the certificate with the manual workaround of exporting it from firefox.

comment:115 in reply to: ↑ 114 ; follow-up: Changed 6 years ago by koyote

Guys,

on my computer there was an old libpurple and it was NOT WORKING:

# pidgin --version Pudgin version Pidgin 2.7.7 (libpurple 2.7.5)

After removing all libpurple references in Synaptic, recompiling and running again: Pidgin 2.7.7 (libpurple 2.7.7)

WORKED!

It has already been discussed in the comments, but it is too exhausting to read it all. Maybe it would help if the bug had a SOLUTION field at the top of this page, something like:

SOLUTION: Removing all pidgin and libpurple packages, and checking that it is running the current version: Pidgin 2.7.7 (libpurple 2.7.7)

Ahhh, and for Linux users without experience it is hard to download the source, compile and make it. For me it is very easy since I'm a developer, but for my family it is not like this =)

I understand that Ubuntu, or any OS, does not update other software on the fly during a stable release.

To help inexperienced Linux users, at least provide a source link to use with APT (apt-get, synaptic..), or the new version ready to install.

Anyway, pidgin is a great tool.. good job guys!

comment:116 in reply to: ↑ 115 Changed 6 years ago by koyote

PS: Changing a message used in the log for different releases, wow... that's a great idea.

The string "Bad signature for" has been changed to "Bad signature from"

going to use it at my work ahahahahha

source: http://pidgin.im/pipermail/support/2010-November/009045.html

comment:117 in reply to: ↑ 111 Changed 6 years ago by johnroberts

Replying to Robby:

... Note I'm not part of the Pidgin team.

Dear Robby if you carefully read the comments on this ticket, you may realize that people posting here are trying to contribute constructively. ====================================================================

This still is an issue for older versions of Pidgin and users that for any reason (e.g. absence of compilation tools) cannot recompile Pidgin locally.

FYI a co-worker that is a MS client has sent a formal e-mail last Thursday detailing the certificate issue. According to the Microsoft support system a service engineer should have replied in 24hrs. He has yet to receive any reply or acknowledgment.

comment:118 Changed 6 years ago by deryni

Robby's comment was specifically in reply to the individual claiming that 2.7.7 does not fix the problem and unrelated to anything having to do with older versions still not working or MSN not acknowledging or fixing the actual problem.

Many of the people in this ticket were being constructive and attempting to help. The specific person being spoken to was not (at least not in a useful or friendly way).

comment:119 follow-up: Changed 6 years ago by internet100

Version 2.7.7 worked for less than 5 days.

As I said earlier, I have 5 msn accounts. 2 are old (1999,2005), 3 are new.

The 2 old accounts haven't connected last week due to the certificate error. Now there is another error, but the debug window shows that it is another kind of certificate error.

Some attempts:

(20:24:44) gnutls/x509: Bad signature from DC = com, DC = microsoft, DC = corp, DC = redmond, CN = Microsoft Secure Server Authority on C = U.S., ST = WA, L = Redmond, O = MSN, MSN Contact OU = Services, CN =*. contacts.msn.com
(20:24:44) gnutls: Dropping further queries peer certificates because the chain is broken!

and now...:

(20:57:36) proxy: Error connecting to omega.contacts.msn.com: 443 (Connection timed out).
(20:57:36) proxy: Connection attempt failed: Connection timed out
(20:57:36) msn: Operation {} failed. No response received from server.

.... if I try any of my 3 new accounts, it connects, and it's very fast =/

comment:120 in reply to: ↑ 119 Changed 6 years ago by nosnilmot

Replying to internet100:

Version 2.7.7 worked for less than 5 days.

As I said earlier, I have 5 msn accounts. 2 are old (1999,2005), 3 are new.

Age of accounts is irrelevant, these errors happen before the server knows anything about which account is connecting.

Some attempts:

(20:24:44) gnutls/x509: Bad signature from DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority on C=U.S.,ST=WA,L=Redmond,O=MSN,OU=MSN Contact Services,CN=*.contacts.msn.com
(20:24:44) gnutls: Dropping further queries peer certificates because the chain is broken!

There's no error here, this is behaving correctly given the broken certificate chain the servers present. That's assuming you copied and pasted the log correctly, but you didn't because pidgin will never log "Dropping further queries peer certificates..." (I don't know where the word "queries" comes from in that, and the spacing in the previous log entry was wrong).

and now...:

(20:57:36) proxy: Error connecting to omega.contacts.msn.com: 443 (Connection timed out).
(20:57:36) proxy: Connection attempt failed: Connection timed out
(20:57:36) msn: Operation {} failed. No response received from server.

This is a network problem, nothing to do with Pidgin or certificates, your computer simply times out establishing a connection to the relevant server.

Most likely you have the wrong proxy config (or other account settings) for the accounts that do not work.

comment:121 Changed 6 years ago by nosnilmot

PS. (some) MSN servers (specifically omega.contacts.msn.com) are currently intermittently unavailable, so that's more likely why you get a connection timeout at the moment. Maybe they're fixing the certificates? :)

comment:122 Changed 6 years ago by surak

This issue is NOT fixed by this release. It must be reopened.

comment:123 Changed 6 years ago by johnroberts

Issue is properly handled by Pidgin 2.7.7 with NSS. (ironic, the Windows version :\ ) Cannot check for GnuTLS, since I cannot recompile ATM, and no binaries available.

Still no news at all from Microsoft concerning this... (no surprise there...)

Suggestion: Would it be possible to modify code in future Pidgin versions as to enable a configuration option from the user's side to use GnuTLS or NSS, without having to recompile from scratch?

comment:124 Changed 6 years ago by surak

I don't know about NSS. On Linux it does not work at all.

comment:125 in reply to: ↑ 108 Changed 6 years ago by heckur

Replying to nosnilmot:

Replying to guru:

The problem still exists in 2.7.7

Please see my follow up to your email on the support mailing list about this : http://pidgin.im/pipermail/support/2010-November/009045.html

Felt the need to say that this follow up made my pidgin work without problems. Using pidgin 2.7.7 with libpurple 2.7.7 (Ubuntu 9.04) and it has not thrown the certificate issue anymore. I hope it's not about luck .

comment:126 Changed 6 years ago by mama21mama

Something to keep in mind: sometimes it says the servers are having problems. http://status.live.com/

comment:127 Changed 6 years ago by QuLogic

This bug has been fixed to the best of our knowledge. It will not be re-opened unless you provide both the output of pidgin --version and a corresponding debug log of the failing connection or similar proof (Stating "it doesn't work" is not proof).

Please note that the MSN servers were experiencing problems yesterday. If your debug log or error message says "Connection refused" or "Connection timed out", or anything that doesn't mention certificates (even if it mentions omega.contacts.msn.com), then it is not the same as this bug.
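The triage rule in comment:127, applied to the debug-log format quoted in comment:100, as an added example (not Pidgin code and not written by anyone in this ticket). The function names are hypothetical, and the sample log is constructed: DNs are shortened and the fingerprints are placeholders.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^\s*\((\d\d:\d\d:\d\d)\)\s+([\w/]+):\s+(.*)$")
# The wording is "Bad signature for" or "Bad signature from" depending on the release.
BAD_SIG = re.compile(r"Bad signature (?:from|for) ")
NET_ERR = re.compile(r"Error connecting to ([^\s:]+).*Connection (?:timed out|refused)")

def parse_log(text):
    """Return one record per TLS handshake or failed connection attempt."""
    records, cur = [], None
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            # "Chain is INVALID" is a continuation line without a timestamp.
            if cur is not None and "Chain is INVALID" in raw:
                cur["verdict"] = "certificate"
            continue
        _, cat, msg = m.groups()
        if cat == "gnutls" and msg.startswith("Starting handshake with "):
            cur = {"host": msg.rsplit(" ", 1)[1], "chain": [], "verdict": "unknown"}
            records.append(cur)
        elif cat == "proxy" and (net := NET_ERR.search(msg)):
            # Not a certificate problem: the TCP connection never completed.
            records.append({"host": net[1], "chain": [], "verdict": "network"})
        elif cur is None:
            continue
        elif cat == "gnutls" and (fp := re.match(r"Lvl (\d+) SHA1 fingerprint: (\S+)", msg)):
            cur["chain"].append({"level": int(fp[1]), "sha1": fp[2]})
        elif cat == "gnutls" and msg.startswith("Cert DN: ") and cur["chain"]:
            cur["chain"][-1]["subject"] = msg[len("Cert DN: "):]
        elif cat == "gnutls" and msg.startswith("Cert Issuer DN: ") and cur["chain"]:
            cur["chain"][-1]["issuer"] = msg[len("Cert Issuer DN: "):]
        elif BAD_SIG.search(msg) or msg.startswith("Failed to verify certificate"):
            cur["verdict"] = "certificate"
        elif msg.startswith("Successfully verified certificate"):
            cur["verdict"] = "verified"
    return records

def names_chain(chain):
    """True if each certificate's issuer DN equals the next level's subject DN."""
    return all(a.get("issuer") == b.get("subject") for a, b in zip(chain, chain[1:]))

def same_name_different_cert(records):
    """Subject DNs that were presented with more than one SHA1 fingerprint."""
    seen = defaultdict(set)
    for rec in records:
        for cert in rec["chain"]:
            seen[cert.get("subject")].add(cert["sha1"])
    return {dn: fps for dn, fps in seen.items() if len(fps) > 1}

# Constructed sample: one good handshake, one bad handshake, one timeout.
SAMPLE = """\
(18:01:52) gnutls: Starting handshake with omega.contacts.msn.com
(18:01:53) gnutls: Lvl 0 SHA1 fingerprint: aa:00
(18:01:53) gnutls: Cert DN: O=Microsoft,CN=*.contacts.msn.com
(18:01:53) gnutls: Cert Issuer DN: CN=Microsoft Secure Server Authority
(18:01:53) gnutls: Lvl 1 SHA1 fingerprint: aa:01
(18:01:53) gnutls: Cert DN: CN=Microsoft Secure Server Authority
(18:01:53) gnutls: Cert Issuer DN: CN=Microsoft Internet Authority
(18:01:53) certificate: Successfully verified certificate for omega.contacts.msn.com
(18:02:10) gnutls: Starting handshake with omega.contacts.msn.com
(18:02:11) gnutls: Lvl 0 SHA1 fingerprint: bb:00
(18:02:11) gnutls: Cert DN: O=MSN,CN=*.contacts.msn.com
(18:02:11) gnutls: Cert Issuer DN: CN=Microsoft Secure Server Authority
(18:02:11) gnutls: Lvl 1 SHA1 fingerprint: bb:01
(18:02:11) gnutls: Cert DN: CN=Microsoft Secure Server Authority
(18:02:11) gnutls/x509: Bad signature for CN=Microsoft Secure Server Authority on O=MSN,CN=*.contacts.msn.com
Chain is INVALID
(18:03:36) proxy: Error connecting to omega.contacts.msn.com: 443 (Connection timed out).
(18:03:36) proxy: Connection attempt failed: Connection timed out
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    for r in recs:
        print(r["host"], r["verdict"], "names chain:", names_chain(r["chain"]))
    print(same_name_different_cert(recs))
```

On the sample, issuer and subject names line up in both handshakes, so the name check alone cannot tell the two chains apart; the fingerprint comparison is what shows the same CA name arriving as two different certificates.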

comment:128 Changed 6 years ago by rekkanoryo

Ticket #13049 has been marked as a duplicate of this ticket.
