"Invalid certificate chain"?

Mark Doliner mark at kingant.net
Tue Jul 15 15:50:40 EDT 2008


I'm unable to log in to an XMPP account on the server jabber.ccc.de
using libpurple when compiled with GnuTLS (I think we don't check
certificates when using Mozilla-NSS?).  I get the "Invalid certificate
chain" error that comes from libpurple/certificate.c:1339.  There's a
note there that says, "TODO: Probably wrong."  Does anyone understand
what it means to have an invalid certificate chain?  Is this less
secure than a simple self-signed certificate?  Do we really want to
not allow connecting to servers with invalid certificate chains?  Is
this something we should prompt the user about?

FYI you can test this by trying to sign in with an invalid account (so
you don't actually need an account on that server to test it).  And
here's the debug log leading up to the error:

(12:43:28) gnutls: Starting handshake with jabber.ccc.de
(12:43:29) gnutls: Handshake complete
(12:43:29) gnutls/x509: Key print:
bf:bf:96:8d:84:9d:35:8b:e8:7d:e6:7e:10:d2:10:4d:bb:75:fb:47
(12:43:29) gnutls/x509: Key print:
db:4c:42:69:07:3f:e9:c2:a3:7d:89:0a:5c:1b:18:c4:18:4e:2a:2d
(12:43:29) gnutls/x509: Key print:
13:5c:ec:36:f4:9c:b8:e9:3b:1a:b2:70:cd:80:88:46:76:ce:8f:33
(12:43:29) gnutls: Peer provided 3 certs
(12:43:29) gnutls: Lvl 0 SHA1 fingerprint:
bf:bf:96:8d:84:9d:35:8b:e8:7d:e6:7e:10:d2:10:4d:bb:75:fb:47
(12:43:29) gnutls: Serial: 51:3c
(12:43:29) gnutls: Cert DN: C=DE,ST=Hamburg,L=Hamburg,O=Chaos Computer
Club e.V.,CN=jabber.ccc.de,EMAIL=webmaster at ccc.de
(12:43:29) gnutls: Cert Issuer DN: O=CAcert
Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
(12:43:29) gnutls: Lvl 1 SHA1 fingerprint:
db:4c:42:69:07:3f:e9:c2:a3:7d:89:0a:5c:1b:18:c4:18:4e:2a:2d
(12:43:29) gnutls: Serial: 01
(12:43:29) gnutls: Cert DN: O=CAcert
Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
(12:43:29) gnutls: Cert Issuer DN: O=Root
CA,OU=http://www.cacert.org,CN=CA Cert Signing
Authority,EMAIL=support at cacert.org
(12:43:29) gnutls: Lvl 2 SHA1 fingerprint:
13:5c:ec:36:f4:9c:b8:e9:3b:1a:b2:70:cd:80:88:46:76:ce:8f:33
(12:43:29) gnutls: Serial: 00
(12:43:29) gnutls: Cert DN: O=Root CA,OU=http://www.cacert.org,CN=CA
Cert Signing Authority,EMAIL=support at cacert.org
(12:43:29) gnutls: Cert Issuer DN: O=Root
CA,OU=http://www.cacert.org,CN=CA Cert Signing
Authority,EMAIL=support at cacert.org
(12:43:29) certificate/x509/tls_cached: Starting verify for jabber.ccc.de
(12:43:29) certificate/x509/tls_cached: Checking for cached cert...
(12:43:29) certificate/x509/tls_cached: ...Not in cache
(12:43:29) gnutls/x509: Certificate for
C=DE,ST=Hamburg,L=Hamburg,O=Chaos Computer Club
e.V.,CN=jabber.ccc.de,EMAIL=webmaster at ccc.de claims to be issued by
O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root, but the
certificate for C=DE,ST=Hamburg,L=Hamburg,O=Chaos Computer Club
e.V.,CN=jabber.ccc.de,EMAIL=webmaster at ccc.de does not match.
(12:43:29) certificate: Checking signature chain for
uid=C=DE,ST=Hamburg,L=Hamburg,O=Chaos Computer Club
e.V.,CN=jabber.ccc.de,EMAIL=webmaster at ccc.de
(12:43:29) certificate: ...Good signature by O=CAcert
Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
(12:43:29) gnutls/x509: Bad signature for O=Root
CA,OU=http://www.cacert.org,CN=CA Cert Signing
Authority,EMAIL=support at cacert.org on O=CAcert
Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
(12:43:29) certificate: ...Bad or missing signature by O=Root
CA,OU=http://www.cacert.org,CN=CA Cert Signing
Authority,EMAIL=support at cacert.org
Chain is INVALID
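Added example, not libpurple or GnuTLS code, of the checks the debug log above walks through: each level's issuer DN must equal the next level's subject DN, the next level's key must verify the signature, and the last cert must be a trusted root. The DNs are taken from the log; the keys and the toy textbook-RSA signature are constructed for illustration only.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA on constructed small primes: enough to show how a chain
# verifier walks issuer -> subject links, not a real signature scheme.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)
def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    pub: tuple   # (n, e) of the key this cert certifies
    sig: int     # issuer's signature over (subject, issuer, pub)
    def tbs(self) -> bytes:                       # the "to be signed" part
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

def issue(subject, issuer, subject_pub, issuer_priv) -> Cert:
    n, d = issuer_priv
    cert = Cert(subject, issuer, subject_pub, 0)
    cert.sig = pow(digest(cert.tbs(), n), d, n)
    return cert
def signed_by(cert: Cert, issuer_pub) -> bool:
    n, e = issuer_pub
    return pow(cert.sig, e, n) == digest(cert.tbs(), n)

def verify_chain(chain, trusted_roots) -> bool:
    """chain[0] is the server cert (Lvl 0); each cert must be issued by the next."""
    for lvl, cert in enumerate(chain[:-1]):
        nxt = chain[lvl + 1]
        if cert.issuer != nxt.subject:    # "claims to be issued by X, but ... does not match"
            return False
        if not signed_by(cert, nxt.pub):  # "Bad or missing signature by <issuer>"
            return False
    root = chain[-1]                      # anchor must be in our store and self-signed
    return root.subject in trusted_roots and signed_by(root, trusted_roots[root.subject])

def demo():
    root_pub, root_priv = make_key(15485863, 32452843)
    ca3_pub, ca3_priv = make_key(49979687, 67867967)
    srv_pub, _ = make_key(104729, 1299709)
    root = issue("CA Cert Signing Authority", "CA Cert Signing Authority", root_pub, root_priv)
    ca3 = issue("CAcert Class 3 Root", "CA Cert Signing Authority", ca3_pub, root_priv)
    srv = issue("jabber.ccc.de", "CAcert Class 3 Root", srv_pub, ca3_priv)
    store = {root.subject: root_pub}
    # Same DNs, but the intermediate was signed by some other key: the DN link holds,
    # the signature does not, which is the situation the debug log reports.
    _, other_priv = make_key(2147483647, 998244353)
    bad_ca3 = issue("CAcert Class 3 Root", "CA Cert Signing Authority", ca3_pub, other_priv)
    return verify_chain([srv, ca3, root], store), verify_chain([srv, bad_ca3, root], store)
```

`demo()` returns `(True, False)`: the intact chain verifies, the one whose intermediate carries a signature the trusted root's key cannot verify is rejected as invalid.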