purple-facebook icon indicating copy to clipboard operation
purple-facebook copied to clipboard

Published 20 hours ago verified publisher icon dequis

popups for graph.facebook.com certificate

Open alexolog opened this issue 4 years ago • 10 comments

Getting them every couple of minutes. Accepting does not stop it.

alexolog avatar May 21 '20 16:05 alexolog

I have just started to get the same issue. When investigating the certificate it says that it can't verify the certificate issuer.

solbu avatar Nov 10 '20 02:11 solbu

keep showing me the popup many times any clue to fix it?

josx avatar Nov 11 '20 23:11 josx

This same behavior started on my Pidgin installation: graph.facebook.com, mqtt.facebook.com It happens at irregular intervals; sometimes several certificates at once, other times only one.

Platform: Raspberry Pi 4 (8GB) OS: Raspberry Pi OS Beta (aarch64) Pidgin: 2.14.5 (libpurple 2.14.5) [also 2.13.0] Purple Facebook: 0.9.6

JBHoren avatar Jun 18 '21 21:06 JBHoren

FYI this is also an issue with purple-hangouts and its up-and-coming replacement purple-googlechat it may have a similar root cause and this thread has some ideas as to what that is (the servers sending partial certificate chains?)

https://github.com/EionRobb/purple-hangouts/issues/236

zyphlar avatar Jul 09 '21 18:07 zyphlar

What's the suggested solution to this?

TheBense avatar Aug 26 '21 23:08 TheBense

AFAIK even with various fixes in EionRobb/purple-googlechat (maybe @EionRobb or @dequis can comment) the core requirement is that clients cache multiple certificates that they receive, because only some of the certificate / chain may be received at any given time from any given server, and the entire various parts of the chain are needed to validate them. This wasn't a problem when chat providers passed the entire chain like normal HTTPS servers, but apparently they're trying to save resources and no longer sending the entire chain consistently each time.

zyphlar avatar Sep 08 '21 22:09 zyphlar

What would be nice to have the option "always accept" in this pop-up, so we could not see it anymore for the same certificate.

ZaxonXP avatar Sep 22 '21 10:09 ZaxonXP

I manually populated the TLS cache for second level certificate:

Workaround:

cd ~/.purple/certificates/x509/tls_peers/
curl -O http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt > DigiCert%20SHA2%20High%20Assurance%20Server%20CA
rm -f DigiCertSHA2HighAssuranceServerCA.crt

http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt is listed as the second level cert in graph.facebook.com. You can check this by doing openssl x509 -text -noout -in graph.facebook.com DigiCert%20SHA2%20High%20Assurance%20Server%20CA is Subject "CN" from that certificate url encoded (this can be checked via openssl x509 -inform DER -text -noout -in DigiCertSHA2HighAssuranceServerCA.crt Finally the .crt comes down in DER (binary) format, and purple wants it in PEM (text) format.

utopiabound avatar Oct 19 '22 14:10 utopiabound

I manually populated the TLS cache for second level certificate:

Workaround:

cd ~/.purple/certificates/x509/tls_peers/
curl -O http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt > DigiCert%20SHA2%20High%20Assurance%20Server%20CA
rm -f DigiCertSHA2HighAssuranceServerCA.crt

I am doing exactly this, and it still cannot find the issuing CA

solbu avatar Oct 19 '22 16:10 solbu

I am doing exactly this, and it still cannot find the issuing CA

I even added it to the system wide trust anchor, as described in the link below, it still does not work. :-
https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/

solbu avatar Oct 19 '22 16:10 solbu