Bug 509942 - Unable to connect to MSN with Pidgin 2.5.8-1.fc11
Product: Fedora
Classification: Fedora
Component: pidgin
All Linux
low Severity high
Assigned To: Warren Togami
Fedora Extras Quality Assurance
: Reopened
Reported: 2009-07-06 22:28 EDT by scoobydooxp
Modified: 2009-11-09 22:36 EST
Fixed In Version: 2.5.8-2.fc11
Doc Type: Bug Fix
Last Closed: 2009-11-09 22:36:34 EST
Description scoobydooxp 2009-07-06 22:28:59 EDT
Description of problem:
Unable to connect to MSN with Pidgin 3.5.8-1.fc11

Version-Release number of selected component (if applicable):

How reproducible:
Set up an account that uses MSN

Steps to Reproduce:
1. Create Account in Pidgin that uses MSN as the protocol
2. Attempt to connect
Actual results:
The following error pops up:
Invalid certificate authority signature - The certificate chain presented by login.live.com does not have a valid digital signature from the Certificate Authority from which it claims to have a signature.

Expected results:
It should connect without the error.

Additional info:
No problems connecting using the MSN protocol with Pidgin 3.5.8 in other flavors of Linux or Windows. #Pidgin IRC seems to think this is a Fedora-only issue, as they have not heard of this before Fedora 11.
Comment 1 Stu Tomlinson 2009-07-10 12:48:45 EDT
This is due to latest NSS disabling weak hash algorithms in signatures by default.

<darkrain42> nosnilmot: FYI, the nss in Fedora 11 fails to validate the root CA that MSN is signed by because that CA is self-signed using MD2 as the hash.
<nosnilmot> darkrain42: interesting - NSS in Fedora doesn't support MD2 ?
<darkrain42> NSS 3.12.3 (the most recent *point release*) removes it: http://www.mozilla.org/projects/security/pki/nss/nss-3.12.3/nss-3.12.3-release-notes.html (look for NSS_ALLOW_WEAK_SIGNATURE_ALG).

A temporary workaround you should be able to use would be to set the environment variable "NSS_ALLOW_WEAK_SIGNATURE_ALG" to any non-empty string before launching Pidgin.
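
The following is an added example, not part of the original bug thread and not Pidgin or NSS code. It reads the outer signature algorithm of each PEM certificate in a CA directory, such as the /usr/share/purple/ca-certs directory mentioned in Comment 8, and reports the ones signed with MD2, the case described in Comment 1. Assumptions: one certificate per *.pem file; also flagging MD4 and MD5 is this example's own choice; constructed_pem builds a constructed DER skeleton for testing, not a real certificate.

```python
import base64
from pathlib import Path

# RSA signature OIDs with weak hashes; MD2 is the case named in Comment 1.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    subids, val = [], 0
    for b in body:  # base-128 digits; a set high bit means more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids, val = subids + [val], 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_oid(pem_text):
    """OID of the outer signatureAlgorithm field of one PEM certificate."""
    der = base64.b64decode("".join(l for l in pem_text.splitlines() if "-----" not in l))
    tag, start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    return decode_oid(der[oid_start:oid_end])

def weak_certs(ca_dir):
    """Map file name -> weak algorithm for each *.pem file in ca_dir."""
    oids = {p.name: signature_oid(p.read_text()) for p in Path(ca_dir).glob("*.pem")}
    return {n: WEAK_SIG_OIDS[o] for n, o in oids.items() if o in WEAK_SIG_OIDS}

def constructed_pem(last_arc):
    """Constructed sample: DER skeleton in Certificate layout, not a real cert."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short lengths only
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])  # 1.2.840.113549.1.1.x
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Calling weak_certs("/usr/share/purple/ca-certs") returns a dict of file names to weak algorithm names; an empty dict means no certificate in that directory carries an MD2, MD4 or MD5 signature.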
Comment 2 Warren Togami 2009-07-11 19:10:10 EDT
How is MSN still working on my Fedora 11 x86_64 system?
Comment 3 Stu Tomlinson 2009-07-12 12:58:16 EDT
(In reply to comment #2)
> How is MSN still working on my Fedora 11 x86_64 system?  

Your Pidgin probably cached the verified certificate for login.live.com when using an earlier version of NSS (~/.purple/certificates/x509/tls_peers/login.live.com), so does not need to verify the whole chain.
Comment 4 Fedora Update System 2009-07-12 13:42:43 EDT
pidgin-2.5.8-2.fc11 has been submitted as an update for Fedora 11.
Comment 5 scoobydooxp 2009-07-12 20:03:58 EDT
pidgin-2.5.8-2.fc11 works perfectly. Thank you!
Comment 6 Fedora Update System 2009-07-16 03:32:37 EDT
pidgin-2.5.8-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update pidgin'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7679
Comment 7 Fedora Update System 2009-07-22 17:49:51 EDT
pidgin-2.5.8-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Pekka Savola 2009-07-27 05:43:19 EDT
For some reason, this was not enough for me; I was having the same error.  I had to install the two certificates from http://developer.pidgin.im/ticket/9682 and put them in /usr/share/purple/ca-certs/.  I'm reopening, but feel free to close again if I'm completely off-track.
Comment 9 Warren Togami 2009-11-09 15:17:07 EST
Still an issue with pidgin-2.6.3?
Comment 10 Pekka Savola 2009-11-09 15:35:42 EST
I suppose not: all files I currently have in /usr/share/purple/ca-certs are owned by libpurple package, and MSN works fine.
