"Invalid certificate chain"?

Peter Saint-Andre stpeter at stpeter.im
Tue Jul 15 16:28:21 EDT 2008


Andreas Monitzer wrote:
> On Jul 15, 2008, at 21:50, Mark Doliner wrote:
> 
>> I'm unable to login to an XMPP account on the server jabber.ccc.de
>> using libpurple when compiled with GnuTLS (I think we don't check
>> certificates when using Mozilla-NSS?).  I get the "Invalid certificate
>> chain" error that comes from libpurple/certificate.c:1339.  There's a
>> note there that says, "TODO: Probably wrong."  Does anyone understand
>> what it means to have an invalid certificate chain?  Is this less
>> secure than a simple self-signed certificate?  Do we really want to
>> not allow connecting to servers with invalid certificate chains?  Is
>> this something we should prompt the user about?
> 
> FYI, other than not knowing about the CAcert Root Cert, Mac OS X does
> not have any problems with that certificate (using my cdsa-plugin for
> libpurple).
> 
> A failed cert check generally means that you know that you're
> connected to someone talking proper TLS, but you can't verify who this
> peer is. You're practically invulnerable to plain snooping, but you're
> vulnerable to MitM-attacks.

Right. In practice it could mean that you don't know the root cert, that 
the peer (here an XMPP server) has not presented the full certificate 
chain (e.g. for certs issued by xmpp.net the peer needs to present the 
domain cert and the cert of the intermediate CA), etc. So many things 
can go wrong with certificates... ;-)

/psa
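To make the cases above concrete, here is a small added Go program. It is not libpurple code and does not use GnuTLS; it uses Go's standard crypto/x509 to build a throwaway root CA, intermediate CA and server certificate for the invented host jabber.example.org (all names are assumptions for the example), then runs the check a client performs with the full chain presented, with the intermediate left out, with the root absent from the client's trust store (the CAcert situation Andreas mentions), and with a name mismatch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template under parent with parentKey (self-signs when parent is
// nil) and returns the parsed certificate together with its fresh key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildTestChain generates root CA -> intermediate CA -> server certificate for
// host (the CA names are invented for this example), the shape Peter describes.
func BuildTestChain(host string) (root, inter, leaf *x509.Certificate, err error) {
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	root, rootKey, err := issue(ca(1, "Example Test Root CA"), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(ca(2, "Example Test Intermediate CA"), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // verifiers match the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return root, inter, leaf, err
}

// VerifyPresented is the client-side check: trusted is the local root store,
// presented the extra certificates the server sent in the handshake. It
// returns the length of the validated chain, or 0 and the verification error.
func VerifyPresented(leaf *x509.Certificate, trusted, presented []*x509.Certificate, host string) (int, error) {
	pool := func(certs []*x509.Certificate) *x509.CertPool {
		p := x509.NewCertPool() // empty but non-nil, so Verify never falls back to system roots
		for _, c := range certs {
			p.AddCert(c)
		}
		return p
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool(trusted), Intermediates: pool(presented)})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	root, inter, leaf, err := BuildTestChain("jabber.example.org")
	if err != nil {
		panic(err)
	}
	store, sent := []*x509.Certificate{root}, []*x509.Certificate{inter}
	fmt.Println(VerifyPresented(leaf, store, sent, "jabber.example.org")) // 3 <nil>
	fmt.Println(VerifyPresented(leaf, store, nil, "jabber.example.org"))  // 0, UnknownAuthorityError: intermediate not sent
	fmt.Println(VerifyPresented(leaf, nil, sent, "jabber.example.org"))   // 0, UnknownAuthorityError: root not in store
	fmt.Println(VerifyPresented(leaf, store, sent, "other.example.org"))  // 0, HostnameError
}
```

Note that the second and third cases fail with the same error type: from the client's side, a server that omitted its intermediate and a root the client has never heard of look identical, which is why a bare "Invalid certificate chain" message cannot tell the user whether the fix belongs on the server (send the intermediate) or on the client (import the root). In both failing cases the session is still encrypted but the peer is unauthenticated, exactly the MitM exposure Andreas describes.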