How can I make Pidgin always accept an expired certificate?


8

My workplace uses a local XMPP server (Wildfire, now called Openfire). When I use the Pidgin client, it always asks me whether it should accept the invalid (expired) certificate.


I want Pidgin to always accept it without asking me. How can I do this without installing a new certificate on the XMPP server?

I tried importing the certificate into my personal store and into the trusted root store, but I still get the same prompt. The certificate is also stored in %APPDATA%\.purple\certificates\x509\tls_peers, but I still get the prompt.

Here is the debug log after connecting:

Pidgin Debug Log : 10/4/2016 12:05:16 PM
(12:05:05) account: Connecting to account example@192.168.1.21/.
(12:05:05) connection: Connecting. gc = 04528D78
(12:05:05) dnssrv: querying SRV record for 192.168.1.21: _xmpp-client._tcp.192.168.1.21
(12:05:05) dnssrv: Couldn't look up SRV record. The filename, directory name, or volume label syntax is incorrect. (123).
(12:05:05) dnsquery: Performing DNS lookup for 192.168.1.21
(12:05:05) dnsquery: IP resolved for 192.168.1.21
(12:05:05) proxy: Attempting connection to 192.168.1.21
(12:05:05) proxy: Connecting to 192.168.1.21:5222 with no proxy
(12:05:05) proxy: Connection in progress
(12:05:05) proxy: Connecting to 192.168.1.21:5222.
(12:05:05) proxy: Connected to 192.168.1.21:5222.
(12:05:05) jabber: Sending (example@192.168.1.21): <?xml version='1.0' ?>
(12:05:05) jabber: Sending (example@192.168.1.21): <stream:stream to='192.168.1.21' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(12:05:05) jabber: Recv (579): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="192.168.1.21" id="da08260e" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
(12:05:05) jabber: Sending (example@192.168.1.21): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(12:05:05) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(12:05:05) nss: SSL version 3.1 using 128-bit AES with 160-bit SHA1 MAC
Server Auth: 2048-bit RSA, Key Exchange: 1024-bit DHE, Compression: NULL
Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
(12:05:05) nss: subject=CN=Unknown,OU=Unknown,O=REDACTED,L=REDACTED,ST=REDACTED,C=US issuer=CN=Unknown,OU=Unknown,O=REDACTED,L=REDACTED,ST=REDACTED,C=US
(12:05:05) certificate/x509/tls_cached: Starting verify for 192.168.1.21
(12:05:05) certificate/x509/tls_cached: Certificate 192.168.1.21 expired at Mon Aug 29 09:54:35 2016

(12:05:05) certificate/x509/tls_cached: Checking for cached cert...
(12:05:05) certificate/x509/tls_cached: ...Found cached cert
(12:05:05) nss/x509: Loading certificate from C:\Users\example\AppData\Roaming\.purple\certificates\x509\tls_peers\192.168.1.21
(12:05:05) certificate/x509/tls_cached: Peer cert matched cached
(12:05:07) util: Writing file accounts.xml to directory C:\Users\example\AppData\Roaming\.purple
(12:05:07) util: Writing file C:\Users\example\AppData\Roaming\.purple\accounts.xml
(12:05:07) util: Writing file blist.xml to directory C:\Users\example\AppData\Roaming\.purple
(12:05:07) util: Writing file C:\Users\example\AppData\Roaming\.purple\blist.xml
(12:05:07) certificate/x509/tls_cached: User ACCEPTED cert
Caching first in chain for future use as 192.168.1.21...
(12:05:07) nss/x509: Exporting certificate to C:\Users\example\AppData\Roaming\.purple\certificates\x509\tls_peers\192.168.1.21
(12:05:07) util: Writing file C:\Users\example\AppData\Roaming\.purple\certificates\x509\tls_peers\192.168.1.21
(12:05:07) nss: Trusting CN=Unknown,OU=Unknown,O=REDACTED,L=REDACTED,ST=REDACTED,C=US
(12:05:07) certificate: Successfully verified certificate for 192.168.1.21

Have you tried viewing the certificate and installing it into the Windows certificate store?
Evan Darwin

Yes, but Pidgin throws the same error message.

2
Open the Debug Window (Help -> Debug Window), connect to the server and choose Accept in the certificate dialog. There may be some certificate-related messages in the Debug window. You can attach the log to the original question. The accepted certificate should be stored in %APPDATA%\.purple\certificates\x509\tls_peers. Check whether there is a file there with the same name as the server.
ge0rdi

1
I have bad news. I was looking at Pidgin's source code (your log was very helpful for locating the code flow), and it seems that for expired (or not-yet-valid) certificates it will always prompt you. All other certificate errors are not reported once the certificate has been accepted. I suggest reporting this issue to the Pidgin developers here.
ge0rdi

1
Actually, the expired-certificate issue has been reported in the Pidgin ticket system. The usual answer is that the server's certificate must be fixed.
ge0rdi

Answers:


7

Unfortunately, it is not possible to permanently accept an expired certificate (at least not in the current latest version of Pidgin, 2.11.0).

There are many reports about this in the official Pidgin issue tracker. The usual answer is that the server's certificate must be fixed.

This can also be confirmed in the Pidgin source:
Certificate verification starts in x509_tls_cached_start_verify. For an expired certificate, the PURPLE_CERTIFICATE_EXPIRED flag is set.
If the certificate is found in the cache, x509_tls_cached_cert_in_cache is called. It checks that the fingerprint of the actual certificate matches the one in the cache, and then calls x509_tls_cached_complete.
This function does one of the following:

  • Notifies the user that the certificate is invalid (if there is a fatal certificate problem)
  • Lets the user decide whether to accept/reject the certificate (if there is a non-fatal problem; an expired certificate falls into this case)
  • Proceeds without any prompt if there is no problem with the certificate

There is no way to skip the warning about an expired certificate (other than fixing the certificate itself).
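The verification flow described in this answer, modelled as an added Python example. This is not Pidgin's code: the flag names are borrowed from libpurple's PurpleCertificateInvalidityFlags, but Problem, Verdict, verify() and the other names are this example's own, the DER blobs and dates are constructed, and which problems count as fatal is an assumption (the page does not list them). It shows why a cached, fingerprint-matching certificate still prompts when it is expired: the validity-window check runs before the cache lookup and its result is carried into the final decision, while the cache match only skips the chain and name checks.

```python
"""Model of how libpurple's tls_cached verifier (Pidgin 2.x) decides whether to
prompt. Added illustration, not Pidgin's code: the flow follows the answer above;
the DER blobs, dates and the fatal set are constructed assumptions."""
import hashlib
from datetime import datetime, timezone
from enum import Enum, Flag, auto
from typing import Optional, Tuple


class Problem(Flag):
    """Names borrowed from libpurple's PurpleCertificateInvalidityFlags."""
    NONE = 0
    NOT_ACTIVATED = auto()   # notBefore is still in the future
    EXPIRED = auto()         # notAfter is already in the past
    NAME_MISMATCH = auto()   # certificate not issued for the host we dialled
    INVALID_CHAIN = auto()   # no path to a trusted CA (self-signed, unknown issuer)
    REVOKED = auto()


class Verdict(Enum):
    ACCEPT = "accept silently"
    PROMPT = "ask the user"
    REJECT = "refuse and notify"


# Assumption: only revocation is fatal in this model. libpurple has its own
# fatals mask and the page does not list its members.
FATALS = Problem.REVOKED


def fingerprint_sha1(der: bytes) -> str:
    """tls_peers/<host> is matched against the peer by SHA-1 over the DER cert."""
    return hashlib.sha1(der).hexdigest()


def time_problems(not_before: datetime, not_after: datetime, now: datetime) -> Problem:
    """Validity-window check. In the log this is the 'expired at ...' line,
    and it is emitted before 'Checking for cached cert...'."""
    if now < not_before:
        return Problem.NOT_ACTIVATED
    if now > not_after:
        return Problem.EXPIRED
    return Problem.NONE


def complete(flags: Problem) -> Verdict:
    """The three-way decision the answer attributes to x509_tls_cached_complete."""
    if flags & FATALS:
        return Verdict.REJECT
    if flags:
        return Verdict.PROMPT
    return Verdict.ACCEPT


def verify(peer_der: bytes, cached_der: Optional[bytes], not_before: datetime,
           not_after: datetime, now: datetime,
           unknown_peer_problems: Problem = Problem.NONE) -> Tuple[Verdict, Problem]:
    """time check -> cache lookup -> complete().

    unknown_peer_problems stands in for the chain/name checks that only run when
    the peer is not pinned, or when the pinned fingerprint does not match."""
    flags = time_problems(not_before, not_after, now)

    if cached_der is not None and fingerprint_sha1(cached_der) == fingerprint_sha1(peer_der):
        # "Peer cert matched cached": chain and name issues are forgiven, but
        # whatever time_problems() returned is still in `flags`.
        return complete(flags), flags

    flags |= unknown_peer_problems
    return complete(flags), flags


# Constructed stand-ins for DER certificates and dates (not real X.509 data).
PEER_DER = b"\x30\x82\x01\x00 constructed Openfire leaf certificate"
NOW = datetime(2016, 10, 4, 12, 5, 5, tzinfo=timezone.utc)          # timestamp in the log
NOT_BEFORE = datetime(2015, 8, 29, 9, 54, 35, tzinfo=timezone.utc)  # assumed
NOT_AFTER = datetime(2016, 8, 29, 9, 54, 35, tzinfo=timezone.utc)   # 'expired at' in the log
IN_WINDOW = datetime(2016, 1, 1, tzinfo=timezone.utc)
SELF_SIGNED = Problem.INVALID_CHAIN | Problem.NAME_MISMATCH  # CN=Unknown, no CA


def question_case() -> Tuple[Verdict, Problem]:
    """Pinned and matching, but expired: the prompt the question complains about."""
    return verify(PEER_DER, PEER_DER, NOT_BEFORE, NOT_AFTER, NOW, SELF_SIGNED)


def in_window_case() -> Tuple[Verdict, Problem]:
    """Same pinned certificate while still valid: no prompt at all."""
    return verify(PEER_DER, PEER_DER, NOT_BEFORE, NOT_AFTER, IN_WINDOW, SELF_SIGNED)


def swapped_case() -> Tuple[Verdict, Problem]:
    """Valid dates, but not the pinned certificate: full checks run, so a prompt."""
    return verify(b"a different certificate", PEER_DER, NOT_BEFORE, NOT_AFTER,
                  IN_WINDOW, Problem.INVALID_CHAIN)


if __name__ == "__main__":
    for name, case in (("question", question_case), ("in window", in_window_case),
                       ("swapped", swapped_case)):
        verdict, flags = case()
        print(f"{name:10s} -> {verdict.value:18s} ({flags})")
```

Running it, the question's case yields "ask the user" with only EXPIRED set, the same pinned certificate inside its validity window is accepted silently, and a different certificate presented under the pinned name prompts even with valid dates. That last case is what the tls_peers pin exists for, and it is why the cache match is deliberately not allowed to silence the expiry check.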


0

What @ge0rdi said is right, but you can try downloading the SSL certificate manually. Doing so will make Pidgin start without asking for permission :)

Use the following command:

# s_client prints the handshake; the second openssl call keeps only the server certificate, PEM-encoded, under the peer's name
~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER </dev/null | openssl x509 -outform PEM > YOUR_SERVER

If that fails, append -starttls xmpp to the command, like this:

# XMPP on port 5222 negotiates TLS inside the stream, so s_client has to speak STARTTLS first
~/.purple/certificates/x509/tls_peers$ openssl s_client -connect YOUR_SERVER:PORTNUMBER -starttls xmpp </dev/null | openssl x509 -outform PEM > YOUR_SERVER

Put the file in the following folder:

~/.purple/certificates/x509/tls_peers

Note! Make sure the file name is the server's DNS name.

Edit:

Guess who just noticed you are using a Windows machine... ~/ is the home directory for Linux users. According to this page, the Windows equivalent is %APPDATA%.


The certificate already exists, but Pidgin still asks me whether to accept it every time. That is in the question, and also in the comments.
Licensed under cc by-sa 3.0 with attribution required.