Opened 14 months ago

Last modified 3 months ago

#17275 new enhancement

Need option to ignore certificate errors

Reported by: plarkinjr
Owned by: deryni
Milestone:
Component: XMPP
Version: 2.12.0
Keywords: SSL Certificate nss
Cc: mattenklicker

Description

Applies to:

  • 2.12.0 on Windows 7
  • 2.10.9 on ubuntu 14.04
  • XMPP (corporate Cisco Jabber server behind VPN)

If user is presented a broken certificate, there is no way to "ignore" the error and connect anyway.

Error messages:

  • Popup "SSL Certificate Error" - Unable to validate certificate. The certificate for blah.corp.com could not be validated. The certificate chain presented is invalid.
  • Debug window:
    (14:39:12) nss: ERROR -8101: SEC_ERROR_INADEQUATE_CERT_TYPE
    (14:39:12) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
  • Bottom of Buddy List: "SSL peer presented an invalid certificate"

Pidgin previously worked on my company's server, but the certificate expired, and they re-issued a new one. Unfortunately, it has this chain problem. I cannot get my IT department to fix their broken CA chain (They only care if Cisco's Jabber client works). It would be nice if I could just tell Pidgin "Yeah, I know, but accept it anyway". At least then I could run Pidgin again.

Other XMPP clients which work with this server and its broken certificates (if configured to ignore certificate errors): gajim, spark, pandion & Cisco Jabber

Attachments (1)

Screenshot_2017-12-21_1417.jpg (501.6 KB) - added by plarkinjr 14 months ago.
screenshot of errors


Change History (2)

Changed 14 months ago by plarkinjr

screenshot of errors

comment:1 Changed 3 months ago by mattenklicker

I get exactly the same error with Cisco Jabber. The problem is probably that the CN of the certificate does not match the hostname (which is the case here). And Pidgin only checks the CN, not the hostnames in the Subject Alternative Name: https://bitbucket.org/pidgin/main/src/0489ab8d380234a6f9bd32b3ad0ae9aa2edcaa1d/libpurple/certificate.h?at=release-2.x.y&fileviewer=file-view-default#certificate.h-286: "For X.509, this is the "Common Name" field, as we're only using it"

"openssl s_client -showcerts -connect host:5222 -starttls xmpp" shows no error.

BTW: If you use gnutls instead of nss you get a popup to ignore the certificate failure.
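The CN-versus-SAN behaviour discussed in the comment above, shown as an added example that is not Pidgin's or libpurple's code: a hostname matcher that consults the Subject Alternative Name first and falls back to the Common Name only when the certificate carries no dNSName entries. The certificate dict shape and the sample certificate are constructed for the example.

```python
# Added example, not Pidgin/libpurple code: RFC 6125-style hostname matching
# that consults Subject Alternative Name first and uses the Common Name only
# when no dNSName SAN is present. Input has the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns.

def _match_pattern(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against hostname, case-insensitively.

    A single '*' is allowed only as the whole left-most label and matches
    exactly one label: '*.corp.example' covers 'xmpp.corp.example' but not
    'corp.example' or 'a.b.corp.example'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # wildcard only as the entire left-most label
    if len(p_labels) < 3:
        return False  # refuse overly broad patterns such as '*.example'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def san_dns_names(cert: dict) -> list:
    """dNSName entries of subjectAltName (empty list if the extension is absent)."""
    return [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert: dict) -> list:
    """Every commonName attribute in the subject, in order."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate's DNS identifiers cover hostname.

    Once any dNSName SAN exists the CN is ignored entirely; a verifier that
    looks only at the CN rejects valid SAN-only certificates.
    """
    names = san_dns_names(cert)
    if not names:
        names = common_names(cert)  # legacy fallback, only when SAN is absent
    return any(_match_pattern(n, hostname) for n in names)

# Constructed sample: the CN names an old host, the SAN covers the XMPP host.
SAMPLE_CERT = {
    "subject": ((("commonName", "jabber-old.corp.example"),),),
    "subjectAltName": (("DNS", "xmpp.corp.example"), ("DNS", "*.im.corp.example")),
}
```

The same function accepts the dict returned by a real ssl.SSLSocket.getpeercert() call. It covers name matching only; the SEC_ERROR_UNTRUSTED_ISSUER line in the debug window above is a chain-trust failure that no hostname check can resolve.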
