dequis / purple-facebook

Facebook protocol plugin for libpurple (moved from jgeboski/purple-facebook)
GNU General Public License v2.0

SSL Certificate Error (proxy related issue) #177

Open jdavidchailloux opened 8 years ago

jdavidchailloux commented 8 years ago

Greetings, my name is Juan David Chailloux, I live in Havana, Cuba and I'm trying to use the purple-facebook plug-in to connect to my chat account on Facebook, but I'm getting an SSL certificate error. I use Ubuntu desktop 14.04 and I'm behind a user-authenticated proxy server to access the Internet, which only allows traffic through ports 80 and 443. I put the debugging log file (<snipped>) in order to get a possible solution from you, or at least an idea to fix it. Things break when it attempts to connect to graph.facebook.com:443. I can actually access https://graph.facebook.com through my Firefox browser. Thanks in advance for your time, and I look forward to hearing from you.

jgeboski commented 8 years ago

Some more information from our email conversation:

I can actually access https://graph.facebook.com through my proxy with my firefox browser. I don't know if it's OK but the screen shows the following:

{
   "error": {
      "message": "Unsupported get request. Please read the Graph API documentation at https://developers.facebook.com/docs/graph-api",
      "type": "GraphMethodException",
      "code": 100,
      "fbtrace_id": "HsCo5q/Wo5A"
   }
}

[screenshots: purple01, purple05]

redhead commented 8 years ago

I have the same problem. One time it showed an SSL certificate error for the Graph API URL, now for mqtt.facebook.com. What should I do?

redhead commented 8 years ago

Nevermind. It seems I fixed it by removing the graph.facebook.com file from the user's app data certificates.

jgeboski commented 8 years ago

What type of proxy are you using? In the second image of Firefox above, if you click on the "General" tab, what is the SHA-256 fingerprint?

pochy-ja commented 8 years ago

I have the same issue with the same connection conditions; in Pidgin this is the error.

[screenshot: cert-error]

I use an HTTP proxy with NTLM authentication, and the server is a Squid proxy; if you need other information just tell us.

My version of Pidgin is Pidgin 2.10.9 (libpurple 2.10.9), which is the version of the package in the repository for Ubuntu 14.04.

Related to your question about the cert in the browser, this is what I can find in my Firefox browser:

[screenshot: cert-browser]

pochy-ja commented 8 years ago

BTW, I tried to fix this with comment 4 and the error still happens.

jgeboski commented 8 years ago

@pochy-ja would you mind attaching your ~/.purple/certificates/x509/tls_peers/graph.facebook.com to this issue?

pochy-ja commented 8 years ago

In the tls_peers directory the file graph.facebook.com does not exist, only b-api.facebook.com. Is it the same?

dequis commented 8 years ago

Do you also use the squid proxy in firefox?

@redhead's issue was unrelated, but @pochy-ja and @jdavidchailloux seem to be the exact same thing. In fact I suspect you two are using the same proxy server.

Connections to b-api succeeded in both cases, connections to graph failed in both cases. Dunno.

pochy-ja commented 8 years ago

Yes, all my connections go through the proxy. When I access graph.facebook.com in Firefox, it shows the same information as @jgeboski's first image in comment 2. BTW, I tested this with my laptop in two different places, both through a proxy, and the error still happens.

jgeboski commented 8 years ago

I just tested this via Squid (without NTLM, but that should not matter), and it works for me. I use a pretty default Squid setup, so maybe that is it as well. Something is clearly up with the proxy, at least as far as I can tell.

Waiting on a debug log from #190 to see if there are any similarities.

pochy-ja commented 8 years ago

I'm back. I debugged my connection; check the information there, maybe it could be useful. BTW, I replaced my password and the number sent by SMS for security reasons.

The log <_snipped_>

EionRobb commented 8 years ago

So the graph.facebook.com cert says it's signed by "DigiCert SHA2 High Assurance Server CA" but you don't have that CA on your system. The b-api.facebook.com cert, the first time, has that CA appended as an intermediary but not the second time (but by that time it's ok, because the certificate is cached).

A workaround would be to save the cert for graph.facebook.com from your browser and manually add it via Tools->Certificates in Pidgin

pochy-ja commented 8 years ago

@EionRobb I tried to fix this with your comment and the error still happens.

josedanielr commented 8 years ago

I have this same problem, but in my case it is because my proxy server uses digest authentication, which is not supported by Pidgin (or purple-facebook?). Could you offer a comment about this, please?

dequis commented 8 years ago

In this other ticket I posted an alternate method to connect to Facebook using the IRC protocol and a public BitlBee server instead of this plugin: https://github.com/jgeboski/purple-facebook/issues/204#issuecomment-181144652

I have my doubts that it will work for this issue since there's some fishy stuff going on with these proxies, but maybe it's stuff targeting facebook specifically. Just be sure to check that, if pidgin provides the option to accept or reject the certificate, the fingerprint that appears when you click "view certificate" matches the one in that comment.

@josedanielr I'm pretty sure you're out of luck with that one. Submit a ticket in pidgin's tracker.

jorgehuerta commented 8 years ago

@pochy-ja I found my certificate under ~/.purple/certificates/x509/tls_peers/b-api.facebook.com contained ^M at the end of each line of the certificate. I removed them and it now works, even behind a vpn. Hope that is of use to you.
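As an added example (not code from this thread or from purple-facebook), the following Python script checks a libpurple peer certificate file such as ~/.purple/certificates/x509/tls_peers/b-api.facebook.com for the CRLF line endings (the ^M mentioned above), normalizes them, and confirms that the PEM body still decodes to a DER SEQUENCE, which is what a certificate must start with. The sample PEM and its tiny DER payload are constructed for the demo and are not a real certificate; the helper names and the repair function are assumptions of this example, not part of libpurple.

```python
import base64
import re

# Constructed sample: a PEM file whose lines end in CRLF ("^M" when viewed in
# an editor). The DER payload is a minimal ASN.1 SEQUENCE { INTEGER 1,
# INTEGER 2 }, not a real certificate; it only exercises the framing checks.
FAKE_DER = bytes.fromhex("3006020101020102")
SAMPLE_CRLF = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(FAKE_DER).decode("ascii") + "\r\n"
    + "-----END CERTIFICATE-----\r\n"
)

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S
)


def has_crlf(text: str) -> bool:
    """True if the file carries carriage returns (what shows up as ^M)."""
    return "\r" in text


def normalize_pem(text: str) -> str:
    """Convert CRLF or lone CR line endings to LF and drop trailing spaces."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip() for line in text.split("\n")]
    return "\n".join(lines).strip() + "\n"


def extract_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block, after normalizing.

    validate=True makes b64decode reject any stray character instead of
    silently skipping it, so a damaged file fails loudly here.
    """
    match = PEM_BLOCK_RE.search(normalize_pem(pem))
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def der_looks_like_certificate(der: bytes) -> bool:
    """Check the outer ASN.1 tag is SEQUENCE (0x30) and its length matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                     # short-form length
        length, header = first, 2
    else:                                # long-form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def repair_pem_file(path: str) -> bool:
    """Rewrite a CRLF PEM file with LF endings; return True if it was changed.

    Assumed helper for this example: read as bytes so the CRs are visible,
    refuse to touch the file unless the result still parses as a certificate.
    """
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii")
    if not has_crlf(text):
        return False
    fixed = normalize_pem(text)
    if not der_looks_like_certificate(extract_der(fixed)):
        raise ValueError("normalized PEM does not decode to a DER SEQUENCE")
    with open(path, "wb") as fh:
        fh.write(fixed.encode("ascii"))
    return True


if __name__ == "__main__":
    print("CRLF present:", has_crlf(SAMPLE_CRLF))
    der = extract_der(SAMPLE_CRLF)
    print("DER SEQUENCE ok:", der_looks_like_certificate(der))
```

Run it against a real tls_peers file with `repair_pem_file(path)`; the normalization keeps the base64 body byte-for-byte, so the cached fingerprint libpurple compares against the server does not change.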

pochy-ja commented 8 years ago

@jorgehuerta I checked this but this is not my case.

jdavidchailloux commented 8 years ago

Hi, excuse my question, but how can I edit the certificate file to test jorgehuerta's solution? It is encrypted.

dequis commented 8 years ago

Could I have some more details on the proxies you're using? I think everyone is using some weird kind of auth. So far the most concrete issue is the UCLV one, which uses digest auth; the CUJAE one is a mystery, and I have no idea what proxy @pochy-ja is using other than the fact that it's NTLM.

You could do something like this from a terminal, replacing the address and the port, but without providing username and password - I'd like to see the Proxy-Authentication error, if any.

curl -v proxy.example.com:3128

Please post the output of that. You might have to unset http_proxy before, to actually get an auth error.

For those who have NTLM you could try cntlm - if that works then this might be a pidgin issue.

If it's not NTLM you could set up a local squid proxy with this config and tell pidgin to use 127.0.0.1:3128 as proxy instead of the remote one.

(I suspect, but I'm not sure, that the whole issue may not be SSL related in some cases.)

pochy-ja commented 8 years ago

For those who have NTLM you could try cntlm - if that works then this might be a pidgin issue.

I think the problem is related to a Pidgin issue, because when I updated to version 2.10.12 of Pidgin and updated the plugin to the latest version, it worked perfectly. I do not know if the other cases here could be resolved with the update.

dequis commented 8 years ago

@pochy-ja neat! Glad to hear that. So that could also help with @jdavidchailloux's issue, if that proxy is similar enough.

Also pinging @dann1 (from #190), see my previous comment

josedanielr commented 8 years ago

I'm using UCLV's proxy as this is my place of work, and it indeed uses digest auth. I have not been able to try the latest Pidgin version yet, to see if the problem persists. If it's resolved I will publish an update.

This is a response header excerpt of my proxy if it helps for something.

HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.4.6
Mime-Version: 1.0
Date: Tue, 09 Aug 2016 23:23:49 GMT
Content-Type: text/html
Content-Length: 3077
Vary: Accept-Language
Content-Language: es_UCLV
Proxy-Authenticate: Digest realm="Proxy_UCLV", nonce="xUypVwAAAADA0uQSAAAAADcxx2sAAAAA", qop="auth", stale=false
Connection: keep-alive
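The diagnostic dequis asked for (the unauthenticated `curl -v` against the proxy) and the 407 response josedanielr posted both come down to reading the Proxy-Authenticate challenge. As an added example, not code from this thread or from purple-facebook, the Python below parses such a response, lists every challenge scheme the proxy offers with its parameters, and flags the ones a libpurple 2.x HTTP proxy connection can answer. The supported-scheme list (Basic and NTLM, not Digest) is an assumption stated here, consistent with the thread's conclusion about digest auth; the sample response is constructed from the header excerpt above, with the rest of the body omitted.

```python
import re

# Constructed sample, built from the response headers quoted in the thread.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid/3.4.6\r\n"
    "Content-Type: text/html\r\n"
    'Proxy-Authenticate: Digest realm="Proxy_UCLV", '
    'nonce="xUypVwAAAADA0uQSAAAAADcxx2sAAAAA", qop="auth", stale=false\r\n'
    "Connection: keep-alive\r\n"
    "\r\n"
    "<html>body omitted</html>"
)

# A second constructed response, showing a proxy that offers two schemes on
# separate header lines, as Squid does when several auth helpers are enabled.
SAMPLE_NTLM_BASIC = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="corp"\r\n'
    "\r\n"
)

# Assumption for this example: schemes libpurple 2.x's HTTP proxy code can
# complete on its own. Digest is deliberately absent, matching the thread.
LIBPURPLE_PROXY_SCHEMES = {"basic", "ntlm"}

# name=value pairs, value either quoted ("...") or a bare token.
PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_challenges(raw: str):
    """Return (status_code, [challenge, ...]) from a raw HTTP response.

    Each challenge is {"scheme": str, "params": {name: value}}. Only the
    header block is read; the body is ignored. One scheme per header line
    is assumed; a comma-joined list of several schemes on one line is not
    split, because the comma is ambiguous with parameter separators.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    code = int(status.group(1)) if status else None
    challenges = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {k.lower(): (q or t) for k, q, t in PARAM_RE.findall(rest)}
        challenges.append({"scheme": scheme, "params": params})
    return code, challenges


def usable_schemes(raw: str):
    """Schemes from the response that the assumed libpurple proxy code can use."""
    _, challenges = parse_challenges(raw)
    return sorted(
        c["scheme"] for c in challenges
        if c["scheme"].lower() in LIBPURPLE_PROXY_SCHEMES
    )


def describe(raw: str) -> str:
    """Human-readable summary for a quick look at curl -v output."""
    code, challenges = parse_challenges(raw)
    if code != 407:
        return f"status {code}: no proxy auth challenge"
    offered = ", ".join(c["scheme"] for c in challenges) or "(none)"
    ok = usable_schemes(raw)
    verdict = f"client can use: {', '.join(ok)}" if ok else "no usable scheme"
    return f"407 offers {offered}; {verdict}"


if __name__ == "__main__":
    for sample in (SAMPLE_407, SAMPLE_NTLM_BASIC):
        print(describe(sample))
```

Feed it the headers captured by `curl -v`, with `http_proxy` unset as dequis notes; if the only scheme offered is Digest, the problem is the proxy's authentication method rather than the certificate, and no certificate-file fix will change the outcome.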