EionRobb / purple-teams

A MS Teams plugin for libpurple/Pidgin (3rd party client)
GNU General Public License v3.0

Certificate validation issue #61

Closed rosorio closed 1 week ago

rosorio commented 1 week ago

Hi,

I have been running purple-teams for a couple of days on FreeBSD, and the first issue I found was related to the certificate chain. At every startup, and periodically, Pidgin complains that MS certificates can't be validated because the issuer certificate is missing.

In the past, Pidgin used to provide the MS issuer certificate, but this is not the case any more.

I'm currently using a shell script to fetch the certificate chain and create individual certificate files, but this is just a hack.

It would be nice if we could retrieve those certificates from a trusted place and copy them into the /usr/local/purple/ca-certs/ directory during purple-teams package, just like other Pidgin extensions do.

Attached below is the shell script used to fetch the certificates; hope this can help others.

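```sh
#!/bin/sh
# Fetch the certificate chain each Teams endpoint presents and write every
# certificate to its own file under ms_cert_out/.
TMPDIR=$(mktemp -d) || exit 1
mkdir -p ms_cert_out      # do not fail if the directory already exists
rm -f ms_cert_out/*       # do not fail if the directory is empty

echo "presence.teams.microsoft.com
apac.ng.msg.teams.microsoft.com
go.trouter.teams.microsoft.com
substrate.office.com
teams.microsoft.com
login.microsoftonline.com" | while read -r uri ; do
  echo "BEGIN $uri"
  # Keep only the PEM blocks from the s_client output
  openssl s_client -showcerts -connect "${uri}:443" </dev/null 2>/dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' > "${TMPDIR}/${uri}.pem"
  # split -p (split on a pattern) is a BSD split option
  split -p "-----BEGIN CERTIFICATE-----" "${TMPDIR}/${uri}.pem" "ms_cert_out/${uri}-individual-"
  for i in ms_cert_out/"${uri}"-individual-*; do
    mv "${i}" "${i}.pem"
  done
  echo "END  $uri"
done

if [ -d "$TMPDIR" ]; then
  rm -rf "$TMPDIR"
fi
```
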
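
As an added illustration (not code from this thread or from purple-teams): `openssl s_client -showcerts` saves whatever the server presented, so the sketch below copies fetched intermediates into a CA directory only when the leaf verifies for the expected host against a root bundle you already trust. The function names, file naming and the root-bundle argument are assumptions; OpenSSL may also consult its default trust locations in addition to the given bundle.

```sh
#!/bin/sh
# Added example, not part of the issue thread. Function names are hypothetical.

# Split a PEM bundle into <prefix>01.pem, <prefix>02.pem, ... with POSIX awk
# (portable stand-in for BSD `split -p`); prints how many files were written.
split_chain() {
  awk -v p="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s%02d.pem", p, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }
  ' "$1"
}

# True only if the first certificate in the bundle (the leaf) is valid for
# the host ($2) and chains to a root in the anchor file ($3). The bundle is
# also passed with -untrusted, so its other certificates can complete a path
# but can never act as the trust anchor themselves.
chain_is_trusted() {
  openssl verify -CAfile "$3" -untrusted "$1" -verify_hostname "$2" "$1" \
    >/dev/null 2>&1
}

# Copy the intermediates (everything after the leaf) into $dest, but only
# when the chain verifies. Prints the number of certificates copied.
install_intermediates() {
  bundle=$1 host=$2 anchors=$3 dest=$4
  if ! chain_is_trusted "$bundle" "$host" "$anchors"; then
    echo "REJECT $host: chain does not verify against $anchors" >&2
    return 1
  fi
  work=$(mktemp -d) || return 1
  n=$(split_chain "$bundle" "$work/$host-")
  i=2
  while [ "$i" -le "$n" ]; do
    cp "$work/$host-$(printf '%02d' "$i").pem" "$dest/" || { rm -rf "$work"; return 1; }
    i=$((i + 1))
  done
  rm -rf "$work"
  echo "$((n - 1))"
}
```

A bundle that contains only the leaf fails this check with the same "missing issuer" condition described in the report, which makes it a quick way to tell an incomplete server chain from a local trust-store problem.
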
EionRobb commented 1 week ago

Sounds like #60 which is caused by a change in libnss - see https://issues.imfreedom.org/issue/PIDGIN-17886/Certificate-verification-errors-with-NSS-3.103

rosorio commented 1 week ago

The libpurple patch provided in the issue does the job, thanks for your help :)

rosorio commented 5 days ago

For the record, purple-teams is now part of the FreeBSD ports. From now on, FreeBSD users can install and use purple-teams by just typing `pkg install purple-teams`