"Invalid certificate chain"?
Andreas Monitzer
pidgin at monitzer.com
Tue Jul 15 16:12:52 EDT 2008
On Jul 15, 2008, at 21:50, Mark Doliner wrote:
> I'm unable to login to an XMPP account on the server jabber.ccc.de
> using libpurple when compiled with GnuTLS (I think we don't check
> certificates when using Mozilla-NSS?). I get the "Invalid certificate
> chain" error that comes from libpurple/certificate.c:1339. There's a
> note there that says, "TODO: Probably wrong." Does anyone understand
> what it means to have an invalid certificate chain? Is this less
> secure than a simple self-signed certificate? Do we really want to
> not allow connecting to servers with invalid certificate chains? Is
> this something we should prompt the user about?
FYI, other than not knowing about the CAcert Root Cert, Mac OS X does
not have any problems with that certificate (using my cdsa-plugin for
libpurple).
A failed cert check generally means that you know that you're
connected to someone talking proper TLS, but you can't verify who this
peer is. You're practically invulnerable to plain snooping, but you're
vulnerable to MitM-attacks.
Adium also presents an error when a cert check fails, but allows the
user to proceed anyways. It's also possible to disable the cert check
on a per-account basis.
andy
More information about the Devel
mailing list