Bug 509942 - Unable to connect to MSN with Pidgin 2.5.8-1.fc11
Summary: Unable to connect to MSN with Pidgin 2.5.8-1.fc11
Alias: None
Product: Fedora
Classification: Fedora
Component: pidgin
Version: 11
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Warren Togami
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2009-07-07 02:28 UTC by scoobydooxp
Modified: 2009-11-10 03:36 UTC (History)
3 users (show)

Fixed In Version: 2.5.8-2.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-11-10 03:36:34 UTC

Attachments (Terms of Use)

Description scoobydooxp 2009-07-07 02:28:59 UTC
Description of problem:
Unable to connect to MSN with Pidgin 3.5.8-1.fc11

Version-Release number of selected component (if applicable):

How reproducible:
Setup an account that uses MSN

Steps to Reproduce:
1. Create Account in Pidgin that uses MSN as the protocol
2. Attempt to connect
Actual results:
The following error pops up:
Invalid certificate authority signature - The certificate chain presented by login.live.com does not have a valid digital signature from the Certificate Authority from which it claims to have a signature.

Expected results:
It should connect without the error.

Additional info:
No problems connecting using the MSN protocol with Pidgin 3.5.8 in other flavors of Linux or Windows. #Pidgin IRC seems to think this is a Fedora only issue as they have not heard of this before Fedora 11.

Comment 1 Stu Tomlinson 2009-07-10 16:48:45 UTC
This is due to latest NSS disabling weak hash algorithms in signatures by default.

<darkrain42> nosnilmot: FYI, the nss in Fedora 11 fails to validate the root CA that MSN is signed by because that CA is self-signed using MD2 as the hash.
<nosnilmot> darkrain42: interesting - NSS in Fedora doesn't support MD2 ?
<darkrain42> NSS 3.12.3 (the most recent *point release*) removes it: http://www.mozilla.org/projects/security/pki/nss/nss-3.12.3/nss-3.12.3-release-notes.html (look for NSS_ALLOW_WEAK_SIGNATURE_ALG).

A temporary workaround you should be able to use would be to set the environment variable "NSS_ALLOW_WEAK_SIGNATURE_ALG" to any non-empty string before launching Pidgin.

Comment 2 Warren Togami 2009-07-11 23:10:10 UTC
How is MSN still working on my Fedora 11 x86_64 system?

Comment 3 Stu Tomlinson 2009-07-12 16:58:16 UTC
(In reply to comment #2)
> How is MSN still working on my Fedora 11 x86_64 system?  

Your Pidgin probably cached the verified certificate for login.live.com when using an earlier version of NSS (~/.purple/certificates/x509/tls_peers/login.live.com), so does not need to verify the whole chain.

Comment 4 Fedora Update System 2009-07-12 17:42:43 UTC
pidgin-2.5.8-2.fc11 has been submitted as an update for Fedora 11.

Comment 5 scoobydooxp 2009-07-13 00:03:58 UTC
pidgin-2.5.8-2.fc11 works perfectly. Thank you!

Comment 6 Fedora Update System 2009-07-16 07:32:37 UTC
pidgin-2.5.8-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pidgin'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7679

Comment 7 Fedora Update System 2009-07-22 21:49:51 UTC
pidgin-2.5.8-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Pekka Savola 2009-07-27 09:43:19 UTC
For some reason, this was not enough for me; I was having the same error.  I had to install the two certificates from http://developer.pidgin.im/ticket/9682 and put them in /usr/share/purple/ca-certs/.  I'm reopening, but feel free to close again if I'm completely off-track.

Comment 9 Warren Togami 2009-11-09 20:17:07 UTC
Still an issue with pidgin-2.6.3?

Comment 10 Pekka Savola 2009-11-09 20:35:42 UTC
I suppose not: all files I currently have in /usr/share/purple/ca-certs are owned by libpurple package, and MSN works fine.

Note You need to log in before you can comment on or make changes to this bug.