EionRobb / pidgin-opensteamworks

Steam plugin for Pidgin/libpurple

Certificate problem #154

Closed hasufell closed 8 years ago

hasufell commented 8 years ago

I'm constantly getting this error and not just once. It makes the plugin unusable, because it pops up every now and then.

Unable to validate certificate

The certificate for steamcdn-a.akamaihd.net could not be validated.
The certificate chain presented is invalid.
xvitaly commented 8 years ago

It makes the plugin unusable, because it pops up every now and then.

Update your ca-certificates package.

hasufell commented 8 years ago

I already have 20160104, which is the latest afaics. https://packages.debian.org/search?keywords=ca-certificates&searchon=names&suite=all&section=all

xvitaly commented 8 years ago

I already have 20160104, which is the latest afaics

Open terminal and execute:

curl -v https://steamcdn-a.akamaihd.net/

Paste output here.

hasufell commented 8 years ago

$ curl -v https://steamcdn-a.akamaihd.net
* Rebuilt URL to: https://steamcdn-a.akamaihd.net/
*   Trying 109.193.192.195...
* TCP_NODELAY set
* Connected to steamcdn-a.akamaihd.net (109.193.192.195) port 443 (#0)
* mbedTLS: Connecting to steamcdn-a.akamaihd.net:443
* mbedTLS: Set min SSL version to TLS 1.0
* mbedTLS: Handshake complete, cipher is TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
* Dumping cert info:
* cert. version     : 3
* serial number     : 75:7E:CF:02:2F:6E:F7:EF:3D:81:B4:C1:AE:C6:D6:46:28:EE:81:1D
* issuer name       : C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA2
* subject name      : C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net
* issued  on        : 2016-05-26 16:05:13
* expires on        : 2017-05-26 16:05:12
* signed using      : RSA with SHA-256
* RSA key size      : 2048 bits
* basic constraints : CA=false
* subject alt name  : a248.e.akamai.net, *.akamaized.net, *.akamaihd-staging.net, *.akamaihd.net, *.akamaized-staging.net
* key usage         : Digital Signature, Key Encipherment
* ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

* SSL connected
> GET / HTTP/1.1
> Host: steamcdn-a.akamaihd.net
> User-Agent: curl/7.50.3
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.8.0
< Content-Type: text/html
< Content-Length: 45
< Last-Modified: Wed, 22 Jul 2009 23:34:30 GMT
< ETag: "4a67a206-2d"
< Accept-Ranges: bytes
< Date: Sat, 24 Sep 2016 17:28:19 GMT
< Connection: keep-alive
< 
<html>
<head>
</head>
<body>
</body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host steamcdn-a.akamaihd.net left intact

hasufell commented 8 years ago

With libressl this looks different:

$ curl -v https://steamcdn-a.akamaihd.net
* Rebuilt URL to: https://steamcdn-a.akamaihd.net/
*   Trying 109.193.192.139...
* TCP_NODELAY set
* Connected to steamcdn-a.akamaihd.net (109.193.192.139) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
xvitaly commented 8 years ago

With libressl this looks different:

It cannot find ca-certificates bundle.

hasufell commented 8 years ago

It cannot find ca-certificates bundle.

It doesn't have to.

xvitaly commented 8 years ago

It doesn't have to.

Curl and Pidgin need a CA bundle to verify received certificates.

hasufell commented 8 years ago

Curl and Pidgin need a CA bundle to verify received certificates.

You're not understanding how openssl works. It doesn't need a CAfile (what you call CA bundle), it can also use CApath, which is set.

You might also want to read https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
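An added illustration of the CAfile/CApath point (example script, not from the thread or the plugin): it builds a constructed root/intermediate/leaf chain with made-up names, reproduces curl's "unable to get local issuer certificate" when the intermediate is missing, and then verifies the same chain from a hashed CApath directory with no bundle file at all. It assumes only an `openssl` binary.

```shell
#!/bin/sh
# Added example, not from the issue thread: constructed three-tier chain
# (names made up) showing why an absent intermediate gives "unable to get
# local issuer certificate", and that a hashed CApath verifies as well as a
# CAfile bundle. Assumes an openssl binary.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA (self-signed trust anchor).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Root' \
  -keyout root.key -out root.pem 2>/dev/null
# Intermediate CA signed by the root; it must carry CA:TRUE to issue the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.pem 2>/dev/null
# Server (leaf) certificate signed by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cdn.example.test\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -subj '/CN=cdn.example.test' \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Only the leaf is presented and only the root is trusted: the intermediate
# is found nowhere, which is the curl error 60 seen in the thread.
verify_leaf_only() { openssl verify -CAfile root.pem leaf.pem 2>&1; }

# The server sends leaf + intermediate (-untrusted models the served chain);
# the root is supplied as a CAfile bundle.
verify_with_cafile() { openssl verify -CAfile root.pem -untrusted int.pem leaf.pem; }

# Same root in a hashed directory: OpenSSL looks up issuers as <subject-hash>.<n>,
# which is what c_rehash / openssl rehash generate for a directory like /etc/ssl/certs.
build_capath() {
  mkdir -p capath && cp root.pem capath/
  ln -sf root.pem "capath/$(openssl x509 -noout -subject_hash -in root.pem).0"
}
verify_with_capath() { build_capath && openssl verify -CApath capath -untrusted int.pem leaf.pem; }

verify_leaf_only || true   # prints "error 20 ... unable to get local issuer certificate"
verify_with_cafile         # prints "leaf.pem: OK"
verify_with_capath         # prints "leaf.pem: OK" with no bundle file involved
```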

hasufell commented 8 years ago

It turns out pidgin was built against gnutls, which is broken shit. After building it against nss, the problem is gone. So not really a problem of this plugin.