Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#15468 closed defect (fixed)

Certificate Popup for Windows Live Messenger

Reported by: Zian Owned by: QuLogic
Milestone: 2.10.7 Component: MSN
Version: 2.10.6 Keywords:
Cc:

Description

When I started Pidgin, I got a popup asking me to accept or reject a certificate for local-bay.contacts.msn.com.

This shouldn't happen.

Steps to Reproduce:

  1. Set up Pidgin with a Windows Live Messenger account.
  2. Exit Pidgin
  3. Start Pidgin.

Attachments (5)

Screenshot.png (37.2 KB) - added by Zian 4 years ago.
Screenshot of the dialog
certificate.pem (2.6 KB) - added by Zian 4 years ago.
Saved certificate via Pidgin
purple-debug.log (15.5 KB) - added by dephekt 4 years ago.
local-blu-people.directory.live.com.pem (2.6 KB) - added by dephekt 4 years ago.
The certificate returning no CA error
Baltimore_CyberTrust_Root.pem (1.3 KB) - added by QuLogic 4 years ago.
Missing Baltimore CyberTrust Root certificate

Download all attachments as: .zip

Change History (21)

Changed 4 years ago by Zian

Screenshot of the dialog

Changed 4 years ago by Zian

Saved certificate via Pidgin

comment:1 Changed 4 years ago by Zian

I can provide a debug window dump but it has sensitive information so I'm hesitant to do so.

comment:2 Changed 4 years ago by QuLogic

  • Status changed from new to pending

Please follow the instructions to get a debug log and attach it to this ticket.
You can remove the contact list if you don't want to post it. It's not important for this problem.

comment:3 Changed 4 years ago by tkalfaoglu

I suspect we are all getting this today.. I already deleted all the M$-related certificates from Pidgin's Tools menu, and downloaded the 2010 certificates that I found at the help files. It did not help..

I also downloaded the latest source, 2.10.6, compiled, and still no luck. same error.

I have the debug log, but likewise I'm hesitant to upload it here. Is there an private channel where I can post/mail it?

Last edited 4 years ago by tkalfaoglu (previous) (diff)

comment:4 Changed 4 years ago by Tywin

I suspect tkalfaoglu is right. I am seeing the same thing on 2.10.4, though my certificate verification is for "local-blu-people.directory.live.com":

Common name: contacts.msn.com Fingerprint (SHA1): f6:56:e3:29:84:86:8b:6b:38:fd:e4:aa:70:1a:00:4a:33:4d:ba:04 Activation date: Fri Jan 11 11:47:08 2013 Expiration date: Sun Jan 11 11:47:08 2015

comment:5 Changed 4 years ago by QuLogic

I currently have the certificate with matching fingerprint and dates to the one Tywin posted. However, I don't get a prompt to accept it. The one Zian originally posted does not seem to be the same, and is possibly the older one?

Are you all using Windows perhaps?

comment:6 follow-up: Changed 4 years ago by tkalfaoglu

I'm on Linux, Fedora 17..

comment:7 Changed 4 years ago by Tywin

I am using Windows 7 64-bit. I checked the certificate in Chrome, which had no complaints about it, so I have now accepted it. The dialog does not re-appear when exiting and re-starting Pidgin.

Changed 4 years ago by dephekt

comment:8 Changed 4 years ago by dephekt

I added my debug log, but truncated the address book server reply from the tail. From the local-blu-people.directory.live.com cert check, this seemed relevant:

Checking for a CA with DN=CN=Baltimore CyberTrust? Root,OU=CyberTrust?,O=Baltimore,C=IE Also checking for a CA with DN=CN=Baltimore CyberTrust? Root,OU=CyberTrust?,O=Baltimore,C=IE No Certificate Authorities with either DN found found.[sic] I'll prompt the user, I guess.

This is from a Windows 7 Pro SP1 64-bit machine.

Last edited 4 years ago by dephekt (previous) (diff)

Changed 4 years ago by dephekt

The certificate returning no CA error

comment:9 Changed 4 years ago by QuLogic

Ticket #15470 has been marked as a duplicate of this ticket.

comment:10 in reply to: ↑ 6 Changed 4 years ago by QuLogic

Replying to tkalfaoglu:

I'm on Linux, Fedora 17..

I'm a little confused as to why it doesn't work on Fedora 17. Did you compile Pidgin yourself?

Changed 4 years ago by QuLogic

Missing Baltimore CyberTrust Root certificate

comment:11 Changed 4 years ago by QuLogic

It appears that not only has Microsoft changed intermediate certificates (before the old ones even are even close to expiring, no less), they also changed the root certificate that signs the chain.

I have attached the missing Baltimore CyberTrust Root certificate that should verify the chain. If you trust me, then you can copy it to /usr/share/purple/ca-certs on Linux or C:\Program Files\Pidgin\ca-certs on Windows (it may differ a bit if you installed somewhere else).

If you don't trust me, you can get this certificate out of Firefox: Edit->Preferences->Advanced tab->Encryption tab->View Certificates->Authorities tab. Scroll down to Baltimore CyberTrust Root (it's classified as a "Builtin Object Token"), then Export it and put it in the directory indicated above. It is likely that Chrome or Internet Explorer also ship this root certificate, but I do not know how to get it out of them.

comment:12 Changed 4 years ago by Elliott Sales de Andrade <qulogic@…>

  • Milestone set to 3.0.0
  • Resolution set to fixed
  • Status changed from pending to closed

(In [229a0269fc04]):
Add the Baltimore CyberTrust? Root certificate.

This certificate is the root that now signs the chain sent from the MSN contact servers.

Fixes #15468.

comment:13 Changed 4 years ago by Elliott Sales de Andrade <qulogic@…>

  • Milestone changed from 3.0.0 to 2.10.7

(In [673056a91e3b]):
Add the Baltimore CyberTrust? Root certificate.

This certificate is the root that now signs the chain sent from the MSN contact servers.

Fixes #15468.

comment:14 Changed 4 years ago by QuLogic

Ticket #15473 has been marked as a duplicate of this ticket.

comment:15 Changed 4 years ago by Maniac

To get the certificate from "Internet Explorer" (basically, from Microsoft's Certificate Store), Start > Run > mmc.exe File > Add/Remove? Snap-in Certificates > Add > My User Account > OK hit OK Certificates - Current User > Trusted Root Certification Authorities > Certificates Right click Baltimore CyberTrust? Root > All Tasks > Export Next > Base64 Encoded X.509 (.cer) Save it to your desktop. Rename it so it ends in .pem rather than .cer. Copy it to C:\Program Files\Pidgin\ca-certs

comment:16 Changed 4 years ago by datallah

Ticket #15474 has been marked as a duplicate of this ticket.

Note: See TracTickets for help on using tickets.
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!