Opened 3 years ago

Last modified 3 years ago

#17027 new enhancement

Pidgin gives "Unknown Host" error on certificate error on xmpp

Reported by: hjheins Owned by: deryni
Milestone: Component: XMPP
Version: 2.10.12 Keywords: ssl tls certificate error unknown host
Cc:

Description

When pidgin connects to a client that has an expired or otherwise false certificate, it displays an "Unknown Host" error message. It does so in both the GUI and the debug window, though in the debug window it is actually possible to see that the DNS resolving works. This makes troubleshooting a certificate issue quite hard.

Steps to reproduce: take an expired or otherwise false certificate on your XMPP server, and try to connect (in my case I used ejabberd with an expired/old certificate).

Please change this so that the error will be a bit more helpful.

Thanks.

Attachments (1)

Pidgin_debug_connect_on_false_ssl_cert.txt (17.7 KB) - added by hjheins 3 years ago.


Change History (8)

comment:1 Changed 3 years ago by dx

  • Status changed from new to pending

Can't reproduce. Grabbed some random server from https://xmpp.net/list.php with grade F and expired certificate, got this:

Accept certificate for herrschaftsfrei.org?

The certificate for herrschaftsfrei.org could not be validated.

The certificate is not trusted because no certificate that can verify it is currently trusted. The certificate has expired and should not be considered valid. Check that your computer's date and time are accurate

Do you have debug logs of this? Also, what operating system / distro?

Changed 3 years ago by hjheins

comment:2 Changed 3 years ago by hjheins

  • Status changed from pending to new

Attachment (Pidgin_debug_connect_on_false_ssl_cert.txt) added by ticket reporter.

comment:3 Changed 3 years ago by hjheins

Please find attached the debug log. This happened after upgrading a Debian Wheezy to Debian Jessie install on the server (ejabberd). For some reason the installer leaves the pem file alone, which created the issue. Had the upgrade also reinstalled/changed/upgraded the pem file, all would have been well. The solution in the end was to run dpkg-reconfigure ejabberd to generate a new certificate. After this, the system ran perfectly again.

comment:4 Changed 3 years ago by dx

Is this the same log as when it said "Unknown Host"? All I see is "Server closed the connection".

I tried setting my system date to the future and connecting to that server, got this:

Accept certificate for jabber.passys.nl?

The certificate for jabber.passys.nl could not be validated.

The certificate claims to be from "ejabberd" instead. This could mean that you are not connecting to the service you believe you are.

The certificate is not trusted because no certificate that can verify it is currently trusted.

The certificate has expired and should not be considered valid. Check that your computer's date and time are accurate

Which looks completely normal. Honestly this sounds like a server misconfiguration, not an issue with pidgin.

comment:5 Changed 3 years ago by hjheins

This is not the same log as when it said "unknown host". However, the problem is the same in the sense that in the Pidgin debug information I see an "unable to connect", while the actual problem is an expired SSL certificate.

I agree that technically the problem is clearly with ejabberd. However, and this is the part I am not sure about, I would expect to get an error message about an expired certificate (as you wrote in your comment).

I am not sure what creates the "unable to connect" message in the Pidgin debug; if it is Pidgin, it would be nice to have a better message that at least shows it is SSL related. But I guess if this is coming directly from ejabberd, I should go and file a bug there.

Thank you.

comment:6 Changed 3 years ago by dx

The point is that it's not just an expired certificate, but some SSL-related misconfiguration that results in the connection being terminated abnormally during the handshake; and it's the server that is closing the connection, Pidgin doesn't even get to throw NSS errors.

If you can reproduce this issue and confirm that it works with other clients but not with pidgin, that might be worth looking at. But it seems it's already fixed on the server side?
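The distinction dx draws above (a server dropping the connection during the handshake versus a certificate that fails verification) is easy to check outside of Pidgin. The following is an added example, not code from Pidgin, ejabberd or this ticket: a standard-library Python probe that walks the RFC 6120 STARTTLS steps and reports which stage failed. Host, port and the `stage` labels are assumptions of this example.

```python
import socket
import ssl
import sys

# Added example, not Pidgin or ejabberd code: a minimal XMPP STARTTLS probe
# (RFC 6120 stream header + <starttls/>) that reports *which* stage failed,
# so "server closed the connection" is not mistaken for a certificate error.
STREAM_HEADER = ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
                 "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>")
STARTTLS = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"


def recv_until(sock, token, limit=65536):
    """Read until `token` appears; a clean EOF means the server hung up."""
    buf = b""
    while token not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionResetError("server closed the connection")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("response too large")
    return buf


def probe_xmpp_tls(host, port=5222, domain=None, timeout=5.0):
    """Return (stage, detail); stage is dns, tcp, closed, cert, tls, timeout or ok."""
    domain = domain or host
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as e:          # the only case that is truly "unknown host"
        return ("dns", str(e))
    except OSError as e:                  # refused, unreachable, connect timeout
        return ("tcp", str(e))
    ctx = ssl.create_default_context()    # verifies chain, hostname and expiry
    try:
        with sock:
            sock.sendall((STREAM_HEADER % domain).encode())
            recv_until(sock, b"</stream:features>")   # server advertises starttls
            sock.sendall(STARTTLS.encode())
            recv_until(sock, b"<proceed")
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                return ("ok", tls.getpeercert().get("notAfter"))
    except ssl.SSLCertVerificationError as e:       # expired, wrong name, untrusted CA
        return ("cert", e.verify_message)
    except (ssl.SSLEOFError, ConnectionError) as e:  # server aborted mid-handshake
        return ("closed", str(e))
    except ssl.SSLError as e:                        # any other TLS-level failure
        return ("tls", e.reason)
    except socket.timeout:
        return ("timeout", "no reply from server")


if __name__ == "__main__":
    print(probe_xmpp_tls(sys.argv[1]))
```

Run it against the XMPP host: a `cert` result carries the verification reason (for example that the certificate has expired), while `closed` means the server hung up before any certificate could be checked, which is the case dx describes.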

comment:7 Changed 3 years ago by hjheins

The weird thing is that the ejabberd configuration is fine. The fix is running "dpkg-reconfigure ejabberd". This command defines the hostname (which I do not change), and it generates the certificate file (only if the old one is removed first). After doing this, I get a connection and the system runs.

I will check with other clients to see if I get the same or different behaviour.
