Feature #6174

Test Pidgin SSL validation in Debian Jessie

Added by intrigeri 2013-07-19 09:35:37. Updated 2018-08-19 09:48:03.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2013-07-19
Due date:
% Done:

100%

Feature Branch:
Type of work:
Test
Blueprint:

Starter:
1
Affected tool:
Instant Messaging
Deliverable for:

Description

In Tails 0.19, the certificate shipped for jabber.ccc.de has expired. Pidgin silently uses it and replaces it with the new one in the cache.

Is it still the case in Jessie?


Subtasks


Related issues

Related to Tails - Feature #6117: Audit Pidgin Confirmed

History

#1 Updated by intrigeri 2013-10-04 05:21:24

  • Subject changed from Test Pidgin's SSL validation in sid to Test Pidgin SSL validation in Debian unstable

See parent ticket for details of what should be tested, and what’s the expected behavior.

#2 Updated by BitingBird 2014-03-24 04:23:15

  • Description updated

Copying the task description from the parent ticket, since this ticket is marked as easy :)

#3 Updated by BitingBird 2014-06-20 13:22:27

  • Description updated

Clarifying task

#4 Updated by intrigeri 2014-08-12 13:54:26

  • Category set to 213

#5 Updated by BitingBird 2015-01-04 03:48:41

#6 Updated by BitingBird 2015-04-10 14:36:20

  • Description updated

#7 Updated by BitingBird 2015-04-10 14:37:07

Should this be a hole in the roof? It’s been high for a year…

#8 Updated by intrigeri 2015-04-11 09:54:06

> Should this be a hole in the roof?

Yes, perhaps. Note that anyone running current testing/sid (e.g. Jessie) can take care of it, no need to do it in Tails itself.

#9 Updated by BitingBird 2015-08-25 13:47:03

  • Subject changed from Test Pidgin SSL validation in Debian unstable to Test Pidgin SSL validation in Debian Jessie
  • Target version set to Hole in the Roof

Correcting description (Jessie is not unstable anymore) + hole in the roof

#10 Updated by sajolida 2015-11-03 12:09:24

  • Assignee set to sajolida

#11 Updated by sajolida 2016-02-01 11:24:04

  • Assignee deleted (sajolida)

Actually, I’m not sure how to do this.

#12 Updated by intrigeri 2016-02-02 12:55:50

  • Assignee set to sajolida

> Actually, I’m not sure how to do this.

  1. start Tails
  2. put an expired certificate for $server in ~/.purple/certificates/x509/tls_peers/, e.g. taking those we removed in commit:d2e0f312638e25e1c6b7a7fc2feccfbe0d6ca8da; take note of the checksums of this certificate
  3. start Pidgin
  4. configure an account connecting to $server, enable it
  5. report back what happens: any certificate-related warning?
  6. check if files changed in ~/.purple/certificates/x509/tls_peers/, report back about it
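
A small POSIX shell helper for steps 2 and 6 of that procedure, added here as an example and not taken from the ticket or from Tails: it records a checksum of every file in Pidgin's tls_peers cache before the connection and reports what Pidgin added, removed or replaced afterwards. It assumes sha256sum, cmp and diff are available (openssl only for the expiry check); PURPLE_TLS_PEERS is a hypothetical override for the cache path.

```shell
#!/bin/sh
# Added example (not from the ticket or from Tails): snapshot Pidgin's per-peer
# certificate cache before connecting and report what changed afterwards.
# Assumes sha256sum, cmp, diff; the expiry check additionally needs openssl.
# PURPLE_TLS_PEERS is a hypothetical override for the cache directory.
TLS_PEERS="${PURPLE_TLS_PEERS:-$HOME/.purple/certificates/x509/tls_peers}"

# snapshot_certs DIR OUT: write "sha256  filename" for every file in DIR to OUT
# (step 2: note the checksums of the planted certificate).
snapshot_certs() {
    dir="$1"; out="$2"
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "${f##*/}" >> "$out"
    done
}

# compare_snapshots BEFORE AFTER: 0 if the cache is byte-for-byte unchanged,
# 1 if Pidgin added, removed or replaced a cached certificate (step 6).
compare_snapshots() {
    if cmp -s "$1" "$2"; then
        echo "tls_peers cache unchanged"
        return 0
    fi
    echo "tls_peers cache CHANGED:"
    diff "$1" "$2" | sed -n 's/^< /  before: /p; s/^> /  after:  /p'
    return 1
}

# cert_expired FILE: 0 if the PEM certificate's notAfter is already in the past
# (or the file is not a parsable certificate); 2 if openssl is missing.
cert_expired() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Interactive driver: run with PIDGIN_CERT_CHECK=run after planting the expired
# certificate, then start Pidgin and connect while the script waits.
run_check() {
    for c in "$TLS_PEERS"/*; do
        [ -f "$c" ] && cert_expired "$c" && echo "planted expired cert: ${c##*/}"
    done
    snapshot_certs "$TLS_PEERS" "${TMPDIR:-/tmp}/tls_peers.before"
    printf 'Start Pidgin, enable the account, note any warning, then press Enter: '
    read -r dummy
    snapshot_certs "$TLS_PEERS" "${TMPDIR:-/tmp}/tls_peers.after"
    compare_snapshots "${TMPDIR:-/tmp}/tls_peers.before" "${TMPDIR:-/tmp}/tls_peers.after"
}
[ "${PIDGIN_CERT_CHECK:-}" = run ] && run_check
```

A cache that changed without Pidgin showing a warning is the silent replacement the parent ticket describes; a changed cache after an explicit accept is the expected behaviour.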

#13 Updated by spriver 2016-04-04 20:23:20

intrigeri wrote:
> > Actually, I’m not sure how to do this.
>
> 1. start Tails
> 2. put an expired certificate for $server in ~/.purple/certificates/x509/tls_peers/, e.g. taking those we removed in commit:d2e0f312638e25e1c6b7a7fc2feccfbe0d6ca8da; take note of the checksums of this certificate
> 3. start Pidgin
> 4. configure an account connecting to $server, enable it
> 5. report back what happens: any certificate-related warning?
> 6. check if files changed in ~/.purple/certificates/x509/tls_peers/, report back about it

Using an old certificate for jabber.ccc.de I’m getting a certificate error from Pidgin (i.e. it asks whether I want to accept it, because it could not be validated; it can be accepted, rejected, or the certificate can be shown). Accepting it anyway will successfully connect to the server; afterwards the up-to-date and correct certificate is available in the certificate folder.

#14 Updated by sajolida 2016-04-25 11:53:02

  • Assignee changed from sajolida to intrigeri
  • QA Check set to Info Needed

I did the test with irc.indymedia.org on Tails 2.2.1:

  1. I checked out d9cbdfc.
  2. I copied config/chroot_local-includes/etc/skel/.purple/certificates/x509/tls_peers/irc.indymedia.org onto ~/.purple/certificates/x509/tls_peers/irc.indymedia.org.
  3. I checked with vimdiff that the contents were the same.
  4. I started Pidgin and connected to #riseup on irc.indymedia.org. This went through without any warning or notification whatsoever.
  5. I checked with vimdiff the difference between config/chroot_local-includes/etc/skel/.purple/certificates/x509/tls_peers/irc.indymedia.org and ~/.purple/certificates/x509/tls_peers/irc.indymedia.org and saw that they were completely different.

So yes, Pidgin silently updated the SSL certificate.

I’ll let you interpret this and I’m lost after that…

#15 Updated by intrigeri 2016-04-29 02:45:32

  • Status changed from Confirmed to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 0 to 100
  • QA Check changed from Info Needed to Pass

So, apparently Pidgin will sometimes ask the user what to do about a certificate change, and sometimes it won’t. It might be that the XMPP plugin does more validation than the IRC one; I’ve not looked further. Anyway, this confirms that the problem the parent ticket is about still exists.

#16 Updated by BitingBird 2016-06-29 05:27:49

  • Target version deleted (Hole in the Roof)

It’s resolved, so I remove the “Hole in the Roof” target version :)

#17 Updated by intrigeri 2018-08-19 09:48:03

  • Priority changed from High to Normal