
[SOLVED] Mageia 7, Pidgin, No connect

Posted: Jul 28th, '19, 15:36
by maxtog
After installing Mageia 7 and copying my Pidgin config from Mageia 5, I can no longer connect to the kode.im server (xmpp, otr, connection encryption, port 5222). I have tried everything for hours and give up. Here is my log:

Code:
(09:27:29) gnutls: Attempting to load X.509 certificate from /home/XXXX/.purple/certificates/x509/tls_peers/kode.im
(09:27:29) certificate/x509/tls_cached: Peer cert matched cached
(09:27:29) util: Writing file /home/XXXX/.purple/certificates/x509/tls_peers/kode.im
(09:27:29) certificate: Successfully verified certificate for kode.im
(09:27:29) jabber: Sending (ssl) (XXXX@kode.im): <stream:stream to='kode.im' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(09:27:29) jabber: Recv (ssl)(416): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xml:lang='en' version='1.0' id='1d17837d-8751-4062-8507-9ed646893fa3' from='kode.im' xmlns:stream='http://etherx.jabber.org/streams'><stream:error><policy-violation xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>TLS cipher &apos;TLS_AES_256_GCM_SHA384&apos; not acceptable</text></stream:error></stream:stream>
(09:27:29) connection: Connection error on 0x32bcb30 (reason: 0 description: Policy Violation)
(09:27:29) account: Disconnecting account XXXX@kode.im/ (0x26f46d0)


There is some type of Policy Violation that involves ssl tls with TLS_AES_256_GCM_SHA384. Does anyone have some ideas what I can do? I think this is an issue outside of Pidgin. Thanks

Re: Mageia 7, Pidgin, No connect

Posted: Jul 28th, '19, 15:45
by doktor5000
maxtog wrote: Does anyone have some ideas what I can do? I think this is an issue outside of Pidgin. Thanks

Well yes and no, the error is from libpurple, the underlying library for pidgin.
I'd try renaming or moving away the mentioned certificate /home/XXXX/.purple/certificates/x509/tls_peers/kode.im and then try again.

You can also try to manually check and grab the certificate, see the hints here on how to do that: https://askubuntu.com/a/623972/329633

Re: Mageia 7, Pidgin, No connect

Posted: Jul 30th, '19, 00:11
by maxtog
Thanks for the ideas, but that didn't seem to help. I even started with a fresh $HOME/.purple and re-added my account. The only certificate I then have is $HOME/.purple/certificates/x509/tls_peers/kode.im which it just created. Not getting any type of certificate errors. But when I try to connect, I still get a "policy violation" in the log. I can't believe my endless searching on the web can't find anyone else with this problem!

Re: Mageia 7, Pidgin, No connect

Posted: Jul 30th, '19, 00:41
by maxtog
Someone suggested I try enabling the "nss preferences" plugin in Pidgin and disabling "TLS_AES_256_GCM_SHA384". No change. Also a suggestion it might be using gnutls instead of nss. I removed the gnutls package completely just to see if anything changed. Nope. I then created a brand new user, just to make sure it has nothing to do with me or anything copied from $HOME on my previous install. Nope, same thing.... "Policy violation".

Re: Mageia 7, Pidgin, No connect

Posted: Jul 30th, '19, 05:44
by maxtog
I have a solution, FINALLY.

It seems that server is misconfigured somehow. It is advertising TLS_AES_256_GCM_SHA384 but then barfs on connection when gnutls selects it. I couldn't find a way to tell gnutls (or Pidgin) to not use it. So I did something radical:

Code:
# mv /usr/lib64/purple-2/ssl-gnutls.so  /usr/lib64/purple-2/ssl-gnutls.so.hold


Since pidgin uses both gnutls and nss, this forces pidgin to use nss. For some reason, nss doesn't try that cypher, it uses TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 instead, and that is successful. This is not a pretty work-around, but it does work. For now, that is all that matters. I will report it to the server admin to see if they can fix their configuration.

Now that I know what is happening, it is unlikely anyone else will have this issue, and it also explains why my endless searching turned up nothing. The ONLY reason I was able to figure this out was from a very nice person on a Pidgin channel in IRC :)
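
The log in the first post already names the cause: an XMPP stream error with the condition policy-violation, whose text carries the rejected cipher. As an added example (not part of the thread and not Pidgin code), this Python sketch pulls that error out of a Pidgin debug log and labels the suite by its IANA naming; the function names and the sample log are constructed here.

```python
import re
import xml.etree.ElementTree as ET

STREAMS_NS = "urn:ietf:params:xml:ns:xmpp-streams"
ERROR_RE = re.compile(r"<stream:error>.*?</stream:error>", re.S)
CIPHER_RE = re.compile(r"TLS_[A-Z0-9_]+")

# Constructed sample: send/receive lines shaped like the debug log in this thread.
SAMPLE_LOG = (
    "(09:27:29) jabber: Sending (ssl) (XXXX@kode.im): <stream:stream to='kode.im' "
    "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>\n"
    "(09:27:29) jabber: Recv (ssl)(416): <?xml version='1.0'?><stream:stream "
    "xmlns='jabber:client' from='kode.im' xmlns:stream='http://etherx.jabber.org/streams'>"
    "<stream:error><policy-violation xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    "<text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>TLS cipher "
    "&apos;TLS_AES_256_GCM_SHA384&apos; not acceptable</text></stream:error></stream:stream>\n"
)

def suite_family(name):
    """Naming heuristic: TLS 1.3 suite names omit the key exchange and '_WITH_'."""
    if not name:
        return None
    return "TLS 1.2 or earlier" if "_WITH_" in name else "TLS 1.3"

def stream_errors(log_text):
    """Return one dict per XMPP stream error found in 'jabber: Recv' log lines."""
    found = []
    for line in log_text.splitlines():
        if "jabber: Recv" not in line:
            continue
        for fragment in ERROR_RE.findall(line):
            # Wrap the fragment so the 'stream' prefix is declared even when the
            # enclosing <stream:stream> element is still open in the logged data.
            root = ET.fromstring(
                "<r xmlns:stream='http://etherx.jabber.org/streams'>%s</r>" % fragment)
            condition, text = None, ""
            for child in root[0]:
                if not child.tag.startswith("{%s}" % STREAMS_NS):
                    continue  # application-specific condition, not handled here
                local = child.tag.split("}", 1)[1]
                if local == "text":
                    text = child.text or ""
                else:
                    condition = local
            match = CIPHER_RE.search(text)
            cipher = match.group(0) if match else None
            found.append({"condition": condition, "text": text,
                          "cipher": cipher, "family": suite_family(cipher)})
    return found
```

Run over the sample, `stream_errors(SAMPLE_LOG)` reports policy-violation for a suite with a TLS 1.3 name, while the suite NSS ended up using has a TLS 1.2 name.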

Re: [SOLVED] Mageia 7, Pidgin, No connect

Posted: Jul 30th, '19, 18:10
by doktor5000
Thanks for sharing your findings, appreciated ;)