Trac is being migrated to new services! Issues can be found in our new YouTrack instance and WIKI pages can be found on our website.

Version 22 (modified by mmcco, 9 years ago) (diff)

Anyone using Debian Woody has bigger problems

Frequently Asked Questions About SSL

This information was compiled by Stu Tomlinson with much help from #pidgin.

Many of the library and application versions mentioned below are out of date and potentially have security vulnerabilities, the information may however still be helpful for getting current releases installed in your environment.

Why can't I use OpenSSL for SSL support in libpurple?

The OpenSSL license is not compatible with the libpurple license (GPLv2). The Free Software Foundation maintains a list of open-source licenses and details their compatibility or incompatibility with the GPL. The OpenSSL license is discussed there.

In summary: you need GNUTLS or Mozilla NSS and NSPR; OpenSSL will not do.

General Notes

Libpurple needs to be compiled with SSL support in order to work with MSN, Yahoo, Novell GroupWise, and some Jabber/XMPP servers which support or require it, such as Google Talk. You will need either GNUTLS and all its dependencies or Mozilla NSS and NSPR.

Mozilla 1.5 will not provide all the pieces for NSPR and NSS due to breakage in the Mozilla build system that prevents the installation of some header (.h) files. You might be able to install mozilla-{nss,nspr}{,-devel} from mozilla 1.4, or install NSS from source, in parallel and link against those for libpurple. Or just use GNUTLS.

Distribution-specific Notes

Debian

Use the Debian packages. If you want to compile from source, run apt-get build-dep pidgin. This will grab all Pidgin's dependencies. If you want to install specific SSL libraries for libpurple, try apt-get install libgnutls-dev or apt-get install libnss3-dev, which will install the corresponding binary packages automatically as dependencies.

Fedora Core < 16

Please upgrade to a more recent distribution and use the distribution provided packages

FreeBSD 5.1

Compile from source. See the notes below. As we understand it, GNUTLS no longer works for FreeBSD users; Pidgin will work fine with the NSS from ports (nss-3.8):

~$ cd /usr/ports/net/pidgin ; make WITHOUT_GNUTLS=t WITH_NSS=t WITHOUT_AUDIO=t package clean

Gentoo

Gentoo's Pidgin ebuilds should "Just Work." Before you do anything, sync your Portage package database:

~$ emerge sync

The most recent Pidgin version is usually not in Gentoo stable right away. To ensure you are using the most recent release in Portage, you may add the following line to /etc/portage/package.keywords, using ~ppc, ~sparc, etc instead of ~x86 if you are not using the x86 architecture:

net-im/pidgin ~x86

Portage will build and install the NSS and NSPR packages automatically if you do not have them. Alternatively, if you add the following line to /etc/portage/package.use, Portage will automatically use GNUTLS instead of Mozilla NSS, building and installing GNUTLS if necessary:

net-im/pidgin gnutls

After you are satisfied with your configuration, run the following command to install the latest version available in Portage, along with any needed dependencies:

emerge pidgin

Also, don't forget that emerge is not a transitive verb!

Linux From Scratch

If you're not able to figure this out on your own already, see the notes below on compiling from source.

Mac OS X

You will need to compile from source. Use GNUTLS. Information on GNUTLS with OS X can be found here.

OpenBSD 3.4

Compile from source. See the notes below for GNUTLS versions that have been reported to work.

Red Hat Linux 9 and earlier

Please join this century and upgrade to a newer distribution, such as the current release of Fedora.

Slackware 9.1, 10, and 10.1

There are sometimes third-party packages for these Slackware distributions here.

If you would like to build Pidgin from source, and have Mozilla installed, you can try the following. Note that if Mozilla 1.4 is not your installed version, you will need to replace that with the correct version number. Also, at some point, Mozilla 1.7.5 was removed from Slackware-Current and replaced with Mozilla Firefox. This will probably change the exact location for the paths listed.

~/pidgin$ ./configure --with-nss-includes=/usr/include/mozilla-1.4/nss \
> --with-nspr-includes=/usr/include/mozilla-1.4/nspr \
> --with-nss-libs=/usr/lib/mozilla-1.4 \
> --with-nspr-libs=/usr/lib/mozilla-1.4

Also, you'll need to add /usr/lib/mozilla-1.4 (again replacing versions as appropriate) to /etc/ld.so.conf and run ldconfig as root.

Firefox also includes the necessary libraries, so if you have a binary package of Pidgin that was built with SSL support you may be able to add /usr/lib/firefox to /etc/ld.so.conf and run ldconfig as root.

Solaris

Blastwave provides third-party packages for Solaris. Also, builds of Solaris Express should contain Pidgin builds in the near future. (After build 65)

If you use Blastwave's packages and get the error "Fatal: no entropy gathering module detected," make sure that you have installed the Solaris /dev/random patch (Solaris 8 (sparc): 112438, (x86): 112439) and that /dev/random is world-readable.

If you decide to compile from source, make sure you use gmake. If you use Sun's compilers make sure to set CC and other env variables to point to the location of the C compiler. Note that SunStudio12 compilers include an option to provide links for the tools in /usr and this works quite well.

SuSE 8.2, 9.0, 9.1, 9.2, and 9.3

Third-party RPMs for these SuSE distributions are often available here. These RPMs use GNUTLS for SSL support, but GNUTLS is not provided in SuSE 8.2 or 9.0. Users of these distributions will need to also install GNUTLS, OpenCDK, and libtasn1 from the same site. SuSE 9.1 and later provide GNUTLS, and SuSE's provided GNUTLS should be used on these distributions.

If you wish to use Mozilla NSS with Pidgin, you will need to compile from source using these NSS packages from the same site as the Pidgin RPMs.

Ubuntu Feisty (7.04) and Gusty (7.10)

Uninstall any previous versions of Pidgin using apt, Synaptic, or similar. Then install the libnss3-dev package with Synaptic or apt-get install libnss3-dev. Now re-run ./configure, make, make install. Alternatively, use apt-get build-dep gaim (or pidgin on Gusty, although gaim will work) to get all of Pidgin's dependencies, then rebuild Pidgin.

Ubuntu 4.10 (Warty), 5.04 (Hoary), 5.10 (Breezy), 6.06 (Dapper), 6.10 (Edgy)

Uninstall any previous versions of Pidgin using apt, Synaptic, or similar. Then install the libgnutls10-dev package with Synaptic or apt-get install libgnutls10-dev. Now re-run ./configure, make, make install. Alternatively, use apt-get build-dep gaim to get all of Pidgin's dependencies, then rebuild Pidgin.

Windows

Use the Pidgin provided binaries, or follow the Building Windows Pidgin instructions to the letter.

Compiling From Source

I strongly recommend you use pre-packaged binaries where possible, however if you MUST use source, these tips might help you. Either GNUTLS or Mozilla NSS and NSPR will work. I've witnessed more success with NSS and NSPR.

Mozilla NSS and NSPR

Get the NSS and NSPR source package (despite its name, the package includes both NSS and NSPR).

Once NSS and NSPR are built and installed, run Pidgin's configure script similarly to this (replace $INCDIR with the directory the .h files are in and replace $LIBDIR with the directory the .so files are in):

~/pidgin$ ./configure --with-nspr-includes=$INCDIR --with-nspr-libs=$LIBDIR \
> --with-nss-includes=$INCDIR --with-nss-libs=$LIBDIR

If you can't add to /etc/ld.so.conf (or your *nix OS doesn't have one), set the environment variable LD_LIBRARY_PATH instead, either before running Pidgin or (for Bourne and bash shells) on the Pidgin command line, like so:

(csh)
~$ setenv LD_LIBRARY_PATH /usr/lib/mozilla-1.4

(sh/bash)
~$ LD_LIBRARY_PATH=/usr/lib/mozilla-1.4 ; export LD_LIBRARY_PATH

(sh/bash on Pidgin command line)
~$ LD_LIBRARY_PATH=/usr/lib/mozilla-1.4 pidgin

If you have multiple versions of Mozilla installed, you might have some problems with which version is detected by ./configure and which libs are used at runtime. This is because, by default, ./configure uses pkg-config to find the Mozilla NSS and NSPR libs and includes. If you explicitly specify the Mozilla libs and includes to use with the --with-{nss,nspr}-{includes,libs} options to ./configure then pkg-config will not be used, and you might have more success.

The notes below on installing NSS and NSPR as non-root will probably be helpful, even if not exactly what you want.

GNUTLS

IRC user sofar provided this information. You need to compile things in a specific order here--start with libgpg-error, then move onto libgcrypt (which needs libgpg-error), then libtasn1. Once these three are installed, install GNUTLS.

Libopencdk has proven to be a PITA in some respects; don't use it, as it will break GNUTLS. Version 0.9.92 of GNUTLS doesn't compile because the maintainer forgot to include a needed file. Other versions such as 0.9.91 should work fine.

You shouldn't need the --with-gnutls-{includes,libs} arguments to ./configure, as the libs get installed to good locations by default. If you have put GNUTLS in an unusual location, you're on your own there. ;)

For FreeBSD and OpenBSD users, GNUTLS 0.8.10 works, but 0.8.6 doesn't (thanks, synic).

The notes below on installing GNUTLS as non-root may also be helpful, even if not exactly what you want.

Non-root Including Mozilla NSS and NSPR

Download the NSS and NSPR source and extract it. Then do:

~$ cd nss-3.9.2/mozilla/security/nss
nss-3.9.2/mozilla/security/nss$ make nss_build_all
nss-3.9.2/mozilla/security/nss$ make install

The Mozilla build system defaults to using the OS-supplied cc even if it's not in the path. If you're compiling on Solaris (and possibly other Unixes), you'll need to force the build to use gcc using the following commands instead:

nss-3.9.2/mozilla/security/nss$ NS_USE_GCC=1 make nss_build_all
nss-3.9.2/mozilla/security/nss$ NS_USE_GCC=1 make install

On systems where make is not GNU make, use gmake. The above commands will build the libraries without optimizations and with debugging enabled. To build optimized libraries, use these commands instead:

nss-3.9.2/mozilla/security/nss$ make BUILD_OPT=1 nss_build_all
nss-3.9.2/mozilla/security/nss$ make BUILD_OPT=1 install

To install the libraries and necessary headers, do the commands in the following block, but note that they require GNU find and GNU cp. These GNU tools can be found on Sunfreeware.com in the findutils and coreutils packages, respectively. Remember to make sure either that the GNU utilities are in your path before the OS versions or that you explicitly give the full path to the GNU utilities for all of the commands below.

nss-3.9.2/mozilla/security/nss$ mkdir -p $HOME/lib
nss-3.9.2/mozilla/security/nss$ mkdir -p $HOME/include/nspr
nss-3.9.2/mozilla/security/nss$ find ../../dist/*/lib -type l \
> \( -name "*.so" -o -name "*.chk" \) \
> -exec cp -L {} $HOME/lib \;
nss-3.9.2/mozilla/security/nss$ cp -Lr ../../dist/public/* $HOME/include
nss-3.9.2/mozilla/security/nss$ cp -Lr ../../dist/*/include/* $HOME/include/nspr

Now, to compile Pidgin, do the following after downloading and extracting the source:

~/pidgin$ ./configure --prefix=$HOME --with-nss-includes=$HOME/include/nss \
> --with-nspr-includes=$HOME/include/nspr --with-nss-libs=$HOME/lib \
> --with-nspr-libs=$HOME/lib
~/pidgin$ make
~/pidgin$ make install

After the above, you should be able to use Pidgin by running $HOME/bin/pidgin. In some cases it may be necessary to set LD_LIBRARY_PATH=$HOME/lib before running Pidgin.

Non-root Including GNUTLS

These instructions have been tested using the exact same versions of libraries specified in the GNUTLS section above, with the sole exception of libtasn1. GNUTLS includes a version of libtasn1 which seems to work. Install the libraries as follows.

libgpg-error:

~/libgpg-error$ ./configure --prefix=$HOME
~/libgpg-error$ make
~/libgpg-error$ make install

libgcrypt:

# fix the configure script!
~/libgcrypt$ perl -pi -e 's/ --prefix=\$gpg_error_config_prefix//' configure
~/libgcrypt$ ./configure --prefix=$HOME --with-gpg-error-prefix=$HOME
~/libgcrypt$ make
~/libgcrypt$ make install

GNUTLS:

~/gnutls$ LD_LIBRARY_PATH=$HOME/lib ./configure --prefix=$HOME --with-libgcrypt=$HOME
~/gnutls$ make
~/gnutls$ make install

Pidgin:

~/pidgin$ ./configure --prefix=$HOME --enable-gnutls=yes \
> --with-gnutls-libs=$HOME/lib --with-gnutls-includes=$HOME/include
~/pidgin$ make
~/pidgin$ make install

You should now be able to use Pidgin by running $HOME/bin/pidgin. In some cases, it might be necessary to set LD_LIBRARY_PATH=$HOME/lib before running Pidgin.

Troubleshooting

./configure

./configure will print summary information at the end of its execution that tells you what SSL implementation will be used. You will get one of these four lines:

SSL Library/Libraries......... : None.  MSN, Novell Groupwise and Google Talk will not work without GnuTLS or NSS. OpenSSL is NOT usable!
SSL Library/Libraries......... : Mozilla NSS
SSL Library/Libraries......... : GnuTLS
SSL Library/Libraries......... : Mozilla NSS and GnuTLS

It should be fairly obvious that if it says "None," SSL will not work for you. Fix that by making sure you're passing the right --with-xxx-libs and --with-xxx-includes as described above or that you have the correct -dev or -devel packages installed, also as described above where applicable. Make sure you do this before you even bother to run make.

Compiling

If ./configure said it was going to compile with SSL but the make fails to build, it is likely you have a broken installation of the chosen SSL libs. If you did not specify any --with-xxx-libs or --with-xxx-includes when running configure, try explicitly pointing it at your SSL libs and includes. If it still fails during make, you should probably try the other SSL option and explicitly disable the one that failed with --enable-nss=no or --enable-gnutls=no` as appropriate.

Runtime

If you've managed to build Pidgin with SSL support reported by ./configure and no build failures, but when running it still complains, there are a few things you can try.

Make sure that you only have one copy of Pidgin installed, it is possible that there is another one in your path that does not have SSL support. You can check which Pidgin is being run with "which pidgin", or you can be sure to run the version you've just compiled by specifying the full path to it. Note: ./configure will warn you if it finds an old version of Pidgin already installed.

If you are sure that you are running your freshly compiled Pidgin, check Pidgin's SSL plugin is actually linked to the necessary libs. If you compiled with Mozilla NSS, you can do this (replace /usr/local with the prefix you installed to):

~$ ldd /usr/local/lib/purple/ssl-nss.so
libnsl.so.1 => /lib/libnsl.so.1 (0x40023000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

That one is NOT linked against NSS, and will not work. Go back to the beginning and try again (or, if you also compiled with GnuTLS, keep reading).

~$ ldd /usr/local/lib/purple/ssl-nss.so
libnss3.so => /usr/lib/libnss3.so (0x4004e000)
libsmime3.so => /usr/lib/libsmime3.so (0x400b0000)
libssl3.so => /usr/lib/libssl3.so (0x400d0000)
libsoftokn3.so => /usr/lib/libsoftokn3.so (0x400f0000)
libpthread.so.0 => /lib/i686/libpthread.so.0 (0x40155000)
libdl.so.2 => /lib/libdl.so.2 (0x401a5000)
libnsl.so.1 => /lib/libnsl.so.1 (0x401a8000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libplc4.so => /usr/lib/libplc4.so (0x401bf000)
libplds4.so => /usr/lib/libplds4.so (0x401c4000)
libnspr4.so => /usr/lib/libnspr4.so (0x401c7000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

That one is linked against the necessary things, and all libs were found. If any of the bits on the right say "not found", then the compile worked but the libs cannot be found by the dynamic loader. See notes above about /etc/ld.so.conf, ldconfig and the LD_LIBRARY_PATH environment variable.

If you compiled with GnuTLS (or both), the steps to check the purple SSL plugin are similar to above, except the file to check is ssl-gnutls.so. The output should look like this if all is good:

~$ ldd /usr/local/lib/purple/ssl-gnutls.so
libgnutls.so.8 => /usr/lib/libgnutls.so.8 (0x40003000)
libgcrypt.so.7 => /usr/lib/libgcrypt.so.7 (0x4005e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x400c6000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libz.so.1 => /usr/lib/libz.so.1 (0x400dc000)
libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x400ea000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

For completeness, here's the output if it can't find some of the libs:

libgnutls.so.8 => not found
libgcrypt.so.7 => not found
libnsl.so.1 => /lib/libnsl.so.1 (0x002b7000)
libc.so.6 => /lib/tls/libc.so.6 (0x004f4000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x0088d000)
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!