Feature #6174

Feature #5909: Pidgin should rely on the cached certificates

Test Pidgin SSL validation in Debian Jessie

Added by intrigeri over 6 years ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 07/19/2013
Due date:
% Done: 100%
Feature Branch:
Type of work: Test
Blueprint:
Starter: Yes
Affected tool: Instant Messaging

Description

In Tails 0.19, the certificate shipped for jabber.ccc.de has expired. Pidgin silently uses it and replaces it with the new one in the cache.

Is it still the case in Jessie?


Related issues

Related to Tails - Feature #6117: Audit Pidgin (Confirmed)

History

#1 Updated by intrigeri over 6 years ago

  • Subject changed from Test Pidgin's SSL validation in sid to Test Pidgin SSL validation in Debian unstable

See parent ticket for details of what should be tested, and what's the expected behavior.

#2 Updated by BitingBird about 6 years ago

  • Description updated (diff)

Copying the task description from the parent ticket, since this ticket is marked as easy :)

#3 Updated by BitingBird almost 6 years ago

  • Description updated (diff)

Clarifying task

#4 Updated by intrigeri over 5 years ago

  • Category set to 213

#5 Updated by BitingBird about 5 years ago

#6 Updated by BitingBird almost 5 years ago

  • Description updated (diff)

#7 Updated by BitingBird almost 5 years ago

Should this be a hole in the roof? It's been high for a year...

#8 Updated by intrigeri almost 5 years ago

> Should this be a hole in the roof?

Yes, perhaps. Note that anyone running current testing/sid (e.g. Jessie) can take care of it, no need to do it in Tails itself.

#9 Updated by BitingBird over 4 years ago

  • Subject changed from Test Pidgin SSL validation in Debian unstable to Test Pidgin SSL validation in Debian Jessie
  • Target version set to Hole in the Roof

Correcting description (Jessie is not unstable anymore) + hole in the roof

#10 Updated by sajolida over 4 years ago

  • Assignee set to sajolida

#11 Updated by sajolida about 4 years ago

  • Assignee deleted (sajolida)

Actually, I'm not sure how to do this.

#12 Updated by intrigeri about 4 years ago

  • Assignee set to sajolida

> Actually, I'm not sure how to do this.

  1. start Tails
  2. put an expired certificate for $server in ~/.purple/certificates/x509/tls_peers/, e.g. taking those we removed in d2e0f312638e25e1c6b7a7fc2feccfbe0d6ca8da ; take note of the checksums of this certificate
  3. start Pidgin
  4. configure an account connecting to $server, enable it
  5. report back what happens: any certificate-related warning?
  6. check if files changed in ~/.purple/certificates/x509/tls_peers/, report back about it
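
A small helper for steps 2 and 6 of the procedure above (added example, not part of this ticket or of Tails' own tooling): it snapshots the checksums of everything in Pidgin's tls_peers cache before the connection, tells you whether the planted certificate really is expired, and lists which cached files changed afterwards. The directory default and the snapshot file names are assumptions; `openssl` and `sha256sum` are expected to be installed.

```shell
#!/bin/sh
# Helper for the Pidgin certificate-cache test: take note of the cached peer
# certificates, check expiry of the planted one, and report what changed.
# Added example, not Tails' own tooling; paths and file names are assumptions.
set -eu

# Default location libpurple uses for pinned peer certificates (assumption).
TLS_PEERS="${TLS_PEERS:-${HOME:-.}/.purple/certificates/x509/tls_peers}"

# Step 2: write "sha256  filename" for every cached certificate in DIR to OUT.
snapshot_tls_peers() {
    dir="$1"; out="$2"
    ( cd "$dir" && for f in *; do
          if [ -f "$f" ]; then sha256sum "$f"; fi
      done ) > "$out"
}

# Return 0 if CERT expires within SECS seconds (SECS=0: already expired).
# openssl exits non-zero from -checkend when the certificate will expire in
# that window, so the result is negated.
cert_expires_within() {
    cert="$1"; secs="${2:-0}"
    ! openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null 2>&1
}

# Step 6: print names of files whose checksum differs between two snapshots
# (covers modified, added and removed entries).
changed_since_snapshot() {
    before="$1"; after="$2"
    sort "$before" "$after" | uniq -u | awk '{print $2}' | sort -u
}

# Typical run, with the manual steps from the ticket in between:
#   snapshot_tls_peers "$TLS_PEERS" /tmp/peers.before
#   cert_expires_within "$TLS_PEERS/jabber.ccc.de" 0 && echo "planted cert has expired"
#   ... start Pidgin, enable the account, note any certificate warning ...
#   snapshot_tls_peers "$TLS_PEERS" /tmp/peers.after
#   changed_since_snapshot /tmp/peers.before /tmp/peers.after
```

An empty result from the last command means Pidgin kept the planted certificate; a listed name means the cache entry was rewritten, which is the silent replacement the parent ticket is about.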

#13 Updated by spriver almost 4 years ago

intrigeri wrote:

> Actually, I'm not sure how to do this.
>
>   1. start Tails
>   2. put an expired certificate for $server in ~/.purple/certificates/x509/tls_peers/, e.g. taking those we removed in d2e0f312638e25e1c6b7a7fc2feccfbe0d6ca8da ; take note of the checksums of this certificate
>   3. start Pidgin
>   4. configure an account connecting to $server, enable it
>   5. report back what happens: any certificate-related warning?
>   6. check if files changed in ~/.purple/certificates/x509/tls_peers/, report back about it

Using an old certificate for jabber.ccc.de, I'm getting a certificate error from Pidgin (resp. asking if I want to accept it because it could not be validated, and that it can be accepted, rejected, or the certificate can be shown). Accepting it anyway will successfully connect to the server; afterwards the up-to-date and right certificate is available in the certificate folder.

#14 Updated by sajolida almost 4 years ago

  • Assignee changed from sajolida to intrigeri
  • QA Check set to Info Needed

I did the test with irc.indymedia.org on Tails 2.2.1:

  1. I checked out d9cbdfc.
  2. I copied config/chroot_local-includes/etc/skel/.purple/certificates/x509/tls_peers/irc.indymedia.org onto ~/.purple/certificates/x509/tls_peers/irc.indymedia.org.
  3. I checked with vimdiff that the contents were the same.
  4. I started Pidgin and connected to #riseup on irc.indymedia.org. This went through without any warning or notification whatsoever.
  5. I checked with vimdiff the difference between config/chroot_local-includes/etc/skel/.purple/certificates/x509/tls_peers/irc.indymedia.org and ~/.purple/certificates/x509/tls_peers/irc.indymedia.org and saw that they were completely different.

So yes, Pidgin silently updated the SSL certificate.

I'll let you interpret this and I'm lost after that...

#15 Updated by intrigeri almost 4 years ago

  • Status changed from Confirmed to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 0 to 100
  • QA Check changed from Info Needed to Pass

So, apparently Pidgin will sometimes ask the user what to do about a certificate change, and sometimes it won't. It might be that the XMPP plugin does more validation than the IRC one; I've not looked further. Anyway, this confirms that the problem the parent ticket is about still exists.

#16 Updated by BitingBird almost 4 years ago

  • Target version deleted (Hole in the Roof)

It's resolved, so I remove the "Hole in the Roof" target version :)

#17 Updated by intrigeri over 1 year ago

  • Priority changed from High to Normal
