Opened 10 years ago

Closed 9 years ago

Last modified 9 years ago

#5366 closed patch (fixed)

Feature request: SSL over AIM/ICQ/.Mac with server slogin.oscar.aol.com being supported

Reported by: akin Owned by: MarkDoliner
Milestone: 2.5.5 Component: AIM
Version: 2.4.0 Keywords: AIM, ICQ, dot mac, .Mac, SSL, slogin.oscar.aol.com
Cc: anthony.kinyon+pidginsuggestion@…, lid, datallah

Description

The latest iChat from Apple supports SSL over AIM/ICQ/.Mac using port 5190 and server slogin.oscar.aol.com. According to the people over at http://trac.adiumx.com/ticket/9474 Adium, it seems that libpurple presently disallows user specification to use SSL (does not offer the option) nor does it offer using a custom port. This would be more secure so can the appropriate option(s) please be made available? Thank you.

Attachments (6)

part1.patch (18.7 KB) - added by darkrain42 9 years ago.
part2.patch (6.1 KB) - added by darkrain42 9 years ago.
part3.patch (3.0 KB) - added by darkrain42 9 years ago.
single-big-one.patch (22.5 KB) - added by darkrain42 9 years ago.
VeriSign_International_Server_Class_3_CA.pem (1.2 KB) - added by darkrain42 9 years ago.
Intermediate CA that signs the AOL server certs
part4-server-settings.patch (4.3 KB) - added by darkrain42 9 years ago.
Fix the 'user must manually change the connect server' issue


Change History (17)

comment:1 Changed 10 years ago by akin

More info from the Adium side of this is at http://trac.adiumx.com/ticket/9553 .

comment:2 Changed 9 years ago by darkrain42

I've attached a set of patches that implement this (against i.p.p head). The single-big-one is simply all three rolled into one.

This code should work just like iChat w/ SSL enabled. The one problem is that validation doesn't fully work because there's an intermediate certificate missing from the trusted stores:

O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

comment:3 Changed 9 years ago by darkrain42

Forgot to mention: I'd love for this patch to get some more testing beyond my testing (it works with my ICQ and AIM accounts and I could join a chat room and talk and all that).

comment:4 Changed 9 years ago by darkrain42

Errr, last update before I sleep: as-is, the code for figuring out what server to connect to is wonky/broken/bad. You must hard-code it to slogin.oscar.aol.com on the advanced account settings page.

I guess the logic for that should probably go something like:

if (ssl is enabled && account setting is one of the ones that have been default in Pidgin [login.messaging.aol.com, login.oscar.aol.com])
    connect_host = use slogin.oscar.aol.com
    update the account setting to reflect slogin.oscar.aol.com (maybe?)
else
    connect_host = account setting

(hopefully that means something to someone else, too)

comment:5 Changed 9 years ago by MarkDoliner

  • Type changed from enhancement to patch

Changed 9 years ago by darkrain42

Intermediate CA that signs the AOL server certs

comment:6 Changed 9 years ago by darkrain42

Attached the intermediate CA cert needed for the AOL servers. It is signed by the Verisign_Class3_Primary_CA (included w/ Pidgin already).

$ openssl verify -CApath /nonexistent -CAfile Verisign_Class3_Primary_CA.pem VeriSign_International_Server_Class_3_CA.pem 
VeriSign_International_Server_Class_3_CA.pem: OK
$

(the nonexistent path part is in there because openssl will otherwise verify against /etc/openssl/certs and the requisite verisign cert is already there)
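
The following script is an added illustration, not part of this ticket, of the patches, or of Pidgin's own code. It reproduces the situation from comment 2 (the server certificate cannot be validated because the issuing intermediate CA is not in the trust store) and the two ways it gets resolved: shipping the intermediate in the trusted store, as comment 6 and the commit in comment 10 do, or the server sending the full chain in the handshake. It builds a throwaway root -> intermediate -> leaf chain with made-up names (Example Root CA, Example Intermediate CA, slogin.example.invalid), standing in for Verisign_Class3_Primary_CA, VeriSign_International_Server_Class_3_CA and the AOL server cert. An empty directory is passed as -CApath for the same reason the /nonexistent trick above is used: to keep the system store out of the picture.

```shell
#!/bin/sh
# Added example (not libpurple code): build a constructed three-level chain
# and show why the leaf cannot be validated from the root alone.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Empty directory used as -CApath so the system store cannot supply the
# intermediate behind our back (same purpose as "-CApath /nonexistent").
mkdir -p "$WORK/empty"

make_chain() {
    # Extensions for both CAs: real CA certs, allowed to sign certs and CRLs.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    # Leaf extensions: explicitly not a CA, with a SAN for the made-up host.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:slogin.example.invalid\n' \
        > "$WORK/leaf.ext"

    # Root CA, self-signed; plays the role of Verisign_Class3_Primary_CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    # Intermediate CA signed by the root; plays the role of
    # VeriSign_International_Server_Class_3_CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/inter.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

    # Server (leaf) certificate, signed by the intermediate only.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=slogin.example.invalid" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

    # The remedy from comment 6: put the intermediate into the trust store.
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/trusted-with-inter.pem"
}

# verify_leaf TRUSTSTORE [UNTRUSTED]
# Returns 0 when openssl reports the leaf as OK. UNTRUSTED plays the role of
# the intermediate a well-behaved server would send during the handshake.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CApath "$WORK/empty" -CAfile "$1" -untrusted "$2" \
            "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CApath "$WORK/empty" -CAfile "$1" \
            "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
    fi
}

report() {
    if verify_leaf "$@"; then echo "OK    $*"; else echo "FAIL  $*"; fi
}

make_chain
report "$WORK/root.pem"                     # FAIL: issuer of the leaf unknown
report "$WORK/trusted-with-inter.pem"       # OK: intermediate shipped as trusted
report "$WORK/root.pem" "$WORK/inter.pem"   # OK: server supplied the chain
```

The first line of output is the failure darkrain42 describes: the root alone cannot validate a leaf whose issuer is an intermediate the client has never seen. Either of the other two lines fixes it, and Pidgin's commit chose the first of them because the AOL servers did not return the full chain.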

Changed 9 years ago by darkrain42

Fix the 'user must manually change the connect server' issue

comment:7 Changed 9 years ago by darkrain42

Implement a sane mechanism for switching an OSCAR account to SSL.

The user checks the box and, if their login server is one of the default ones used in libpurple, change it to the SSL server. If the user unchecks the box, change it back.

I'm not happy with this, but it works. It might be sensible to adjust our connecting server and not change the account option.

comment:8 Changed 9 years ago by lid

Thanks for contributing this patch darkrain42; I look forward to seeing it in a release soon.

comment:9 Changed 9 years ago by darkrain42

  • Resolution set to fixed
  • Status changed from new to closed

This is committed to monotone on the im.pidgin.cpw.darkrain42.oscar.ssl branch. Closing since monotone-trac integration doesn't like me.

comment:10 Changed 9 years ago by paul@…

(In e94a3f67048ab9654d2e9cd4edaa60f5aa023f62):
Provide the intermediate certificate needed to verify AOL's server certificates since the servers don't return a full chain.

Closes #5366

comment:11 Changed 9 years ago by darkrain42

  • Milestone set to 2.5.5

Mark merged the branch into im.pidgin.pidgin.
