gajim issues
https://dev.gajim.org/gajim/gajim/-/issues
2020-04-04T20:32:35Z

https://dev.gajim.org/gajim/gajim/-/issues/8597
Send subscription request to gateway (outside normal registration flow)
2020-04-04T20:32:35Z
singpolyma

When my gateway (cheogram.com) sends a `<presence type="subscribe" />` to Gajim, it gets back a `<presence type="subscribed"/>`. But Gajim never sends (nor asks the user about sending) a `<presence type="subscribe" />` to the gateway.
This is an unsolicited (from PoV of Gajim) subscription that is caused by a web interface. Removing roster item and re-adding it causes subscription to work as expected. Would be fine to ask user "do you want to subscribe?" as Gajim would do with any other subscription request. In fact, currently Gajim auto-approves the subscription request, which is also a potential privacy leak (anyone could claim to be a gateway and get user presence that way). Non-registration-flow presence subscriptions from JIDs claiming to be a gateway *should* be handled in the same way (and by the same code) as from any other JID.
1.2.0

https://dev.gajim.org/gajim/gajim/-/issues/8592
Inform user about not being able to connect to a server due to missing tls/ssl authentication method
2019-04-24T21:01:27Z
Vincent Flyson

By default gajim is forbidden to connect to plain (non-tls/ssl) servers.
It took me some time to figure out why I couldn't connect to my server.
Related issue: https://dev.gajim.org/gajim/gajim/issues/8559
Found the issue by running gajim via `python -OOt gajim.py --verbose`:
```
...
03/30/2017 21:06:08 (I) nbxmpp.client_nb While connecting with type = "tls": TLS unsupported by remote server
03/30/2017 21:06:08 (I) gajim.c.connection Connecting to next type beacuse desired is tls and returned is plain
03/30/2017 21:06:08 (D) gajim.c.connection Connection to next host
03/30/2017 21:06:08 (D) gajim.c.connection Out of hosts, giving up connecting to XMPP-server-bot
...
```
I believe that having a more detailed UI error message rather than "Unable to connect to server ..." is very important in this case, since non-encrypted connections mostly exist on self-hosted servers used for various bots and setting them up can be a pain in the neck when the client's not reporting why exactly the connection has not been established.

https://dev.gajim.org/gajim/gajim/-/issues/8538
Gajim with Tor leaks DNS requests
2022-05-12T21:23:09Z
t2d

This issue is related to #7023
I saw at [privacy handbook](https://www.privacy-handbuch.de/handbuch_63-gajim_tor.htm) that Gajim is not resolving DNS over TOR. Or check at [Tor wiki](https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/InstantMessaging).
To check, I enabled the Tor Proxy in my account settings, started my client and looked for DNS requests with Wireshark. I could verify their claims.
I think, this is not the expected behavior. If you use Tor, you don't want anyone to know, which hosts you connect to. At least the domain names related to a "torified" account should be resolved over Tor. Another strategy would be to proxy everything over Tor as soon as one account enabled Tor.
1.4.0

https://dev.gajim.org/gajim/gajim/-/issues/8046
Replace button View cert... by expand/collapse
2019-04-14T11:16:40Z
Darlan

# phenomenon
Redundant dialogs and incomplete button strings, and arbitrary shorted text buttons to get a prettier UI (i.e. `View cert...`).
# implementation recommendation
Replace button View cert... by expand/collapse widget (I do not know what it is called), similarly to [attachment:ticket:7723:pouet.gif error dialog].
Rename `View cert...` to *View Certificate* or *Display Certificate* or *Details*.
Rename `OK` to *Accept Certificate* or *Accept* (trust certificate).
Add new button *Connect* (accept for this session).
Keep *Cancel* unaltered.
[Cancel] [Connect] [Accept]
▹ Display Certificate
From: ticket:7470#comment:3
Daniel Brötzmann

https://dev.gajim.org/gajim/gajim/-/issues/7805
ACE value "file_transfer_proxies" doesn't seem to work properly
2018-07-02T17:29:01Z
anonymous

# Bug description
Proxying file transfer isn't working.
XML log: https://conference.gajim.org:5281/pastebin/d7182305-1458-4ed7-9db2-e43581653915
# Steps to reproduce
Use Gajim via Tor and try to send a file through a proxy server.
# Software versions
OS version: Fedora / Gajim 0.15.3
GTK version: n/a
PyGTK version: n/a
Patches Welcome

https://dev.gajim.org/gajim/gajim/-/issues/7795
Gajim saves password as plain text without additional warning
2020-03-23T23:54:39Z
szpak

# problem
On Linux with Gnome user could expect that password for an account will be kept using a keyring. I was surprised when I found my password stored as plain text in Gajim's configuration.
This feature was not active, but I wasn't aware of it.
# analysis
Looking at code when required libraries are not available (or given system just doesn't support it) Gajim silently falls back to save password as plain text.
# enhancement recommendation
Gajim should display additional warning when user decides to keep password and there is method available which would allow to save it in the "safe" way. There could be also some info how to configure it.
1.2.0

https://dev.gajim.org/gajim/gajim/-/issues/7675
New "autoimprove_security" option.
2018-06-28T18:41:25Z
fedor.brunner

# problem
Most users don't touch advanced options and because Gajim has to support older servers, the default settings in Gajim are TLS 1.0 support, weaker RC4 (because of Google Talk servers [#7](https://python-nbxmpp.gajim.org/ticket/7)) and 3DES ciphers are supported, authentication mechanisms PLAIN, DIGEST-MD5 are enabled.
# enhancement recommendation
When the "autoimprove_security" option is enabled, Gajim will detect current security settings of XMPP server during login (supported TLS version (1.2), current cipher (AES) and authentication mechanism (SCRAM-SHA-1)). After a successful login, Gajim will disable older TLS versions (1.0, 1.1), disable weak ciphers (3DES, RC4) and disable weaker authentication mechanisms (PLAIN, DIGEST-MD5) for the connected server.
I think that this is a good behavior because absolutely most cases XMPP server operators don't downgrade to a software with weaker security. So security features of XMPP servers only improve over time.
This option will enable in combination with XMPP server supporting [SCRAM-SHA-1-PLUS](https://python-nbxmpp.gajim.org/ticket/16) that users will be protected from active MiTM attacker with valid SSL certificates. This protection works without any changes in setting by user. It's only required that the user will choose a good password.
Next idea is to have a database (or just a plain text table) of security features of known XMPP public servers. (http://xmpp.net)
This table will contain:
- The highest supported TLS version
- Information if ciphers stronger than RC4, 3DES are supported.
- The strongest supported authentication mechanism (and supported by Gajim)
When user creates a new account in Gajim with one of these servers the security settings for this account will be copied from the database.

https://dev.gajim.org/gajim/gajim/-/issues/7571
Don't load XHTML images automatically
2020-07-29T18:38:19Z
Darlan

# phenomenon
Unwilling disclosure of user IP address.
# background analysis
Send HTML message with image file, using XML Console, to user or MUC.
```xml
<message xmlns="jabber:client" to="test@conference.gajim.org" type="groupchat" id="fake lmc">
  <body>
    https://gajim.org/imgs/logo_small.png
  </body>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <img src='https://gajim.org/imgs/logo_small.png'
           alt='logo_small.png'
           title='logo_small.png'
           height='100'
           width='140'/>
    </body>
  </html>
</message>
```
# implementation recommendation
~~*Gajim = 0.16* Do not load images from internet.~~
*Gajim > 0.16* Add an Info-bar that would ask user whether to load image within message or replace image with a placeholder that prompt user to this issue.
*Gajim > 0.16* Add support for [XEP:0231 XEP-0231: Bits of Binary]?
See [GajimChat:2013:08:08:19:58:31 Chatroom logs for gajim@conference.gajim.org (Thursday, August 08, 2013)].
1.2.2

https://dev.gajim.org/gajim/gajim/-/issues/7253
Gajim complains about a SSL/TLS certificate when connecting to a custom hostname
2018-09-02T11:19:36Z
muelli

I have a Jabber account (foo@example.com) and a domain that hosts the actual jabber server (jabberdomain.com). So I set up my example.com account and put the actual server in "Use custom hostname/port".
Gajim complains:
"Error verifying SSL certificate
There was an error verifying the SSL certificate of your jabber server: The authenticity of the example.com certificate could be invalid.
The certificate does not cover this domain.
Do you still want to connect to this server?"
The hosting server does have its own certificate which I get shown when I click the "View cert" button.
So I guess that Gajim doesn't take into account that I indeed wanted to connect to the hosting domain and that the received certificate is expected and fine.
I would have expected to be able to connect without such a dialogue.

https://dev.gajim.org/gajim/gajim/-/issues/6096
Connection info, crypto etc
2019-09-29T19:56:36Z
Zash

# Problem
Gajim currently doesn't offer a way to show more information about the connection.
# Analysis
Some users may want to know the specifics about the connection, such as ciphers used etc.
# Enhancement recommendation
Implement something similar to how web browsers show connection info, with details about certificates, ciphers, etc. Could be a popup from the lock (it's a pair of keys in my theme) icon.
1.2.0

https://dev.gajim.org/gajim/gajim/-/issues/8771
Connection fails if trying to connect using TOR
2019-11-16T14:51:39Z
Martin

## Versions
- OS: Debian 9 Stretch
- Gajim version: gajim-default-nightly/unstable,unstable,unstable,now 20171023-1 (in info it says 0.16.11.1)
- GTK version: 3.22.11
- Python-nbxmpp version: 0.6.0
## Steps to reproduce the problem
Set up your account to connect via Proxy (SOCKS5, localhost, 9050)
## Expected behavior
Gajim starts and is connecting using TOR
## Actual behavior
Gajim fails to connect (changing localhost to 127.0.0.1 doesn't make any difference)
```
26.10.2017 19:34:41 (I) nbxmpp.proxy_connectors: Authentification successfull. Jabber server contacted.
26.10.2017 19:34:41 (I) nbxmpp.transports_nb: Plugging fd 18, W:True, R:True
26.10.2017 19:34:41 (I) nbxmpp.transports_nb: pollout called, state == PROXY_CONNECTING
26.10.2017 19:34:41 (I) nbxmpp.transports_nb: Plugging fd 18, W:False, R:True
26.10.2017 19:34:41 (E) nbxmpp.transports_nb: _do_send:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/nbxmpp/transports_nb.py", line 584, in _do_send
sent_data = decode_py2(sent_data, 'utf-8')
File "/usr/lib/python3/dist-packages/nbxmpp/transports_nb.py", line 91, in decode_py2
string = string.decode(encoding)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8f in position 5: invalid start byte
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/nbxmpp/transports_nb.py", line 588, in _do_send
if ord(char) & 0xc0 == 0xc0:
TypeError: ord() expected string of length 1, but int found
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/nbxmpp/transports_nb.py", line 584, in _do_send
sent_data = decode_py2(sent_data, 'utf-8')
File "/usr/lib/python3/dist-packages/nbxmpp/transports_nb.py", line 91, in decode_py2
string = string.decode(encoding)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8f in position 5: invalid start byte
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/nbxmpp/transports_nb.py", line 588, in _do_send
if ord(char) & 0xc0 == 0xc0:
TypeError: ord() expected string of length 1, but int found
26.10.2017 19:34:41 (I) nbxmpp.client_nb: Disconnecting NBClient:
26.10.2017 19:34:41 (I) nbxmpp.plugin: Plugging <nbxmpp.transports_nb.NonBlockingTCP object at 0x7f887be597f0> __OUT__ of <nbxmpp.client_nb.NonBlockingClient object at 0x7f888998f4a8>.
26.10.2017 19:34:41 (E) gajim.c.connection: Connection to proxy failed:
26.10.2017 19:34:41 (D) gajim.c.ged: our-show Args: (<gajim.common.connection_handlers_events.OurShowEvent object at 0x7f887be4eeb8>,)
26.10.2017 19:34:41 (D) gajim.plugin_system: ClientsIconsPlugin.connect_with_roster_draw_contact() <entered>
26.10.2017 19:34:41 (D) gajim.plugin_system: ClientsIconsPlugin.connect_with_roster_draw_contact() <left>
26.10.2017 19:34:41 (D) gajim.conversation_textview: Printed Line: 4, martin ist jetzt Abgemeldet, 1509039281.6551602, inserted after: None, stanza-id: None, correct-id: None
26.10.2017 19:34:41 (D) gajim.plugin_system: ClientsIconsPlugin.connect_with_roster_draw_contact() <entered>
26.10.2017 19:34:41 (D) gajim.plugin_system: ClientsIconsPlugin.connect_with_roster_draw_contact() <left>
26.10.2017 19:34:41 (D) gajim.c.ged: connection-lost Args: (<gajim.common.connection_handlers_events.ConnectionLostEvent object at 0x7f8889987f60>,)
```

https://dev.gajim.org/gajim/gajim/-/issues/5294
drop python-crypto dependency
2018-05-28T16:25:36Z
anonymous

It seems to me that gajim requires python-crypto just because of SHA256:
```
bradford:gajim$ grep -w -r -E 'ARC[24]|Blowfish|CAST|DES|DES3|IDEA|MD[24]|RC5|RIPMED|SHA256|XOR' *
gajim.nsi: File "bin\Crypto.Hash.SHA256.pyd"
gajim.nsi: Delete "$INSTDIR\bin\Crypto.Hash.SHA256.pyd"
src/common/stanza_session.py: from Crypto.Hash import HMAC, SHA256
src/common/stanza_session.py: self.hash_alg = SHA256
src/common/stanza_session.py: self.hash_alg = SHA256
src/common/stanza_session.py: raise NegotiationError('SHA256(e) != He')
src/common/crypto.py:from Crypto.Hash import SHA256
src/common/crypto.py: sh = SHA256.new()
bradford:gajim$
```
However, current python includes sha256 in hashlib library:
```
bradford:gajim$ python
Python 2.6.2 (r262:71600, Aug 21 2009, 12:23:57)
[GCC 4.4.1 20090818 (Red Hat 4.4.1-6)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> dir(hashlib)
['__builtins__', '__doc__', '__file__', '__get_builtin_constructor', '__hash_new', '__name__', '__package__', '__py_new', '_hashlib', 'md5', 'new', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512']
>>>
```
Philipp Hörist philipp@hoerist.com

https://dev.gajim.org/gajim/gajim/-/issues/4954
Hide private data when using gajim -v
2018-05-09T13:07:49Z
anonymous

I'd like an option to hide vital data like password hash and roster contents when I'm issuing "gajim -v". I don't feel comfortable sharing these type of info in bugreports.

https://dev.gajim.org/gajim/gajim/-/issues/8796
Using Gajim in Tails
2018-04-16T18:33:46Z
k

The Tails Project is looking to replace Pidgin as their default messenger.
Here's their blueprint: https://tails.boum.org/blueprint/replace_Pidgin/
As you can see, Gajim is listed as a candidate for an alternative messenger.
As part of this alternative messenger evaluation, it was said that
> it would be nice to have info on the blueprint (for the main candidates) about:
>
> underlying technologies being used such as:
> UI toolkit, which matters for accessibility, touch and Wayland support (e.g. in the not so distant past we did things like adding QT4 apps and now that's technical debt we have to deal with)
> programming language (i.e. is it memory safe? is it something statically compiled and if it is, how are security updates managed?)
> any chance it works with Flatpak/Portals or similar sandboxing technologies?
> envisioned update model (i.e. in Debian?)
> for multi-protocol clients, compatibility with modern mobile messaging (or lack thereof, or realistic plans for it)
> project status and long-term viability
> which other OS ships it by default
>
> I'm not saying we have to research all this for all candidates right now: looking at one or two of these criteria might be enough to drop some software from the list of candidates :)
>
> At some point we'll need to look at UX (e.g. desktop integration, how OTR and similar are integrated) too but the above technical criteria are easier for devs to document, and if we can drop a candidate or two this way, less UX evaluation work will be needed.
Any chance one of the gajim devs could answer these questions and either put the answers in this issue or in the Tails issue here? https://labs.riseup.net/code/issues/11686
Also, please let us know if there were any incorrect statements made in the blueprint:
> XMPP client in Debian with plugins for OTR and OMEMO (Signal-like, XEP-0384) but no IRC. Tickets were created and rejected some time ago (#7868 and #11541) but might be worth reconsidering after updating this blueprint (#11686).
>
> People from Security-in-a-Box have used it successfully in Tails.
>
> Gajim ships with a plugin called "plugin installer" which allows a user to download new plugins. This sounds suspicious for security, because plugins are pieces of code running with full privilege. The implementation in Debian use unverified TLS connection, which is very very open to MITM. The development version has switched to verified HTTPS connection and is trying to make it more robust. However, I think that Tails should not ship this plugin at all: it allows a user to download code without needing sudo. We could work debian-side to separate gajim-plugininstaller in a separate package so that Tails can choose not to install it?
I couldn't find a ticket related to verified TLS when I searched for it: https://dev.gajim.org/gajim/gajim/issues?scope=all&utf8=%E2%9C%93&state=closed&search=verified+tls
Is this still only in the development version of Gajim, or has it been moved to the main version? Does anyone have the ticket number so that I can keep up with the progress of this change?
I know that the plugin installer issue was discussed in the Whonix issue here: https://dev.gajim.org/gajim/gajim/issues/8651
It was said:
> Plugins are just python modules and they run with the same privilege Gajim runs. But you don't have to ship the plugin installer. You can just pick your plugins from the plugin repo here on gitlab and put them after install into usr/share/gajim/plugins. Then you just pack plugins you trust.
Perhaps this would work for Tails as well, but I'm assuming that they'd rather only deal with Debian's repos instead of Gajim's gitlab repos. Would making gajim-plugininstaller a separate package in Debian be something that Gajim would be willing to do if Tails requested this?

https://dev.gajim.org/gajim/gajim/-/issues/9179
HTTP Upload does not respect trusted (self-signed) SSL/TLS certificates
2022-08-18T13:23:44Z
Gajim User

## Versions
- OS: All
- Gajim version: 1.0.3
- GTK version: 3.22.30
- Python-nbxmpp version: 0.6.6
## Steps to reproduce the problem
1. Use own Jabber Server with TLS encryption and self signed certificate
2. Connect to own server using Gajim
3. Get unknown certificate warning
4. Verify fingerprint and accept new certificate
5. Use Send File -> HTTP Upload or receive File via HTTP Upload
## Expected behavior
Image is uploaded or received
## Actual behavior
Image is not uploaded or displayed
## Background information
The HTTP Upload uses the certificates from the python distribution located in Gajim program folder under Gajim\lib\python3.6\site-packages\certifi\cacert.pem
The connection certificate is not added to this list, nor a "local" list of trusted certificates is used.
## Bug evasion
Add your certificate to Gajim\lib\python3.6\site-packages\certifi\cacert.pem
(Problematic under Windows, as this file is owned by the system)
## Bug solving proposal
Make HTTP Upload use the locally accepted certificates list in addition to the python list.
1.2.0

https://dev.gajim.org/gajim/gajim/-/issues/9213
Use different socks user name per account (Tor)
2020-03-12T22:43:25Z
HulaHoopWhonix

Hi Whonix dev here. We are working hard to integrate your chat client in our anonymity distro and we discussed some topics about it before. We make heavy use of Tor's stream isolation feature to disassociate different applications' traffic from each other. One way to go about this depends on how program in question interacts with the socks interface.
Does gajim automatically set a socks user/password if using Tor?

https://dev.gajim.org/gajim/gajim/-/issues/9568
Not able to login on nimbuzz.com server
2019-02-05T07:54:38Z
Amandeep

**Please first check if another issue has been opened for your problem**
## Versions
- OS: Ubuntu 18.04.1 LTS
- Gajim version: 1.1.2+14b4488b0
- GTK version: 3.22.30
- Python-nbxmpp version: 0.6.9
## Steps to reproduce the problem
NA, I don't know how to fix it. I am attaching screenshot of XML console. Please help.
## Expected behavior
I should be able to login using my nimbuzz account. I am able to login using PSI app. But I like gajim more. Please help.
![Screenshot_from_2019-02-02_18-14-54](/uploads/fb4d974e5d96d593a586a2b58f33d454/Screenshot_from_2019-02-02_18-14-54.png)
## Actual behavior
Not able to login. It shows cannot connect to nimbuzz.com popup.

https://dev.gajim.org/gajim/gajim/-/issues/9573
Connecting to an onion service leaks DNS requests to clearnet
2019-03-16T15:19:53Z
Ghost User

Upon connecting to any .onion account/server the client performs a DNS lookup for _xmppconnect.[...].onion which leaks the requested onion service to the users DNS resolver and its upstreams.
You can watch this happen by running `sudo tcpdump udp port 53 -vv -X` in any terminal window and then connecting to any (valid or not) .onion.
I don't python, but a patch like the following should fix the issue
```patch
diff --git a/gajim/common/connection.py b/gajim/common/connection.py
index 571e00d30..90b0bafd0 100644
--- a/gajim/common/connection.py
+++ b/gajim/common/connection.py
@@ -1078,12 +1078,16 @@ class Connection(CommonConnection, ConnectionHandlers):
h = hostname
p = 5222
ssl_p = 5223
+ use_txt = True
if use_custom:
h = custom_h
p = custom_p
ssl_p = custom_p
if not self.redirected:
use_srv = False
+ if h.endswith('.onion'):
+ use_srv = False
+ use_txt = False
self.redirected = None
# SRV resolver
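Review bot: the `h.endswith('.onion')` test compares the raw string case-sensitively, so a host entered as `EXAMPLE.ONION` or with a trailing dot (`example.onion.`) would still go through the SRV and TXT lookups and reach the system resolver. Normalise `h` before the comparison (lower-case it and strip a trailing `.`), and add a one-line comment saying why `.onion` hosts skip DNS (RFC 7686 reserves the name and asks applications not to send it to DNS). The test also only looks at `h`, which is the custom host when `use_custom` is set, so confirm that `hostname` is not resolved anywhere else when the account domain itself is the `.onion` name.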
@@ -1095,7 +1099,7 @@ class Connection(CommonConnection, ConnectionHandlers):
]
self._hostname = hostname
- if h:
+ if h and use_txt:
app.resolver.resolve('_xmppconnect.' + helpers.idn_to_ascii(h),
self._on_resolve_txt, type_='txt')
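Review bot: `if h and use_txt:` now skips the `_xmppconnect.` TXT lookup for a non-empty host, a case the old `if h:` never produced, and the hunk does not show what runs when the condition is false. Check that the fall-through branch continues the connection for a `.onion` host the same way `_on_resolve_txt` would after an empty result. Since `use_srv` and `use_txt` are cleared together in the `.onion` branch, consider one flag for "no DNS for this host" so a later change cannot re-enable one lookup without the other.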
```

https://dev.gajim.org/gajim/gajim/-/issues/9592
plain text password in Config
2019-07-25T07:21:48Z
Citrodata

## Versions
- OS: Windows 7 (Version 6.1, Build 7601 SP1)
- Gajim version: 1.1.2 (tested with portable version and installer version)
- GTK version: 3.24.1
- PyObject version: 3.30.4
- Python-nbxmpp version: 0.6.9
## Steps to reproduce the problem
1. install Gajim
2. create a new user account, activate password saving
3. take a look in the Gajim config file (%appdata%\Gajim\Config), as expected the password was saved in a crypted way (keyring:)
4. create a second user account, activate password saving too
5. take a look in the Gajim config file (%appdata%\Gajim\Config), the password was saved as plain text
6. the config value use_keyring is activated!
## Expected behavior
- never use plain text password saving
## Actual behavior
- random plain text password saving
- sometimes, on similar Windows desktops, the password of the first account was saved as plain text too (and use_keyring was always enabled)

https://dev.gajim.org/gajim/gajim/-/issues/9627
PGP-signing packages
2019-11-30T22:19:48Z
amuza

Hi,
I have the OpenPGP public key for asterix@gajim.org (9530 6A3F 5430 B830 FE23 ACEF 838B C515 1E55 26DE). Now I have just downloaded gajim-1.1.2.tar.bz2, however I cannot find its signature.
Is it somewhere?
If you don't sign packages, please take this issue as a request/suggestion.
Thank you.

https://dev.gajim.org/gajim/gajim/-/issues/9794
Client-side only contacts names
2022-12-30T10:21:39Z
Marcin Mielniczuk

As of 1.1.3, if the contact name is set, it's automatically synchronized with the server. For privacy reasons one may prefer to keep the contact names locally (only on the client side).

https://dev.gajim.org/gajim/gajim/-/issues/9906
Sign binaries and release tags with (better) GPG key
2023-06-07T22:22:32Z
ewaf

**Please note by far the quickest way to get a new feature is to file a Merge Request.**
## Description of the new feature
I was a bit disappointed when I found out that you don't sign anything, as Gajim advertises on the front page "Chat securely with End-to-End encryption via OMEMO or PGP.".
I think it is critical for software that may be used by high profile individuals (like whistleblowers) to take security seriously. However, you guys only use a 1024 bit RSA key for signing Debian packages and don't sign release tags or binaries which is disappointing.
I suggest that you should get a new GPG key (preferably 4096 bit RSA), always sign release tags and binaries and suggest users to verify downloads.

https://dev.gajim.org/gajim/gajim/-/issues/10808
Unify Save Conversations and Keep History Setting
2022-06-07T13:18:31Z
Philipp Hörist philipp@hoerist.com

Currently we have no option "Never" for the Keep History setting.
Users are supposed to switch the "Save Conversations" setting to OFF.
We should remove the save conversation setting, and add a "Never" option for the Keep History Setting
1.4.4

https://dev.gajim.org/gajim/gajim/-/issues/11276
Add ACE setting for opening file uris
2022-11-05T21:25:53Z
Philipp Hörist philipp@hoerist.com

File uris not be opened by default, this can be a security risk

https://dev.gajim.org/gajim/gajim/-/issues/11427
Enable download/decrypt for shared files when preview is disabled
2023-06-15T19:45:19Z
xmpp ftw

When file upload preview is disabled, a plaintext "aesgcm" link is displayed in chat. It takes copy/pasting and an external tool (omemo-wget) to open the file.
It makes sense to have a download and open (with default desktop settings / xdg-open) for the file when preview is disabled, so the user doesn't need external tools.
Why making good UX around disabled preview is important:
- preview leaks IP metadata to a third-party server, unless a proxy is enabled; opting out of message preview makes such a leak opt-in
- file previews are a well-known vector of attacks (in general, not specific to gajim); opting out of message preview makes such a security risk opt-in

1.8.1

https://dev.gajim.org/gajim/gajim/-/issues/11452
AccountWizard: Proxy setting not honored
2023-05-05T20:53:34Z
kaliko
## Versions
- OS: windows (Portable install)
- Gajim version: 1.7.2
- GTK version:
- Python-nbxmpp version:
## Steps to reproduce the problem
1. Set a global HTTP proxy (no auth)
1. Select the proxy
1. Register a new account on a server with xep-0156 HTTP Lookup Method
## Expected behavior
Connect with xep-0156 HTTP Lookup Method using a proxy.
## Actual behavior
From the log (cf. attached) I can see nbxmpp.http is creating requests for two http resources (`updates.json` and `package_index.json`), these requests succeed.
Then I add my account and the request on the `.well-known/host-meta` clearly fails on a timeout.
I can confirm that going through the proxy to fetch this resource is working fine outside gajim.
I had to set a proxy explicitly because I think gajim is not grabbing system exposed proxy (env. var.).
At least, when I set the proxy in gajim I can see some http requests going through (updates and package_index).
[gajim.log](/uploads/a87c305b371a36cb96e2768211a47147/gajim.log)
1.8.0

https://dev.gajim.org/gajim/gajim/-/issues/11654
Notify about certificate fingerprint changes
2024-02-11T21:29:13Z
Polarian (polarian@polarian.dev)
**Please note by far the quickest way to get a new feature is to file a Merge Request.**
## Description of the new feature
In light of the [MitM attack](https://notes.valdikss.org.ru/jabber.ru-mitm/) which is going around XMPP communities over the past few days, I suggest that gajim warns the user when the server fingerprint changes and forces them to manually acknowledge this change.
[Claws mail](https://www.claws-mail.org/) does this when the server fingerprint changes. I feel this would be a first point at which a MitM attack could be caught, if a certificate is renewed too soon (say if it still has 60 days left on it, it would be pretty unusual to renew it until it hits 30 days).

https://dev.gajim.org/gajim/gajim/-/issues/11749
Encryption-by-default appears to only work for 1:1 chats
2024-03-05T22:44:27Z
Marcin Mielniczuk
The feature was introduced in https://dev.gajim.org/gajim/gajim/-/merge_requests/965, however, as of 1.8.4, groupchats do not respect this setting.
I will try to debug it in the coming weeks.
Next Release