EionRobb / purple-hangouts


Fails to connect, "Invalid response" #198

Open EionRobb opened 5 years ago

EionRobb commented 5 years ago

Original report by Anonymous.


I run the hangouts plugin on a couple of my machines. One of them started to fail in the last week or so with "Invalid Response." I tried refreshing my OAUTH key, but that made no difference.

I checked the debug log, and see this:

```
(11:13:19) proxy: Connecting to www.googleapis.com:443.
(11:13:19) proxy: Connected to www.googleapis.com:443.
(11:13:19) nss: Handshake failed  (-12286)
(11:13:19) socket: invalid state: 3 (should be: 2)
(11:13:19) http: Request 0x5600579cb9f0 performed without success.
(11:13:19) g_log: json_decode_object: assertion 'root' failed
(11:13:19) connection: Connection error on 0x560057f58ed0 (reason: 0 description: Invalid response)
(11:13:19) account: Disconnecting account USER@DOMAIN.com (0x560056e91c10)
(11:13:19) connection: Disconnecting connection 0x560057f58ed0
(11:13:19) GLib: g_source_remove: assertion 'tag > 0' failed
(11:13:19) GLib: g_source_remove: assertion 'tag > 0' failed
(11:13:19) connection: Destroying connection 0x560057f58ed0
```

My hunch is that it is related to an openssl / Google certificate issue. I've been having SSL problems on other machines related to Gmail. In particular: https://mta.openssl.org/pipermail/openssl-project/2018-April/000623.html. Google has been presenting self-signed certificates named "invalid2.invalid" or something when clients don't use SNI. I've run into that with claws-mail and the regular jabber pidgin accounts. I might be wrong on some of the details there.

Anyway, the handshake failure and knowing that some apps are having issues with SSL and Google might be connected. I poked around the codebase and saw a few Google pem files. Perhaps the library is seeing the self-signed cert, not being able to match it to any existing files, and flipping out?

EionRobb commented 5 years ago

Original comment by Austin Riba (Bitbucket: Fingel, GitHub: Fingel).


I can confirm this; I'm seeing the same behavior. I tried resetting the account password to "" and redoing the OAuth step, with no success. It did seem to randomly work once in the last 2 days I've tried, but failed again quickly with "Invalid response".

EionRobb commented 5 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


The important part from that debug log is "nss: Handshake failed (-12286)", which according to https://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html means:

SSL_ERROR_NO_CYPHER_OVERLAP -12286  "Cannot communicate securely with peer: no common encryption algorithm(s)."

The local and remote systems share no cipher suites in common. This can be due to a misconfiguration at either end. It can be due to a server being misconfigured to use a non-RSA certificate with the RSA key exchange algorithm.

To resolve, you'll need to use the NSS Preferences plugin (in Tools->Plugins) to enable the right ciphers, which should be at least one of the green ones in the list from https://www.ssllabs.com/ssltest/analyze.html?d=www.googleapis.com
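Added example, not part of the original thread or the plugin's code: a small Python triage of a Pidgin debug log that ties the user-visible "Invalid response" back to the NSS handshake failure and the host it occurred against. The function name `triage` and the embedded sample are constructed here; only -12286 is mapped because it is the only code this thread identifies.

```python
import re

# Constructed sample: the Pidgin debug lines quoted in the report above.
SAMPLE_LOG = """\
(11:13:19) proxy: Connecting to www.googleapis.com:443.
(11:13:19) proxy: Connected to www.googleapis.com:443.
(11:13:19) nss: Handshake failed  (-12286)
(11:13:19) socket: invalid state: 3 (should be: 2)
(11:13:19) http: Request 0x5600579cb9f0 performed without success.
(11:13:19) g_log: json_decode_object: assertion 'root' failed
(11:13:19) connection: Connection error on 0x560057f58ed0 (reason: 0 description: Invalid response)
"""

# Only the code identified in this thread; others are reported by number.
NSS_ERRORS = {-12286: "SSL_ERROR_NO_CYPHER_OVERLAP"}

LINE = re.compile(r"^\((\d\d:\d\d:\d\d)\) ([\w ]+?): (.*)$")
CONNECT = re.compile(r"Connecting to (\S+?):(\d+)\.?$")
HANDSHAKE = re.compile(r"Handshake failed\s+\((-?\d+)\)")
CONN_ERR = re.compile(r"Connection error on \S+ \(reason: \d+ description: (.*)\)$")

def triage(log_text):
    """Pair each NSS handshake failure with the host being connected to and
    with the user-visible connection error that follows it."""
    findings, last_host, pending = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, category, msg = m.groups()
        if category == "proxy" and (c := CONNECT.search(msg)):
            last_host = f"{c.group(1)}:{c.group(2)}"
        elif category == "nss" and (h := HANDSHAKE.search(msg)):
            code = int(h.group(1))
            pending = {"time": ts, "host": last_host, "code": code,
                       "name": NSS_ERRORS.get(code, "unrecognised NSS error"),
                       "shown_to_user": None}
            findings.append(pending)
        elif category == "connection" and pending and (e := CONN_ERR.search(msg)):
            pending["shown_to_user"] = e.group(1)
            pending = None
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} TLS handshake to {f['host']} failed: {f['name']} "
              f"({f['code']}); surfaced as {f['shown_to_user']!r}")
```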

EionRobb commented 5 years ago

Original comment by Austin Riba (Bitbucket: Fingel, GitHub: Fingel).


Any ideas on how bitlbee users can fix this?

EionRobb commented 5 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


@Fingel what version of libpurple are you using? libpurple 2.13.0 has a fix to use the correct ciphers for NSS.

EionRobb commented 5 years ago

Original comment by Austin Riba (Bitbucket: Fingel, GitHub: Fingel).


Looks like I'm stuck on 2.12 until a Debian package for 2.13 is released (it's not even in backports at the moment). Thanks for clearing that up.

EionRobb commented 5 years ago

Original comment by Eion Robb (Bitbucket: EionRobb, GitHub: EionRobb).


Is https://packages.debian.org/sid/libpurple-bin not usable? Also, you could compile libpurple yourself.