Opened at 2012-02-05T19:07:58Z
Closed at 2015-11-26T05:25:32Z
#910 closed defect (fixed)
libpurple module should remember accepted SSL certificates
Reported by: | Owned by: | wilmer | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Purple | Version: | 3.0.4 |
Keywords: | SSL | Cc: | |
IRC client+version: | Client-independent | Operating System: | Linux |
OS version/distro: | Ubuntu 11.10 |
Description
19:06 <@Luke> account jabber on
19:06 <@JeBuS> jabber - Logging in: Connecting
19:06 <@JeBuS> jabber - Logging in: Initialising Stream
19:06 <@JeBuS> jabber - Logging in: Initialising SSL/TLS
19:06 <@JeBuS> New request: Request: SSL Certificate Verification
19:06 <@JeBuS>
19:06 <@JeBuS> Accept certificate for xmppserver?
19:06 <@JeBuS>
19:06 <@JeBuS> The certificate for xmppserver could not be validated.
19:06 <@JeBuS>
19:06 <@JeBuS> The certificate is self-signed and cannot be automatically checked.
19:06 <@JeBuS> You can use the yes/no commands to accept/reject this request.
Is there a way to trust this certificate? If not, maybe have a yes/no/remember?
Change History (13)
comment:1 Changed at 2012-02-07T23:34:54Z by
Component: | BitlBee → Purple |
---|---|
Owner: | set to wilmer |
Summary: | Ability to accept SSL certs? → libpurple module should remember accepted SSL certificates |
comment:2 Changed at 2012-02-07T23:55:55Z by
/etc/ssl/ indeed does seem to work.
That'll do for now. Thanks Wilmer.
comment:4 Changed at 2012-02-08T22:57:33Z by
OK, worked this one out.
bitlbee-libpurple uses /var/lib/bitlbee/purple to create local purple folders for all the bitlbee users, so mine looks like
drwx------ 3 bitlbee bitlbee 4.0K 2012-02-04 11:55 certificates
drwx------ 2 bitlbee bitlbee 24K 2012-02-08 22:51 icons
drwx------ 3 bitlbee bitlbee 4.0K 2012-02-08 22:51 lsheldrick
drwx------ 4 bitlbee bitlbee 4.0K 2012-02-08 22:53 Luke
drwx------ 2 bitlbee bitlbee 4.0K 2012-02-04 11:55 mbpurple
-rw------- 1 bitlbee bitlbee 8.6K 2012-02-08 22:52 prefs.xml
-rw------- 1 bitlbee bitlbee 390 2012-02-04 12:28 status.xml
certificates was empty, so I went to see how, say, pidgin or finch added the certificates. If you accept them, they get added to your local .purple directory under .purple/certificates/x509/tls_peers/$cert
Copying the cert & path that pidgin created under the user folder in /var/lib/bitlbee/purple/$user, or just in /var/lib/bitlbee/purple/certificates (for server wide acceptance), and restarting bitlbee seems to have done the job.
So I guess, adding the yes/no/remember option wouldn't be too hard, all bitlbee would need to do is save the cert under /var/lib/bitlbee/purple/$user/certificates/x509/tls_peers/$cert.
Feel free to mark this as resolved, I seem to have worked it out myself :)
comment:5 Changed at 2012-02-08T23:37:14Z by
There's probably some way in which BitlBee could have libpurple do that. I'll leave this bug open for eventually figuring that out.
But also, it must be getting its list of default CAs from somewhere. I very much hope it doesn't come with a built-in list of approved CAs...
comment:6 Changed at 2012-04-13T14:53:37Z by
The fix listed does not work with IRSSI as IRSSI does not create any ~/.purple file hierarchy. Using the pidgin-sipe plugin on the latest bitlbee daily build in squeeze (for use with OCS).
comment:7 Changed at 2013-12-07T12:04:47Z by
Bump. i'm finding this issue most frustrating. i've gone away from BitlBee for several hours and have come back to 150+ questions in my qlist, for only two accounts, asking if i want to accept certificates i've manually accepted many times before. i've tried the approach suggested in comment 4, above, but it didn't work.
(Being able to manually clear all questions in the qlist with a single command, e.g. 'qlist clear', would at least help me work around the issue ....)
comment:8 Changed at 2013-12-07T12:09:28Z by
Understood, but the libpurple module is only somewhat supported. I'll need someone to figure out why this is broken to begin with, I'm trying to keep my hands off that code myself.
comment:9 follow-up: 10 Changed at 2014-02-28T14:34:02Z by
This is still the worst part about using bitlbee for me.
comment:10 Changed at 2014-04-06T17:08:15Z by
Replying to anonymous:
> This is still the worst part about using bitlbee for me.
Bump. The fly in the ointment.
comment:11 Changed at 2014-05-16T21:27:22Z by
1) If you know the Lync server you're connecting to, you should be able to pull the cert down using your browser and then save it. Cert files are just plain text.
2) The latest bitlbee accepts the cert if you stick it in the user specific folder, but not if you leave it in the global folder only. On Arch this is: /var/lib/bitlbee/purple/USERNAME/certificates/x509/tls_peers
comment:12 Changed at 2014-06-02T18:26:25Z by
Hah, that worked ... i.e.
$ sudo mkdir -p /var/lib/bitlbee/purple/$USER/certificates/x509/tls_peers
$ sudo cp ~/.purple/certificates/x509/tls_peers/* /var/lib/bitlbee/purple/$USER/certificates/x509/tls_peers
$ sudo chown bitlbee:bitlbee /var/lib/bitlbee/purple/$USER/certificates
(captcha attempt #5, new private tab)
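The per-user workaround from comments 11 and 12, as an added example that is not part of the original comments or of BitlBee: it copies a certificate into the user's `tls_peers` directory only after its SHA-256 fingerprint matches a value you obtained out of band, and fixes ownership recursively. The function names, the fingerprint argument and the choice of the server hostname as the file name are assumptions of this example; it requires the `openssl` command.

```shell
#!/bin/sh
# Added example: pin one TLS peer certificate for a single BitlBee/libpurple
# user, only if its SHA-256 fingerprint matches a value obtained out of band.
#
# usage: pin_peer_cert BASE USER HOST CERT_PEM EXPECTED_SHA256 [OWNER]
#   BASE   e.g. /var/lib/bitlbee/purple (path from the ticket)
#   HOST   file name under tls_peers (assumption: the server's hostname)
#   OWNER  optional user:group for chown -R, e.g. bitlbee:bitlbee

# Normalise "aa:bb:.." or "AABB.." to upper-case hex without separators.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the certificate's SHA-256 fingerprint; fail if the file does not parse.
cert_fp() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    norm_fp "${out#*=}"
}

pin_peer_cert() {
    base=$1 user=$2 host=$3 cert=$4 want=$5 owner=${6:-}
    # Refuse names that could escape the per-user directory.
    for n in "$user" "$host"; do
        case $n in ''|.|..|*/*) echo "bad name: '$n'" >&2; return 2 ;; esac
    done
    actual=$(cert_fp "$cert") || { echo "cannot parse $cert" >&2; return 3; }
    if [ "$actual" != "$(norm_fp "$want")" ]; then
        echo "fingerprint mismatch, not pinning $host" >&2
        return 4
    fi
    dir=$base/$user/certificates/x509/tls_peers
    # Create the tree and the copy with owner-only permissions.
    ( umask 077 && mkdir -p "$dir" && cp -- "$cert" "$dir/$host" ) || return 5
    # Recursive, so x509/ and tls_peers/ do not stay owned by root.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$base/$user/certificates" || return 6
    fi
    printf '%s\n' "$dir/$host"
}
```

Run as root with the owner argument, for example `pin_peer_cert /var/lib/bitlbee/purple USERNAME xmppserver cert.pem "<fingerprint>" bitlbee:bitlbee`, then restart bitlbee as described in comment 4.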
comment:13 Changed at 2015-11-26T05:25:32Z by
Resolution: | → fixed |
---|---|
Status: | new → closed |
This looks like libpurple. I'm not sure why this state doesn't get saved but fixing it is not a priority.
Hopefully they're sane and just use some file in /etc/ssl/. In which case you just add your cert there and libpurple will be happy.