#910 closed defect (fixed)

libpurple module should remember accepted SSL certificates

Reported by: luke@… Owned by: wilmer
Priority: normal Milestone:
Component: Purple Version: 3.0.4
Keywords: SSL Cc:
IRC client+version: Client-independent Operating System: Linux
OS version/distro: Ubuntu 11.10


19:06 <@Luke> account jabber on 19:06 <@JeBuS> jabber - Logging in: Connecting 19:06 <@JeBuS> jabber - Logging in: Initialising Stream 19:06 <@JeBuS> jabber - Logging in: Initialising SSL/TLS 19:06 <@JeBuS> New request: Request: SSL Certificate Verification 19:06 <@JeBuS> 19:06 <@JeBuS> Accept certificate for xmppserver? 19:06 <@JeBuS> 19:06 <@JeBuS> The certificate for xmppserver could not be validated. 19:06 <@JeBuS> 19:06 <@JeBuS> The certificate is self-signed and cannot be automatically checked. 19:06 <@JeBuS> You can use the yes/no commands to accept/reject this request.

Is there a way to trust this certificate? if not maybe have a yes/no/remember?

Attachments (0)

Change History (13)

comment:1 Changed at 2012-02-07T23:34:54Z by wilmer

Component: BitlBeePurple
Owner: set to wilmer
Summary: Ability to accept SSL certs?libpurple module should remember accepted SSL certificates

This looks like libpurple. I'm not sure why this state doesn't get saved but fixing it is not a priority.

Hopefully they're sane and just use some file in /etc/ssl/. In which case you just add your cert there and libpurple will be happy.

comment:2 Changed at 2012-02-07T23:55:55Z by luke@…

/etc/ssl/ indeed does seem to work.

Thay'll do for now. Thanks Wilmer.

comment:3 Changed at 2012-02-08T10:32:54Z by luke@…

Hmm, in hindsight, it doesn't seem to be.

comment:4 Changed at 2012-02-08T22:57:33Z by luke@…

OK, worked this one out.

bitlbee-libpurple uses /var/lib/bitlbee/purple to create local purple folders for all the bitlbee users, so mine looks like

drwx------ 3 bitlbee bitlbee 4.0K 2012-02-04 11:55 certificates drwx------ 2 bitlbee bitlbee 24K 2012-02-08 22:51 icons drwx------ 3 bitlbee bitlbee 4.0K 2012-02-08 22:51 lsheldrick drwx------ 4 bitlbee bitlbee 4.0K 2012-02-08 22:53 Luke drwx------ 2 bitlbee bitlbee 4.0K 2012-02-04 11:55 mbpurple -rw------- 1 bitlbee bitlbee 8.6K 2012-02-08 22:52 prefs.xml -rw------- 1 bitlbee bitlbee 390 2012-02-04 12:28 status.xml

certificates was empty, so went to see how say pidgin or finch added the certificates. If you accept them, they get added to your local .purple directory under .purple/certificates/x509/tls_peers/$cert

Copying the cert & path that pidgin created under the user folder in /var/lib/bitlbee/purple/$user, or just in /var/lib/bitlbee/purple/certificates (for server wide acceptance), and restarting bitlbee seems to have done the job.

So I guess, adding the yes/no/remember option wouldn't be too hard, all bitlbee would need to do is save the cert under /var/lib/bitlbee/purple/$user/certificates/x509/tls_peers/$cert.

Feel free to mark this as resolved, I seemed to have worked it out myself :)

comment:5 Changed at 2012-02-08T23:37:14Z by Wilmer van der Gaast <wilmer@…>

There's probably some way in which BitlBee could have libpurple do that. I'll leave this bug open for eventually figuring that out.

But also, it must be getting its list of default CAs from somewhere. I very much hope it doesn't come with a built-in list of approved CAs...

comment:6 Changed at 2012-04-13T14:53:37Z by anonymous

The fix listed does not work with IRSSI as IRSSI does not create and ~/.purple file hierarchy. Using the pidgin-sipe plugin on the latest bitlbee daily build in squeeze (for use with OCS).

comment:7 Changed at 2013-12-07T12:04:47Z by flexibeast@…

Bump. i'm finding this issue most frustrating. i've gone away from BitlBee for several hours and have come back to 150+ questions in my qlist, for only two accounts, asking if i want to accept certificates i've manually accepted many times before. i've tried the approach suggested in comment 4, above, but it didn't work.

(Being able to manually clear all questions in the qlist with a single command, e.g. 'qlist clear', would at least help me work around the issue ....)

comment:8 Changed at 2013-12-07T12:09:28Z by wilmer

Understood, but the libpurple module is only somewhat supported. I'll need someone to figure out why this is broken to begin with, I'm trying to keep my hands off that code myself.

comment:9 Changed at 2014-02-28T14:34:02Z by anonymous

This is still the worst part about using bitlbee for me.

comment:10 in reply to:  9 Changed at 2014-04-06T17:08:15Z by anonymous

Replying to anonymous:

This is still the worst part about using bitlbee for me.

Bump. The fly in the ointment.

comment:11 Changed at 2014-05-16T21:27:22Z by anonymous

1) If you know the Lync server you're connecting to you should be able to pull the cert down using your browser and then save it. cert files are just plain text.

2) The latest bitlbee accepts the cert if you stick it in the user specific folder, but not if you leave it in the global folder only. On Arch this is: /var/lib/bitlbee/purple/USERNAME/certificates/x509/tls_peers

comment:12 Changed at 2014-06-02T18:26:25Z by anonymous

Hah, that worked ... i.e

$ sudo mkdir -p /var/lib/bitlbee/purple/$USER/certificates/x509/tls_peers

$ sudo cp ~/.purple/certificates/x509/tls_peers/* /var/lib/bitlbee/purple/$USER/certificates/x509/tls_peers

$ sudo chown bitlbee:bitlbee /var/lib/bitlbee/purple/$USER/certificates

(captcha attempt #5, new private tab)

Modify Ticket

as closed The owner will remain wilmer.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.