Red Hat Bugzilla – Bug 509942
Unable to connect to MSN with Pidgin 2.5.8-1.fc11
Last modified: 2009-11-09 22:36:34 EST
Description of problem:
Unable to connect to MSN with Pidgin 3.5.8-1.fc11
Version-Release number of selected component (if applicable):
Set up an account that uses MSN
Steps to Reproduce:
1. Create Account in Pidgin that uses MSN as the protocol
2. Attempt to connect
The following error pops up:
Invalid certificate authority signature - The certificate chain presented by login.live.com does not have a valid digital signature from the Certificate Authority from which it claims to have a signature.
It should connect without the error.
No problems connecting using the MSN protocol with Pidgin 3.5.8 in other flavors of Linux or Windows. #Pidgin IRC seems to think this is a Fedora-only issue as they have not heard of this before Fedora 11.
This is due to latest NSS disabling weak hash algorithms in signatures by default.
<darkrain42> nosnilmot: FYI, the nss in Fedora 11 fails to validate the root CA that MSN is signed by because that CA is self-signed using MD2 as the hash.
<nosnilmot> darkrain42: interesting - NSS in Fedora doesn't support MD2 ?
<darkrain42> NSS 3.12.3 (the most recent *point release*) removes it: http://www.mozilla.org/projects/security/pki/nss/nss-3.12.3/nss-3.12.3-release-notes.html (look for NSS_ALLOW_WEAK_SIGNATURE_ALG).
A temporary workaround you should be able to use would be to set the environment variable "NSS_ALLOW_WEAK_SIGNATURE_ALG" to any non-empty string before launching Pidgin.
How is MSN still working on my Fedora 11 x86_64 system?
(In reply to comment #2)
> How is MSN still working on my Fedora 11 x86_64 system?
Your Pidgin probably cached the verified certificate for login.live.com when using an earlier version of NSS (~/.purple/certificates/x509/tls_peers/login.live.com), so does not need to verify the whole chain.
pidgin-2.5.8-2.fc11 has been submitted as an update for Fedora 11.
pidgin-2.5.8-2.fc11 works perfectly. Thank you!
pidgin-2.5.8-2.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update pidgin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7679
pidgin-2.5.8-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
For some reason, this was not enough for me; I was having the same error. I had to install the two certificates from http://developer.pidgin.im/ticket/9682 and put them in /usr/share/purple/ca-certs/. I'm reopening, but feel free to close again if I'm completely off-track.
Still an issue with pidgin-2.6.3?
I suppose not: all files I currently have in /usr/share/purple/ca-certs are owned by libpurple package, and MSN works fine.
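An added example, not from this bug report or from the Pidgin or NSS projects: a Python check that reads the outer signatureAlgorithm of a PEM or DER certificate and reports signatures built on MD2, MD4 or MD5, such as the MD2 self-signed root described above. It can be run over the files in /usr/share/purple/ca-certs/ or ~/.purple/certificates/x509/tls_peers/. The function names, the OID table and SAMPLE_MD2 (a constructed skeleton, not a real certificate) are assumptions of the example, and only the first certificate in each file is examined.

```python
import base64
import re
import sys

# PKCS #1 RSA signature OIDs built on weak hashes (MD2, MD4, MD5).
WEAK = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
        "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
# Constructed skeleton, not a real certificate: empty tbsCertificate, an
# md2WithRSAEncryption AlgorithmIdentifier and a one-byte dummy signature.
SAMPLE_MD2 = bytes.fromhex("30153000300d06092a864886f70d010102050003020000")
PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def weak_signature(data):
    """Return the weak signature algorithm name of a certificate, else None."""
    m = PEM.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    tag, start, _ = tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, _, tbs_end = tlv(der, start)              # skip over tbsCertificate
    alg_tag, alg_start, _ = tlv(der, tbs_end)    # signatureAlgorithm
    oid_tag, oid_start, oid_end = tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    return WEAK.get(decode_oid(der[oid_start:oid_end]))

if __name__ == "__main__":            # usage: script.py CERT_FILE [CERT_FILE ...]
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            print(name, weak_signature(fh.read()) or "ok")
```

A certificate reported here is one whose own signature uses a weak hash; for a self-signed root that is the signature the chain validator has to accept.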