
My work uses a local XMPP server (Wildfire, now called Openfire). When using the Pidgin client, it always asks me if it should accept the invalid (expired) certificate.


I would like to get Pidgin to always accept it without asking me. How can I do this without installing a new certificate on the XMPP server?

I attempted to import the certificate into both my Personal store and the Trusted Root store, but I still get the same prompt. The certificate is also stored in %APPDATA%\.purple\certificates\x509\tls_peers, but I still get the prompt.

Here's the debug log upon connecting:

Pidgin Debug Log : 10/4/2016 12:05:16 PM
(12:05:05) account: Connecting to account [email protected]/.
(12:05:05) connection: Connecting. gc = 04528D78
(12:05:05) dnssrv: querying SRV record for 192.168.1.21: _xmpp-client._tcp.192.168.1.21
(12:05:05) dnssrv: Couldn't look up SRV record. The filename, directory name, or volume label syntax is incorrect. (123).
(12:05:05) dnsquery: Performing DNS lookup for 192.168.1.21
(12:05:05) dnsquery: IP resolved for 192.168.1.21
(12:05:05) proxy: Attempting connection to 192.168.1.21
(12:05:05) proxy: Connecting to 192.168.1.21:5222 with no proxy
(12:05:05) proxy: Connection in progress
(12:05:05) proxy: Connecting to 192.168.1.21:5222.
(12:05:05) proxy: Connected to 192.168.1.21:5222.
(12:05:05) jabber: Sending ([email protected]): <?xml version='1.0' ?>
(12:05:05) jabber: Sending ([email protected]): <stream:stream to='192.168.1.21' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(12:05:05) jabber: Recv (579): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="192.168.1.21" id="da08260e" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
(12:05:05) jabber: Sending ([email protected]): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(12:05:05) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(12:05:05) nss: SSL version 3.1 using 128-bit AES with 160-bit SHA1 MAC
Server Auth: 2048-bit RSA, Key Exchange: 1024-bit DHE, Compression: NULL
Cipher Suite Name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
(12:05:05) nss: subject=CN=Unknown,OU=Unknown,O=REDACTED,L=REDACTED,ST=REDACTED,C=US issuer=CN=Unknown,OU=Unknown,O=REDACTED,L=REDACTED,ST=REDACTED,C=US
(12:05:05) certificate/x509/tls_cached: Starting verify for 192.168.1.21
(12:05:05) certificate/x509/tls_cached: Certificate 192.168.1.21 expired at Mon Aug 29 09:54:35 2016

(12:05:05) certificate/x509/tls_cached: Checking for cached cert...
(12:05:05) certificate/x509/tls_cached: ...Found cached cert
(12:05:05) nss/x509: Loading certificate from C:\Users\example\AppData\Roaming\.purple\certificates\x509\tls_peers\192.168.1.21
(12:05:05) certificate/x509/tls_cached: Peer cert matched cached
(12:05:07) util: Writing file accounts.xml to directory C:\Users\example\AppData\Roaming\.purple
(12:05:07) util: Writing file C:\Users\example\AppData\Roaming\.purple\accounts.xml
(12:05:07) util: Writing file blist.xml to directory C:\Users\example\AppData\Roaming\.purple
(12:05:07) util: Writing file C:\Users\example\AppData\Roaming\.purple\blist.xml
(12:05:07) certificate/x509/tls_cached: User ACCEPTED cert
Caching first in chain for future use as 192.168.1.21...
(12:05:07) nss/x509: Exporting certificate to C:\Users\example\AppData\Roaming\.purple\certificates\x509\tls_peers\192.168.1.21
(12:05:07) util: Writing file C:\Users\example\AppData\Roaming\.purple\certificates\x509\tls_peers\192.168.1.21
(12:05:07) nss: Trusting CN=Unknown,OU=Unknown,O=REDACTED,L=REDACTED,ST=REDACTED,C=US
(12:05:07) certificate: Successfully verified certificate for 192.168.1.21
  • Have you tried viewing the certificate and installing it into the Windows certificate store? Commented Sep 28, 2016 at 20:26
  • Yes, but Pidgin throws the same error message.
    – user201262
    Commented Sep 28, 2016 at 20:31
  • Open the Debug Window (Help -> Debug Window), connect to the server and choose Accept in the certificate dialog. There could be some certificate-related messages in the Debug Window. You can attach the log to your original question. Accepted certificates should be stored in %APPDATA%\.purple\certificates\x509\tls_peers. Look there to see if there is a file with the same name as your server.
    – ge0rdi
    Commented Oct 1, 2016 at 16:56
  • I have bad news. I'm looking at the Pidgin sources (your log helped a lot to orient in the code flow), but it seems that for expired (or not yet valid) certificates there is always a prompt. All other certificate errors are not reported if the certificate was already accepted. I'd suggest reporting this issue to the Pidgin developers here.
    – ge0rdi
    Commented Oct 4, 2016 at 16:58
  • In fact there are issues with expired certificates reported in the Pidgin ticketing system. Usually the answer is that the server's certificate has to be fixed.
    – ge0rdi
    Commented Oct 4, 2016 at 17:19

2 Answers


Unfortunately it is not possible to permanently accept an expired certificate (at least not in Pidgin 2.11.0, which is the latest version at the moment).

There are many reports about this issue in the official Pidgin issue tracking system. The usual answer is that the server's certificate has to be fixed.

One can also confirm it in the Pidgin sources:
Certificate verification begins in x509_tls_cached_start_verify. For an expired certificate the flag PURPLE_CERTIFICATE_EXPIRED is set.
If the certificate was found in the cache, x509_tls_cached_cert_in_cache is called. It verifies that the fingerprint of the presented certificate matches the one in the cache and then calls x509_tls_cached_complete.
This function does one of the following:

  • notify the user that the certificate is invalid (if there was some fatal certificate issue)
  • let the user decide whether to accept or reject the certificate (if there was a non-fatal issue; this is the case with an expired certificate)
  • continue without any prompt if there was no issue with the certificate

There is no way to skip the warning about an expired certificate (other than fixing the certificate itself).
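To see the mechanism this answer describes in running code, here is an added example (my own, not Pidgin's code). It reads a certificate the way tls_peers stores it (PEM), pulls notBefore/notAfter out of the DER with a minimal ASN.1 walker, computes the SHA-1 fingerprint that the cache pins on, and applies the cached-peer outcomes from the answer: a fingerprint match with valid dates proceeds silently, a match with an expired or not-yet-valid certificate prompts every time. The toy certificate it builds is constructed test data (empty names, dummy key and signature), the function names are mine, and two points are my assumptions rather than statements from the answer: a fingerprint mismatch is reported as a cache miss (libpurple then runs its unknown-peer verification, which is not modelled), and fatal errors from chain validation are omitted because they cannot be evaluated offline.

```python
"""Model of the libpurple tls_peers check described above (added example, not
Pidgin code): the cache pins a peer by certificate fingerprint, but a pinned
certificate's validity period is still evaluated on every connection."""
import base64
import hashlib
from datetime import datetime, timezone

PROCEED, PROMPT, CACHE_MISS = "proceed", "prompt", "cache-miss"

def utc(*ymdhms):
    """UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*ymdhms, tzinfo=timezone.utc)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _asn1_time(buf, tag, vs, ve):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(buf[vs:ve].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity(der):
    """(notBefore, notAfter) from tbsCertificate.validity. Walk: Certificate >
    tbsCertificate > [version] serialNumber signature issuer validity ..."""
    _, cert_s, _ = _tlv(der, 0)
    _, tbs_s, tbs_e = _tlv(der, cert_s)
    seqs = [(vs, ve) for tag, vs, ve in _children(der, tbs_s, tbs_e)
            if tag not in (0xA0, 0x02)]    # skip version [0] and serialNumber INTEGER
    times = [_asn1_time(der, t, s, e) for t, s, e in _children(der, *seqs[2])]
    return times[0], times[1]

def sha1_fingerprint(der):
    """Hex SHA-1 of the DER certificate, the fingerprint Pidgin shows in its prompt."""
    return hashlib.sha1(der).hexdigest()

def pem_to_der(pem):
    """Decode a tls_peers file (PEM) to DER."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def tls_cached_decision(cached_pem, presented_der, now):
    """Outcome for a peer already present in tls_peers, per the answer above.
    Match + valid dates -> proceed; match but expired / not yet valid
    (PURPLE_CERTIFICATE_EXPIRED) -> prompt the user. Mismatch -> cache miss;
    libpurple then runs its unknown-peer verification (assumption, not modelled)."""
    if sha1_fingerprint(pem_to_der(cached_pem)) != sha1_fingerprint(presented_der):
        return CACHE_MISS
    not_before, not_after = validity(presented_der)
    if now < not_before or now > not_after:
        return PROMPT
    return PROCEED

# Constructed test data: a toy certificate that is structurally valid only as far
# as this parser reads (empty names, dummy key and signature). NOT a real cert.
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content

def toy_certificate(not_before, not_after):
    t = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))   # UTCTime
    sha256_rsa = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02"))          # version v3
                     + _enc(0x02, b"\x01")                     # serialNumber
                     + sha256_rsa                              # signature algorithm
                     + _enc(0x30, b"")                         # issuer (placeholder)
                     + _enc(0x30, t(not_before) + t(not_after))
                     + _enc(0x30, b"")                         # subject (placeholder)
                     + _enc(0x30, b""))                        # subjectPublicKeyInfo (placeholder)
    return _enc(0x30, tbs + sha256_rsa + _enc(0x03, b"\x00" * 17))   # dummy signature

if __name__ == "__main__":
    # Mirrors the log above: cached cert matches, but expired Aug 29 2016 -> prompt.
    cert = toy_certificate(utc(2015, 8, 29, 9, 54, 35), utc(2016, 8, 29, 9, 54, 35))
    cached = der_to_pem(cert)                # what tls_peers/192.168.1.21 would hold
    print(sha1_fingerprint(cert), tls_cached_decision(cached, cert, utc(2016, 10, 4, 12, 5, 5)))
```

Point pem_to_der and validity at the real %APPDATA%\.purple\certificates\x509\tls_peers\<server> file to confirm what the log already shows: the cached fingerprint matches, so the pin is working, and the prompt comes solely from notAfter being in the past.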


What @ge0rdi said is right, but you could try downloading the SSL certificate by hand. Doing this would make Pidgin start without it asking for permission :)

Use the following command:

cd ~/.purple/certificates/x509/tls_peers
openssl s_client -connect YOUR_SERVER:PORTNUMBER </dev/null | openssl x509 -outform PEM > YOUR_SERVER

If that fails, append -starttls xmpp to the command, as follows:

cd ~/.purple/certificates/x509/tls_peers
openssl s_client -connect YOUR_SERVER:PORTNUMBER -starttls xmpp </dev/null | openssl x509 -outform PEM > YOUR_SERVER

Place the file in the following folder:

~/.purple/certificates/x509/tls_peers

Note! Make sure the filename is the DNS name of the server.

EDIT:

Guess who just noticed you use a Windows machine... ~/ is a Linux user's home partition. According to this page the Windows equivalent is %APPDATA%.

  • The certificate is already there, but Pidgin still asks if I want to accept it every time. That's in the question and in the comments as well.
    – user201262
    Commented Oct 6, 2016 at 15:42
