
I am getting the following error on Pidgin 2.10.10-3.fc20 (libpurple 2.10.10).

How can I force it to accept an invalid certificate?

(According to this bug report it should be capable).


Here's what I have done:

  • visited the domain in Firefox and exported the certificate
  • imported the certificate in Pidgin via Tools -> Certificates
  • imported the certificate in Seahorse (the GNOME keyring GUI)

8 Answers


As an alternative, you can download the SSL certificate by hand. Afterwards Pidgin starts without problems. To download the certificate you can use the openssl command line utility (redirecting stdin from /dev/null makes s_client exit after printing the certificate instead of waiting for input):

~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER -servername YOUR_SERVER </dev/null

When the above command fails with "no peer certificate available", the server probably uses STARTTLS instead of SSL. In this case use the following command:

~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER -servername YOUR_SERVER -starttls xmpp </dev/null

Now copy the part beginning with "-----BEGIN CERTIFICATE-----" up to and including "-----END CERTIFICATE-----". If you print the content of the certificate file it looks like the following:

~/.purple/certificates/x509/tls_peers$ cat jabber.ulm.ccc.de

-----BEGIN CERTIFICATE-----
MIIFXDCCA0QCCQCa5jxvwccm0DANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJE
RTEMMAoGA1UEBxMDVWxtMRUwEwYDVQQLEwxDQ0MgRXJmYSBVbG0xGjAYBgNVBAMT
EWphYmJlci51bG0uY2NjLmRlMSAwHgYJKoZIhvcNAQkBFhFqYWJiZXJAdWxtLmNj
...
3EIpMVk3V1djyj0FEuDaG/o+6BTLCiIMiIUFtbpVz8YZChHbv8ObMJ5JpUIkDfKZ
si1YZKpUYwpVXgTCUml67lArx/sq95OQsDSO3fR1Ch0=
-----END CERTIFICATE-----
Martin
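The procedure in the answer above as a script. This is an added example, not code from Martin's answer or from the Pidgin project. What it takes from the page is the cache location (~/.purple/certificates/x509/tls_peers) and the fact that each cached file is named after the host the account connects to, as the `cat jabber.ulm.ccc.de` listing shows; the function names, the `jabber.example.org` host and the sample s_client output are assumptions constructed for the example. It also adds the check a practitioner would want before trusting a hand-fetched self-signed certificate: the fetch itself happens over an unauthenticated connection, so the fingerprint should be compared with what the server operator publishes, because Pidgin will trust the cached file on every later connection.

```shell
#!/bin/sh
# Added example: the manual openssl procedure as a script.
# Pidgin's peer cache is ~/.purple/certificates/x509/tls_peers and each
# file is named after the host the account connects to; everything else
# here (function names, sample data) is an assumption for illustration.

# Keep only the first PEM certificate block from `openssl s_client`
# output, which is surrounded by handshake chatter (and, with -showcerts,
# followed by the rest of the chain, which the cache file must not contain).
extract_first_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { if (p) exit }'
}

# Fetch the server's leaf certificate. Pass "starttls" as the third
# argument for XMPP servers that upgrade a plain connection (the second
# command in the answer); the default is direct TLS on the given port.
fetch_cert() {  # host port [starttls]
    host=$1
    port=$2
    {
        if [ "${3:-}" = starttls ]; then
            openssl s_client -connect "$host:$port" -servername "$host" \
                -starttls xmpp </dev/null 2>/dev/null
        else
            openssl s_client -connect "$host:$port" -servername "$host" \
                </dev/null 2>/dev/null
        fi
    } | extract_first_cert
}

# Store the PEM block read on stdin as <cachedir>/<host>, the name Pidgin
# looks the peer up by. Fails, leaving no file behind, if the input
# contained no certificate (e.g. "no peer certificate available").
install_cert() {  # cachedir host
    dir=$1
    host=$2
    mkdir -p "$dir"
    extract_first_cert >"$dir/$host"
    if [ ! -s "$dir/$host" ]; then
        rm -f "$dir/$host"
        echo "install_cert: no certificate found in input for $host" >&2
        return 1
    fi
    printf '%s\n' "$dir/$host"
}

# fetch_cert trusts whatever the network returned, so compare this
# fingerprint with the one the server operator publishes before relying
# on the cached file: once cached, Pidgin accepts it on every connection.
fingerprint() {  # pemfile
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Constructed sample of s_client output (placeholder base64 body, not a
# real certificate) so the parsing can be exercised without a network.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = jabber.example.org
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = jabber.example.org
   i:CN = jabber.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBplaceholderLineOneOfAConstructedCertificateBody
MIIBplaceholderLineTwoOfAConstructedCertificateBody
-----END CERTIFICATE-----
subject=CN = jabber.example.org
issuer=CN = jabber.example.org
---
SSL handshake has read 1205 bytes and written 420 bytes
'

# Real use (not run here; requires network access):
#   fetch_cert jabber.example.org 5222 starttls \
#     | install_cert ~/.purple/certificates/x509/tls_peers jabber.example.org
#   fingerprint ~/.purple/certificates/x509/tls_peers/jabber.example.org
```

`install_cert` refuses to create an empty cache entry, which is the failure mode the answer mentions for servers that need `-starttls xmpp`; run `fingerprint` on the stored file and check the value out of band (the server operator's web page, an administrator) before connecting with Pidgin.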

Turns out there's a bug with certificates in Pidgin 2.10.10 (libpurple 2.10.10):

In version 2.10.10 it's no longer possible to connect to an XMPP server which uses a self-signed SSL certificate. The error message is: The certificate for could not be validated. The certificate chain presented is invalid.

The connection is possible if the server certificate is already in the local cache (.purple\certificates\x509\tls_peers). If the certificate is not cached yet (e.g. after a fresh windows/pidgin installation) the connection fails.

Upgrading to 2.10.11 fixes the issue. If you're using an older Ubuntu version like me, you can use the PPA (12.04, 14.04 and 14.10).


It seems to be important that the name you enter when importing the certificate via Tools -> Certificates matches the connect server in the XMPP account configuration. This is the only way I was able to get it to work for the same error.

Connect server and certificate hostname should match

Fabby
tobigue

Another workaround is to import the certificate under the name of the server given in the error, e.g. myserver.chat.com. For example:

  1. Open the Firefox browser and enter the URL https://myserver.chat.com; you'll get an error:

    Invalid certificate error

  2. Select the Advanced option, then Add Exception. A popup for the certificate will open.

  3. Then click Advanced -> Details -> Export

    Certificate Viewer

  4. Save the certificate somewhere

  5. Open Pidgin, go to Tools -> Certificates -> Add, and save the certificate under the same common name as in the error from the beginning.

Finally, try to reconnect.

Y Melo

Easy way:

  1. Close Pidgin.
  2. Find your certificates folder (Windows: %appdata%\.purple) (Linux: /home/<Username>/.purple/certificates/x509/tls_peers).
  3. Delete everything in the certificate folder.
  4. Restart Pidgin and eventually you should get a new certificate that works.

P.S.: Windows users who aren't familiar with %appdata%: just type %appdata%\.purple in your address bar and press Enter.

Nullpointer

You can use the Pidgin developers' PPA to resolve it. I installed the pidgin and libpurple packages from that source and it solved my problem with accessing Lync 2013 resources. Now it can automatically allow certificates (it shows a dialog to accept or reject an unknown certificate). Have you tried that? If you use 15.04 there is also a workaround: download a few packages and replace the old ones with the new ones. I tested it on 15.04 already; it works.

poleguy
user3417815

I was able to get around the certificate issue by manually replacing it with a saved copy a couple of times. It stopped working after that, and upgrading to 2.11 didn't seem to help.

If you build from source, one thing to try is to modify the source code in libpurple/certificates.c: move the PURPLE_CERTIFICATE_FATALS_MASK check under the PURPLE_CERTIFICATE_NON_FATALS_MASK check so that the user is prompted and the certificate is allowed if accepted. Probably not the safest thing to do, but it worked for me.


Force Pidgin to download new certificates:

rm ~/.purple/certificates/x509/tls_peers/*

Close and re-open Pidgin.

ls ~/.purple/certificates/x509/tls_peers/*

Now this should list newly downloaded certificates.

techraf
Binoy