purple-facebook
purple-facebook copied to clipboard
popups for graph.facebook.com certificate
Getting them every couple of minutes. Accepting does not stop it.
I have just started to get the same issue. When investigating the certificate it says that it can't verify the certificate issuer.
keep showing me the popup many times any clue to fix it?
This same behavior started on my Pidgin installation: graph.facebook.com, mqtt.facebook.com It happens at irregular intervals; sometimes several certificates at once, other times only one.
Platform: Raspberry Pi 4 (8GB) OS: Raspberry Pi OS Beta (aarch64) Pidgin: 2.14.5 (libpurple 2.14.5) [also 2.13.0] Purple Facebook: 0.9.6
FYI this is also an issue with purple-hangouts
and its up-and-coming replacement purple-googlechat
it may have a similar root cause and this thread has some ideas as to what that is (the servers sending partial certificate chains?)
https://github.com/EionRobb/purple-hangouts/issues/236
What's the suggested solution to this?
AFAIK even with various fixes in EionRobb/purple-googlechat (maybe @EionRobb or @dequis can comment) the core requirement is that clients cache multiple certificates that they receive, because only some of the certificate / chain may be received at any given time from any given server, and the entire various parts of the chain are needed to validate them. This wasn't a problem when chat providers passed the entire chain like normal HTTPS servers, but apparently they're trying to save resources and no longer sending the entire chain consistently each time.
What would be nice to have the option "always accept" in this pop-up, so we could not see it anymore for the same certificate.
I manually populated the TLS cache for second level certificate:
Workaround:
cd ~/.purple/certificates/x509/tls_peers/
curl -O http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt > DigiCert%20SHA2%20High%20Assurance%20Server%20CA
rm -f DigiCertSHA2HighAssuranceServerCA.crt
http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
is listed as the second level cert in graph.facebook.com
.
You can check this by doing openssl x509 -text -noout -in graph.facebook.com
DigiCert%20SHA2%20High%20Assurance%20Server%20CA
is Subject "CN" from that certificate url encoded (this can be checked via openssl x509 -inform DER -text -noout -in DigiCertSHA2HighAssuranceServerCA.crt
Finally the .crt comes down in DER (binary) format, and purple wants it in PEM (text) format.
I manually populated the TLS cache for second level certificate:
Workaround:
cd ~/.purple/certificates/x509/tls_peers/ curl -O http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt > DigiCert%20SHA2%20High%20Assurance%20Server%20CA rm -f DigiCertSHA2HighAssuranceServerCA.crt
I am doing exactly this, and it still cannot find the issuing CA
I am doing exactly this, and it still cannot find the issuing CA
I even added it to the system wide trust anchor, as described in the link below, it still does not work. :-
https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/