Time to upgrade certificates, again

[bmomjian]

I run this script from cron every night, which helps prevent invalid certificate errors:

wget -q -O ~/.purple/certificates/x509/tls_peers/Google-download.pem https://pki.goog/roots.pem

wget -q -O - https://pki.goog/gsr1/gtsr1.crt | openssl x509 -inform der -out ~/.purple/certificates/x509/tls_peers/GlobalSign-download.pem

wget -q -O - https://pki.goog/gsr2/GTS1O1.crt | openssl x509 -inform der -out ~/.purple/certificates/x509/tls_peers/Google-1O1-download.pem

[bodqhrohro]

@bmomjian it doesn't help me.

@bq:20:38:41:/tmp/dl$ ls -l ~/.purple/certificates/x509/tls_peers/G*
-rwxrwxrwx 1 root root  1927 июн  8 15:46 /home/bodqhrohro/.purple/certificates/x509/tls_peers/GlobalSign-download.pem
-rwxrwxrwx 1 root root  1549 июн  8 15:46 /home/bodqhrohro/.purple/certificates/x509/tls_peers/Google-1O1-download.pem
-rwxrwxrwx 1 root root 72865 июн 16  2020 /home/bodqhrohro/.purple/certificates/x509/tls_peers/Google-download.pem

Still those annoying certificate windows that disappear quickly if I didn't confirm them in time, and lead to account disabling.

[bmomjian]

That's odd. Once I started using those wget commands nightly, my popup problems went away, though I did have a few last week which I think were problems on the Google end.

[Deledrius]

I tried updating those certificates, but it seems to have no effect for me. I'm still getting the constant disconnects and prompts to accept an unknown cert.

I've been having this intermittently for over a month now, and it's quite irritating combined with the way the plugin spams my local chat repeating old messages every time it reconnects (if it can reconnect without Google putting the account on a timeout). The interaction between these two bugs creates a mess in the chat log.

[EionRobb]

So the cert to get is the 1C3 cert instead of the 1O1 cert (from https://pki.goog/repo/certs/gts1c3.pem ) - on Windows, copy this to your Program Files\Pidgin\ca-certs folder

The reason this happens is that Google's servers will only send the full hierarchy tree of certificates including intermediate certs the very first time you connect to the server - it then expects the client (Pidgin) to cache all the intermediate certs for subsequent reconnects so that it can save bandwidth. Unfortunately, libpurple doesn't do this caching and expects the full tree to be sent all the time - the partial tree thing is a relatively new idea (compared to when libpurple's SSL implementation was written, but also back then you'd connect to one server and stay connected for a long time, rather than lots of little web requests) - and so you get the popup to say it can't verify the certificate.

Sorry to everyone for the annoying popups :(

[mjeveritt]

So the cert to get is the 1C3 cert instead of the 1O1 cert (from https://pki.goog/repo/certs/gts1c3.pem ) - on Windows, copy this to your Program Files\Pidgin\ca-certs folder

Utilising the same principle as @bmomjian above, what should the final wget line look like? I've simply swapped '1O1' with '1C3' but I'm getting an error from openssl - unable to load certificate 140562274391232:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101

Any ideas?! :smiley: TIA!

[bodqhrohro]

I executed wget -q -P ~/.purple/certificates/x509/tls_peers/ https://pki.goog/repo/certs/gts1c3.pem, restarted Pidgin and still have the popup.

[mjeveritt]

I executed wget -q -P ~/.purple/certificates/x509/tls_peers/ https://pki.goog/repo/certs/gts1c3.pem, restarted Pidgin and still have the popup.

Yeah - I don't think it's quite that simple ... :joy:

[zyphlar]

Wow thanks for this thread, Pidgin has been nearly unusable for me for months if not years because there's a new popup every few minutes (and my theory is that repeatedly failing to create an SSL session triggers Google IDS and bans your client/IP for awhile, generating unsolvable but temporary auth errors) and simply knowing what the issue might be gives me hope. If this issue can get pushed upstream and solved I'll be forever grateful.

Per @bmomjian 's example I also ran this, we'll see if it helps

wget -q -O ~/.purple/certificates/x509/tls_peers/Google-1C3-download.pem https://pki.goog/repo/certs/gts1c3.pem

(The goal of his commands is to download certs and save them in PEM format; the openssl lines just convert CRT files to PEM. Unsure if file naming matters.)

[zyphlar]

Yeah nah same clients6.google.com errors as always unfortunately, every couple minutes-to-hours.

[EionRobb]

I don't know if it makes it better or worse, but I'm fairly far along a replacement Google Chat plugin at https://github.com/EionRobb/purple-googlechat which uses different servers - I don't get the certificate popups at all (because of https://github.com/EionRobb/pidgin-win32-nss-cert-import which uses the windows certificates), but starting to get to a point where I'm keen for other people to try out the new plugin and let me know if the same certificate issues plague it

[bodqhrohro]

So they not just renamed the product and domains, but did some protocol improvements too? Why would it need so much changes, otherwise?

[bodqhrohro]

@EionRobb googlechat prpl runs into the same issue.

[zyphlar]

Update: I still am getting some cert errors with purple-googlechat. Maybe not quite as many but if I were you I'd hold off for a couple more commits before switching.

---

Swanky! Works so far, will report back if I get cert errors. Thanks so much for your hard work on this, I can't tell you how many bug reports I have open with other projects that see zero action for years.

FYI I've also been getting cert errors with the Facebook plugin lately so you're probably not alone in this.

[BoFiS]

Oh fun, THANK YOU for continued development and support as Google moves over to Chat from Hangouts! Sending of photos doesn't seem to work yet, but I assume you realize that.

Another thing I've noticed so far is that all my group conversations that did not specifically have names show up as just a jumble of letters now, rather than under the Purple Hangouts extension where it listed members of that chat instead.

[zyphlar]

FYI this has also lately been an issue with purple-facebook with possibly a similar root cause https://github.com/dequis/purple-facebook/issues/485 https://github.com/dequis/purple-facebook/issues/441

[JBHoren]

I downloaded-and-copied the PEM file you referenced in the google-hangouts post to /usr/local/share/purple/ca-certs, then invoked Pidgin. Eventually (1-2 hours) the popups began reappearing.