gajim-0.15.2-r2 fails to connect to some servers. Maybe applying the one patch which fixes Bug 442860 is not enough and some other patches should be applied too?

I get this traceback on stderr:

Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/idlequeue.py", line 533, in _process_events
    return IdleQueue._process_events(self, fd, flags)
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/idlequeue.py", line 394, in _process_events
    obj.pollin()
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/transports_nb.py", line 414, in pollin
    self._do_receive()
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/transports_nb.py", line 600, in _do_receive
    self._on_receive(received)
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/transports_nb.py", line 614, in _on_receive
    self.on_receive(data)
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 318, in <lambda>
    self.onreceive(lambda _data:self._xmpp_connect_machine(mode, _data))
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 353, in _xmpp_connect_machine
    self._xmpp_connect_machine(mode='STREAM_STARTED')
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 376, in _xmpp_connect_machine
    self._on_stream_start()
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 412, in _on_stream_start
    self._on_connect()
  File "/usr/lib64/python2.7/site-packages/gajim/common/xmpp/client_nb.py", line 449, in _on_connect
    self.on_connect(self, self.connected)
  File "/usr/lib64/python2.7/site-packages/gajim/common/connection.py", line 1285, in _connect_success
    return self.connection_accepted(con, con_type)
  File "/usr/lib64/python2.7/site-packages/gajim/common/connection.py", line 1329, in connection_accepted
    certificate=con.Connection.ssl_certificate[i]))
TypeError: 'X509' object has no attribute '__getitem__'

gajim-0.15.2 works fine

Reproducible: Always
Please test version 0.15.2-r3.
No, you are right.
Could you please attach /usr/lib64/python2.7/site-packages/gajim/common/connection.py
Created attachment 339612 [details] connection.py
Could you please attach the output of emerge --info gajim
If I add the corresponding CA certificate of a problematic server to ~/.local/share/gajim/secrets, then instead of a traceback I get a message box with this error:

"It seems the SSL certificate of account xxxxxxxx.xx has changed or your connection is being hacked.
Old fingerprint: 88:E3:E5:32:D9:59:8D:AD:6A:E2:A1:14:BA:A9:20:01:14:6D:C0:C2
New fingerprint: 2

Do you still want to connect and update the fingerprint of the certificate?"

%)
Created attachment 339736 [details] emerge --info gajim
(In reply to comment #6)
> If I add the corresponding CA certificate of a problematic server to
> ~/.local/share/gajim/secrets, then instead of a traceback I get a message
> box with this error:
>
> "It seems the SSL certificate of account xxxxxxxx.xx has changed or your
> connection is being hacked.
> Old fingerprint: 88:E3:E5:32:D9:59:8D:AD:6A:E2:A1:14:BA:A9:20:01:14:6D:C0:C2
> New fingerprint: 2
>
> Do you still want to connect and update the fingerprint of the certificate?"
>
> %)

I also saw this. That's bad. Hopefully upstream will release soonish so that we can fix this. I will see what I can do.
> I will see what I can do.

At least remove the code from the patch that changes con.Connection.ssl_fingerprint_sha1 to con.Connection.ssl_fingerprint_sha1[-1] and con.Connection.ssl_cert_pem to con.Connection.ssl_cert_pem[-1] — these variables have type 'str', not 'list', so the patch (gajim-0.15.2-CVE-2012-5524.patch) is partially incorrect.
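The type mismatch described in the comment above, as an added example that is not part of the original thread and is not Gajim's code: indexing a `str` fingerprint with `[-1]` yields its last character, which is why the dialog showed "New fingerprint: 2". The helper names are hypothetical, and the sketch assumes a list (if one is given) carries the wanted certificate last, as the `[-1]` in the patch implies.

```python
import re

# SHA-1 fingerprint in the colon-separated form shown in the dialog above.
SHA1_FP = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")

# Sample input: the "old" fingerprint quoted in the thread.
PINNED = "88:E3:E5:32:D9:59:8D:AD:6A:E2:A1:14:BA:A9:20:01:14:6D:C0:C2"


def buggy_leaf_fingerprint(value):
    """Mimics the faulty change: index [-1] regardless of the value's type."""
    return value[-1]


def leaf_fingerprint(value):
    """Return one validated fingerprint from a str or a list of str.

    Hypothetical helper: accepts either shape, then rejects anything that
    is not a well-formed SHA-1 fingerprint instead of passing it on.
    """
    if isinstance(value, (list, tuple)):
        if not value:
            raise ValueError("empty fingerprint list")
        value = value[-1]  # assumption: last entry is the one to pin
    if not isinstance(value, str):
        raise TypeError("fingerprint must be str, got %s" % type(value).__name__)
    value = value.strip().upper()
    if not SHA1_FP.match(value):
        raise ValueError("malformed SHA-1 fingerprint: %r" % value)
    return value


def pin_status(pinned, presented):
    """Compare a stored fingerprint with the one the transport reports."""
    try:
        current = leaf_fingerprint(presented)
    except (TypeError, ValueError):
        # A code bug or bad data, not evidence of a changed certificate.
        return "invalid"
    return "match" if current == leaf_fingerprint(pinned) else "changed"
```

Keeping "invalid" apart from "changed" means a malformed value is never offered to the user as a new fingerprint to accept.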
(In reply to comment #9)
> 'list', so the patch (gajim-0.15.2-CVE-2012-5524.patch) is partially
> incorrect.

You are absolutely right. I added what upstream committed as fix for this issue, but it seems they added some more code changes which aren't related to this issue. I am testing the corrected patch and will commit it if everything is fine.
I corrected the patch to fix the fingerprint issue. Could you please try and see whether everything is working again?
+*gajim-0.15.2-r4 (23 Feb 2013) + + 23 Feb 2013; Justin Lecher <jlec@gentoo.org> -gajim-0.15.2-r2.ebuild, + gajim-0.15.2-r3.ebuild, +gajim-0.15.2-r4.ebuild, + files/gajim-0.15.2-CVE-2012-5524.patch: + Drop parts of upstream which should fix CVE-2012-5524 but added more code + which is incompatible with current implementation +
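Review bot: The entry's "Drop parts of upstream" does not say which parts of files/gajim-0.15.2-CVE-2012-5524.patch were removed, and it carries no bug reference. Suggest naming the dropped changes and citing the bug, so a later reader can tell how much of the CVE-2012-5524 fix is still applied in gajim-0.15.2-r4.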
(In reply to comment #11)
> I corrected the patch to fix the fingerprint issue. Could you please try and
> see whether everything is working again?

I can confirm that the new patch fixes the issue with SHA-1 fingerprint, thanks.
Alexander, is your problem also fixed?
(In reply to comment #14)
> Alexander, is your problem also fixed?

Problem with SHA-1 fingerprint is fixed. But there is another problem: gajim-0.15.2-r3 silently fails to connect to the server if the CA certificate is unavailable. Vanilla gajim-0.15.2 in this case shows an error message and allows you to ignore this error in the future:

"There was an error verifying the SSL certificate of your jabber server: The authenticity of the xxxxxxx.xx certificate could be invalid.
SSL Error: Unable to verify the first certificate
Do you still want to connect to this server?"
Could you please try 0.15.3 and see how that works?
0.15.3 works as expected.