"Invalid certificate chain"?

Andreas Monitzer pidgin at monitzer.com
Tue Jul 15 16:12:52 EDT 2008


On Jul 15, 2008, at 21:50, Mark Doliner wrote:

> I'm unable to login to an XMPP account on the server jabber.ccc.de
> using libpurple when compiled with GnuTLS (I think we don't check
> certificates when using Mozilla-NSS?).  I get the "Invalid certificate
> chain" error that comes from libpurple/certificate.c:1339.  There's a
> note there that says, "TODO: Probably wrong."  Does anyone understand
> what it means to have an invalid certificate chain?  Is this less
> secure than a simple self-signed certificate?  Do we really want to
> not allow connecting to servers with invalid certificate chains?  Is
> this something we should prompt the user about?

FYI, other than not knowing about the CAcert Root Cert, Mac OS X does
not have any problems with that certificate (using my cdsa-plugin for
libpurple).

A failed cert check generally means that you know that you're
connected to someone talking proper TLS, but you can't verify who this
peer is. You're practically invulnerable to plain snooping, but you're
vulnerable to MitM attacks.

Adium also presents an error when a cert check fails, but allows the
user to proceed anyways. It's also possible to disable the cert check
on a per-account basis.

andy
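The distinction drawn above (encrypted session, unverified peer) is exactly what a chain check decides. The following is an added Go example, not code from this thread, libpurple or Adium: it issues throwaway certificates (constructed names "Test Root CA" and "jabber.example", key-usage extensions omitted for brevity) and shows one certificate rejected as unknown-authority while its issuing root is missing from the trust store (the CAcert situation described above), accepted once that root is trusted, and a self-signed certificate rejected the same way.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a short-lived test certificate for cn; self-signed when parent is nil.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the certificate is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err) // fixture setup must not fail
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// classify validates leaf for host against roots and names the outcome a client should act on.
func classify(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	switch err.(type) {
	case nil:
		return "trusted" // chain ends in a root we trust: the peer is who it claims to be
	case x509.UnknownAuthorityError:
		return "unknown-authority" // chain is well-formed but its root is not in the trust store
	}
	return "invalid: " + err.Error() // hostname mismatch, expiry, bad signature, ...
}

// demo: CA-signed cert with the root missing, the same cert with the root trusted, and a self-signed cert.
func demo() (caSignedNoRoot, caSignedWithRoot, selfSigned string) {
	root, rootKey := mkCert("Test Root CA", true, nil, nil)
	leaf, _ := mkCert("jabber.example", false, root, rootKey)
	self, _ := mkCert("jabber.example", false, nil, nil)
	empty, trusted := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(root)
	return classify(leaf, "jabber.example", empty), classify(leaf, "jabber.example", trusted), classify(self, "jabber.example", trusted)
}
```

Note that from the verifier's point of view a chain whose root is unknown and a plain self-signed certificate fail identically: neither proves the peer's identity, so adding the missing root to the trust store is the fix, not disabling the check.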