Frequently Asked Questions - SSL


General

Introduction
This information was compiled by Stu Tomlinson with much help from #gaim

Read the ChanServ notice? Read the Topic? Read the FAQ? Still having problems getting SSL to work with Gaim? Read on, maybe you're in luck. But probably not.

General Notes
Gaim needs to be compiled with SSL support to work with MSN, and for SSL connections on Jabber (where the server supports it). You will need either GnuTLS (and all its dependencies) or Mozilla NSS & NSPR.

Mozilla 1.5 will not provide all the pieces for NSPR & NSS due to breakage in Mozilla that misses out some .h files (or something...). You might be able to install mozilla-{nss,nspr}{,-devel} from 1.4, or install nss from source, in parallel and link against those for Gaim. Or just use GnuTLS.

OpenSSL is not an option for SSL support in Gaim because the OpenSSL license (BSD-style with advertising clause) is not compatible with the Gaim license (GPL).

Distribution Specific Tips

Debian
Use the debs

If you want to compile from source, make sure you have libgnutls11-dev installed. You can ensure you have all the necessary build dependencies installed by running: apt-get build-dep gaim.

Note: libgnutls & libgnutls-dev (from woody) are known to NOT work

Fedora Core (3 & 4)
Use the official Fedora Core packages from a Fedora Core mirror
Fedora Core (1 & 2)
Use the Gaim provided packages : http://sourceforge.net/project/showfiles.php?group_id=235
Gentoo
Gentoo's ebuilds for Gaim should "Just Work". Before you do anything, sync your Portage package database:
emerge sync

The most recent Gaim version is usually not in Gentoo stable. To ensure you are using the most recent release in Portage, you may add the following line to /etc/portage/package.keywords. If you are not using x86, replace "~x86" with your CPU type, such as "~ppc" or "~sparc":

net-im/gaim ~x86

Portage will build and install the NSS and NSPR packages automatically if you do not have them. Alternatively, if you add the following line to /etc/portage/package.use, Portage will automatically use GnuTLS instead, building and installing it if necessary:

net-im/gaim gnutls

After you are satisfied with your configuration, run the following command to install the latest version available in Portage and any dependencies that you need:

emerge gaim

Also, don't forget that emerge is not a transitive verb!

Linux From Scratch
If you're crazy enough to actually use LFS surely you're crazy enough to figure this out on your own? (or just see below on compiling from source)
Mandrake (10.1)
There are 3rd party RPMs for Mandrake 10.1 here: http://gaim.jesuschrist.be/
Mandrake (9.2 & 10.0)
Use the Gaim provided packages : http://sourceforge.net/project/showfiles.php?group_id=235
Red Hat Linux (9)
Use the Gaim provided packages : http://sourceforge.net/project/showfiles.php?group_id=235
Red Hat Linux (<9)
Please join this century.
Slackware (9.1, 10.0 & 10.1)
There are sometimes 3rd party packages for Slackware 9.1, 10.0 and 10.1 here: http://www.linuxpackages.net/. These packages may depend on other packages available from the same site.

Or you can use the Gaim source, with mozilla-1.4 installed (if you have another version of mozilla, try replacing 1.4 with your version number):

./configure --with-nss-includes=/usr/include/mozilla-1.4/nss \
--with-nspr-includes=/usr/include/mozilla-1.4/nspr \
--with-nss-libs=/usr/lib/mozilla-1.4 \
--with-nspr-libs=/usr/lib/mozilla-1.4

We are told that recently, Slack removed Mozilla-1.7.5 from Slackware-Current and replaced it with Mozilla-Firefox-1.0.1. This may change the exact location for the paths above.

Also, you'll need to add /usr/lib/mozilla-1.4 to /etc/ld.so.conf and run ldconfig as root

If you have Mozilla Firebird installed instead of plain Mozilla 1.4, you might be able to use the packages mentioned above by adding this directory to /etc/ld.so.conf and running ldconfig as root:

/usr/lib/MozillaFirebird-0.7

This has been reported to work with Mozilla Firebird 0.7, other versions might work but this has not been thoroughly tested.

Firefox also includes the necessary libraries, so if you have a binary package of Gaim that was built with SSL support you may be able to add /usr/lib/firefox to /etc/ld.so.conf and run ldconfig as root.

SuSE (8.2, 9.0, 9.1, 9.2 & 9.3)
There are 3rd party RPMs for SuSE 8.2, 9.0, 9.1 & 9.2 here : http://linux01.gwdg.de/~pbleser/rpm-navigation.php?cat=Network%2Fgaim/

Note: These RPMs use GnuTLS for SSL support, but GnuTLS is not shipped with SuSE. You can get RPMs of GnuTLS (and OpenCDK & libtasn1, which are required by GnuTLS) from the same site.

Note2: SuSE >= 9.1 does include GnuTLS, and you should use the SuSE provided GnuTLS with the Gaim RPM from the above site.

If you wish to compile Gaim from source using Mozilla NSS, there are Mozilla NSS packages available on the same site, here: http://linux01.gwdg.de/~pbleser/rpm-navigation.php?cat=%2FLibraries%2Fmozilla-nss/

Ubuntu (Warty 4.10 & Hoary 5.04)
If you want to compile from source, make sure you have libgnutls10-dev installed.
Lars-Erik Labori provided a nice easy to follow guide:

First of all, you need to remove the old ubuntu Gaim version:

$ sudo apt-get remove gaim

1. You need to download the latest Gaim source from here.
2. You need to install the GNU TLS library development files:

$ sudo apt-get install libgnutls10-dev

3. Compile Gaim:

$ ./configure --enable-gnutls=yes
$ sudo make
$ sudo make install 

Your new Gaim should be up and running.

FreeBSD (5.1)
Compile from source. See the note below on GnuTLS versions that have been reported to work with *BSD, these tips might also help you:

For i18n to work, you need to have gettext installed. It will probably stuff itself in /usr/local, so you need to configure like this:

./configure --with-libintl-prefix=/usr/local

Alternatively, if you only need to use English, you can disable i18n (and the dependency on gettext) by configuring like so:

./configure --disable-nls

Apparently GnuTLS is no longer working for FreeBSD users (and possibly others), but it (apparently, again) does work with NSS/NSPR from ports (nss-3.8):

cd /usr/ports/net/gaim ; make WITHOUT_GNUTLS=t WITH_NSS=t WITHOUT_AUDIO=t package clean
OpenBSD (3.4)
Compile from source. See the note below on GnuTLS versions that have been reported to work with *BSD, these tips might also help you:

For i18n to work, you need to have gettext installed. It will probably stuff itself in /usr/local, so you need to configure like this:

./configure --with-libintl-prefix=/usr/local

Alternatively, if you only need to use English, you can disable i18n (and the dependency on gettext) by configuring like so:

./configure --disable-nls
IRIX (6.5)
See this thread at our Sourceforge forum for some steps towards getting Gaim running on IRIX.

Please get in touch if you do manage to make SSL go.

Alternatively, SGI have a package of Gaim 0.64 on their freeware site here: http://freeware.sgi.com/index-by-alpha.html
Note: That is not a current release, and is not supported by Gaim developers or in #gaim.

Solaris
There are 3rd party packages for Solaris here : http://www.blastwave.org/ and here : http://sourceforge.net/project/showfiles.php?group_id=19386&package_id=98537

If you use the package from blastwave.org and get this error: "Fatal: no entropy gathering module detected", make sure that you have the Solaris /dev/random patch installed (Solaris 8 (sparc): 112438, (x86): 112439), and that /dev/random is world readable.

If you're compiling from source, you must make sure everything is compiled using gcc and not Sun's cc

Mac OS X (10.3.1)
Information on setting up GnuTLS can be found at: http://alphamonkey.org/view.php?type=notes&id=309
Win32
Use the Gaim provided packages : http://sourceforge.net/project/showfiles.php?group_id=235
Autopackage
The Gaim Autopackage needs either GnuTLS, or Mozilla NSS & NSPR, just like any other form of Gaim. However, currently it requires a version of GnuTLS with an soversion of 11. A good way to find out is:
/sbin/ldconfig -p | grep libgnutls
and to look for a "libgnutls.so.11". If you have some other version (version 10 is common), it won't install, unless you have Mozilla NSS & NSPR for it to use instead. You may need to edit either the file /etc/ld.so.conf or the environment variable LD_LIBRARY_PATH in order for it to find NSS & NSPR, however, because Mozilla NSS & NSPR are often installed at some place like /usr/lib/mozilla-{version} or /usr/lib/firefox-{version}. See also the hints here for your specific distribution.
SCO (anything, any version)
You're kidding, right? This stuff is licensed under the GPL, and SCO don't respect that.

If that isn't enough to get you to use a decent OS, consider this:

"If Darl McBride was in charge, he'd probably make marriage unconstitutional too, since clearly it de-emphasizes the commercial nature of normal human interaction, and probably is a major impediment to the commercial growth of prostitution."

- Linus Torvalds, December 5th 2003.

(Darl McBride is CEO of The SCO Group)

Compiling from source

Note
I strongly recommend you use pre-packaged binaries where possible; however, if you MUST use source, these tips might help you. GnuTLS is the developers' preferred option, but I've witnessed more success with Mozilla NSS & NSPR.
Mozilla NSS & NSPR
Mozilla NSS & NSPR can be found here:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM/src/nss-3.9.2.tar.gz (despite its name, it contains both NSS & NSPR)
--with-{nss,nspr}-includes should point to the directory with the .h files in (eg. nspr.h)
--with-{nss,nspr}-libs should point to the directory with the .so files in (eg. libnss3.so)

If you can't add to /etc/ld.so.conf (or your (*nix) OS doesn't have one) set the LD_LIBRARY_PATH environment variable instead, either before running Gaim or (for bourne shell & bash) on the Gaim command line, eg. csh:

setenv LD_LIBRARY_PATH /usr/lib/mozilla-1.4

sh/bash:

LD_LIBRARY_PATH=/usr/lib/mozilla-1.4 ; export LD_LIBRARY_PATH

or sh/bash: run Gaim with this command:

LD_LIBRARY_PATH=/usr/lib/mozilla-1.4 gaim

If you have multiple versions of Mozilla installed, you might have some problems with which version is detected by ./configure and which libs are used at runtime. This is because, by default, ./configure uses pkg-config to find the Mozilla NSS & NSPR libs and includes. If you explicitly specify the Mozilla libs and includes to use with the --with-nss etc. options to ./configure then pkg-config will not be used, and you might have more success.

The notes below on installing Mozilla NSS & NSPR might also help.

GnuTLS
Thanks to sofar on #gaim for this:

Here's a list in the proper order which you need to install/compile, the versions and links I give compile normally on a reasonably clean system.

libgpg-error (needed by libgcrypt): ftp://ftp.gnupg.org/gcrypt/alpha/libgpg-error/libgpg-error-0.5.tar.gz

libgcrypt (needed by GnuTLS): ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/libgcrypt-1.1.43.tar.gz

libtasn1 (needed by GnuTLS): ftp://ftp.gnutls.org/pub/gnutls/libtasn1/attic/libtasn1-0.2.6.tar.gz

GnuTLS (needed by Gaim): ftp://ftp.gnutls.org/pub/gnutls/attic/gnutls-0.9.91.tar.gz

libopencdk is a PITA, don't use it, GnuTLS will break. Also version 0.9.92 of GnuTLS doesn't compile because the maintainer forgot to add 1 file needed. 0.9.91 works, so just do that.

You shouldn't need to pass any --with-xxx-libs/include to Gaim since everything is by default put in the normal include/lib dirs on my system. If you put any of the libs in obscure places you are daft, just don't do that ;^).

sofar

For FreeBSD (and, it seems, OpenBSD) users:

<synic> ok, gnutls 0.8.10 officially works on FreeBSD
<synic> and 0.8.6 doesn't :)

Thanks synic.

The notes below on installing GnuTLS as non-root might also help.

Non-root (mozilla-{nss,nspr} or GnuTLS already installed)
If you don't have root access on the system you're trying to install Gaim on, you need to configure Gaim to install under your home directory.

eg:

./configure --prefix=$HOME

If there are additional dependencies required that are not installed on the system, you'll need to install those in a similar manner and pass the correct locations to Gaim's ./configure as shown in the next sections.

Non-root including mozilla-{nss,nspr}
Download NSS & NSPR source from here: ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM/src/nss-3.9.2.tar.gz

Extract nss-3.9.2.tar.gz

cd nss-3.9.2/mozilla/security/nss
make nss_build_all
make install

If compiling on Solaris (and maybe other Unixes), the Mozilla build system defaults to using the OS supplied cc even if it's not in the path. You must force the build to use gcc using these make commands instead of the above. Also, make sure you have a relatively recent gcc (3.2.x has been reported to work, 3.1.x has been reported to fail). Thanks to Bill Tompkins for these pointers.


NS_USE_GCC=1 make nss_build_all
NS_USE_GCC=1 make install

On systems where make is not GNU make, use gmake. The above commands will build the libraries without optimizations and with debugging enabled. To build optimized libraries use these commands:


make BUILD_OPT=1 nss_build_all
make BUILD_OPT=1 install

Then:

mkdir -p $HOME/lib
mkdir -p $HOME/include/nspr
find ../../dist/*/lib -type l \
                \( -name "*.so" -o -name "*.chk" \) \
                -exec cp -L {} $HOME/lib \;
cp -Lr ../../dist/public/* $HOME/include
cp -Lr ../../dist/*/include/* $HOME/include/nspr

The above lines require GNU find & GNU cp. On Solaris you can get these from Sunfreeware.com in the findutils and coreutils packages (remember to make sure the GNU commands are in your path before the OS versions).

Gaim:

./configure --prefix=$HOME \
--with-nss-includes=$HOME/include/nss \
--with-nspr-includes=$HOME/include/nspr \
--with-nss-libs=$HOME/lib \
--with-nspr-libs=$HOME/lib
make
make install

You should now be able to use Gaim by running $HOME/bin/gaim
In some cases, it might be necessary to set LD_LIBRARY_PATH=$HOME/lib before running Gaim

Non-root including GnuTLS
This has been tested using the exact same versions of applications specified above in the GnuTLS section, with the exception of libtasn1 (GnuTLS actually includes a version of libtasn1 which seems to work).

libgpg-error:

./configure --prefix=$HOME
make
make install

libgcrypt:

# fix the configure script!
perl -pi -e 's/ --prefix=\$gpg_error_config_prefix//' configure
./configure --prefix=$HOME --with-gpg-error-prefix=$HOME
make
make install

gnutls:

LD_LIBRARY_PATH=$HOME/lib ./configure \
                  --prefix=$HOME --with-libgcrypt=$HOME
make
make install

Gaim:

./configure --prefix=$HOME --enable-gnutls=yes \
--with-gnutls-libs=$HOME/lib \
--with-gnutls-includes=$HOME/include
make
make install

You should now be able to use Gaim by running $HOME/bin/gaim
In some cases, it might be necessary to set LD_LIBRARY_PATH=$HOME/lib before running Gaim (this was not necessary on the tested system)

Troubleshooting

./configure
./configure will tell you when it is finished what SSL implementation is going to be used. You will get one of these 4 lines:
SSL Library/Libraries......... : None
SSL Library/Libraries......... : Mozilla NSS
SSL Library/Libraries......... : GnuTLS
SSL Library/Libraries......... : Mozilla NSS and GnuTLS

It should be fairly obvious that if it says "None", it is not going to work for you, so you should fix that by making sure you're passing the right --with-xxx-libs & --with-xxx-includes as described above before even bothering to try "make".

Compiling
If ./configure said it was going to compile with SSL but the make fails to build, it is likely that you have a broken installation of the chosen SSL libs. If you did not specify any --with-xxx-libs or --with-xxx-includes when running configure, try explicitly pointing it at your SSL libs & includes.

If it still fails during make, you should probably try the other SSL option and explicitly disable the one that failed with --enable-nss=no or --enable-gnutls=no as appropriate.

Runtime
If you've managed to build Gaim, with SSL support reported by ./configure and without any build failures, but when running it still complains, there are a few things you can try.

Make sure that you only have one copy of Gaim installed; it is possible that there is another one in your path that does not have SSL support. You can check which Gaim is being run with "which gaim", or you can be sure to run the version you've just compiled by specifying the full path to it. Note: ./configure will warn you if it finds an old version of Gaim already installed.

If you are sure that you are running your freshly compiled Gaim, check Gaim's SSL plugin is actually linked to the necessary libs. If you compiled with Mozilla NSS, you can do this (replace /usr/local/lib with the prefix you installed to):

$ ldd /usr/local/lib/gaim/ssl-nss.so
libnsl.so.1 => /lib/libnsl.so.1 (0x40023000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

That one is NOT linked against NSS, and will not work. Go back to the beginning and try again (or, if you also compiled with GnuTLS, keep reading).

$ ldd /usr/local/lib/gaim/ssl-nss.so
libnss3.so => /usr/lib/libnss3.so (0x4004e000)
libsmime3.so => /usr/lib/libsmime3.so (0x400b0000)
libssl3.so => /usr/lib/libssl3.so (0x400d0000)
libsoftokn3.so => /usr/lib/libsoftokn3.so (0x400f0000)
libpthread.so.0 => /lib/i686/libpthread.so.0 (0x40155000)
libdl.so.2 => /lib/libdl.so.2 (0x401a5000)
libnsl.so.1 => /lib/libnsl.so.1 (0x401a8000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libplc4.so => /usr/lib/libplc4.so (0x401bf000)
libplds4.so => /usr/lib/libplds4.so (0x401c4000)
libnspr4.so => /usr/lib/libnspr4.so (0x401c7000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

That one is linked against the necessary things, and all libs were found. If any of the bits on the right say "not found", then the compile worked but the libs cannot be found by the dynamic loader. See notes above about /etc/ld.so.conf, ldconfig and the LD_LIBRARY_PATH environment variable.

If you compiled with GnuTLS (or both), the steps to check the Gaim SSL plugin are similar to above, except the file to check is ssl-gnutls.so. The output should look like this if all is good:

$ ldd /usr/local/lib/gaim/ssl-gnutls.so
libgnutls.so.8 => /usr/lib/libgnutls.so.8 (0x40003000)
libgcrypt.so.7 => /usr/lib/libgcrypt.so.7 (0x4005e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x400c6000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libz.so.1 => /usr/lib/libz.so.1 (0x400dc000)
libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x400ea000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

For completeness, here's the output if it can't find some of the libs:

libgnutls.so.8 => not found
libgcrypt.so.7 => not found
libnsl.so.1 => /lib/libnsl.so.1 (0x002b7000)
libc.so.6 => /lib/tls/libc.so.6 (0x004f4000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x0088d000)
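
The three ldd outcomes described above (plugin not linked against the SSL library, linked with everything found, linked but "not found" at runtime) can be told apart by a small script. This is an added example, not part of the original FAQ or of Gaim; the function name classify_ldd and the per-backend lists of required libraries are assumptions taken from the listings above.

```shell
#!/bin/sh
# Added example: classify `ldd` output for a Gaim SSL plugin.
# The required-library lists are an assumption drawn from the listings above.

# classify_ldd KIND   (KIND = nss | gnutls); reads ldd output on stdin.
# Prints one of: ok | not-linked | missing-at-runtime
# Returns 0 only for "ok".
classify_ldd() {
    case "$1" in
        nss)    required="libnss3.so libssl3.so libnspr4.so" ;;
        gnutls) required="libgnutls.so libgcrypt.so" ;;
        *)      echo "usage: classify_ldd nss|gnutls" >&2; return 2 ;;
    esac
    out=$(cat)
    verdict=ok
    for lib in $required; do
        line=$(printf '%s\n' "$out" | grep -F "$lib" | head -n 1)
        if [ -z "$line" ]; then
            # No dependency entry at all: the plugin was built without it.
            echo "not-linked"
            return 1
        fi
        # An entry exists, but the dynamic loader may fail to resolve it.
        case "$line" in
            *"not found"*) verdict="missing-at-runtime" ;;
        esac
    done
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Sample inputs: ldd lines copied from this page (SAMPLE_NSS_OK is abridged).
SAMPLE_NOT_LINKED='libnsl.so.1 => /lib/libnsl.so.1 (0x40023000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)'

SAMPLE_NSS_OK='libnss3.so => /usr/lib/libnss3.so (0x4004e000)
libssl3.so => /usr/lib/libssl3.so (0x400d0000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libnspr4.so => /usr/lib/libnspr4.so (0x401c7000)'

SAMPLE_GNUTLS_MISSING='libgnutls.so.8 => not found
libgcrypt.so.7 => not found
libnsl.so.1 => /lib/libnsl.so.1 (0x002b7000)
libc.so.6 => /lib/tls/libc.so.6 (0x004f4000)'

# Demo on the samples. Against a real install you would run, for example:
#   ldd /usr/local/lib/gaim/ssl-nss.so | classify_ldd nss
printf '%s\n' "$SAMPLE_NOT_LINKED"     | classify_ldd nss    || true
printf '%s\n' "$SAMPLE_NSS_OK"         | classify_ldd nss    || true
printf '%s\n' "$SAMPLE_GNUTLS_MISSING" | classify_ldd gnutls || true
```

A "not-linked" verdict means rebuilding with the right --with-xxx-libs and --with-xxx-includes; "missing-at-runtime" means fixing /etc/ld.so.conf or LD_LIBRARY_PATH as described above.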