"Invalid certificate chain"?

Ethan Blanton elb at pidgin.im
Tue Jul 15 21:44:57 EDT 2008


Mark Doliner spake unto us the following wisdom:
> I'm unable to log in to an XMPP account on the server jabber.ccc.de
> using libpurple when compiled with GnuTLS (I think we don't check
> certificates when using Mozilla-NSS?).  I get the "Invalid certificate
> chain" error that comes from libpurple/certificate.c:1339.  There's a
> note there that says, "TODO: Probably wrong."  Does anyone understand
> what it means to have an invalid certificate chain?  Is this less
> secure than a simple self-signed certificate?  Do we really want to
> not allow connecting to servers with invalid certificate chains?  Is
> this something we should prompt the user about?

What revision are you using?  I added the CA for that server on July
4, in revision ffcb4d5cb92af02af4c4fbac964ac5699071d29a.  If you're
using a revision prior to that, you'll get this error; if you're
getting an error since then, it's something more complicated.

I agree that our current situation seems too drastic; we probably
should have an "I know this is busted, use it anyway" option.

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764