"Invalid certificate chain"?
Mark Doliner
mark at kingant.net
Wed Oct 22 13:49:36 EDT 2008
2008/7/15 Peter Saint-Andre <stpeter at stpeter.im>:
> Andreas Monitzer wrote:
>> On Jul 15, 2008, at 21:50, Mark Doliner wrote:
>>> I'm unable to login to an XMPP account on the server jabber.ccc.de
>>> using libpurple when compiled with GnuTLS (I think we don't check
>>> certificates when using Mozilla-NSS?). I get the "Invalid certificate
>>> chain" error that comes from libpurple/certificate.c:1339. There's a
>>> note there that says, "TODO: Probably wrong." Does anyone understand
>>> what it means to have an invalid certificate chain? Is this less
>>> secure than a simple self-signed certificate? Do we really want to
>>> not allow connecting to servers with invalid certificate chains? Is
>>> this something we should prompt the user about?
>>
>> FYI, other than not knowing about the CAcert Root Cert, Mac OS X does not
>> have any problems with that certificate (using my cdsa-plugin for
>> libpurple).
>>
>> A failed cert check generally means that you know that you're connected
>> to someone talking proper TLS, but you can't verify who this peer is.
>> You're practically invulnerable to plain snooping, but you're vulnerable to
>> MitM-attacks.
>
> Right. In practice it could mean that you don't know the root cert, that the
> peer (here an XMPP server) has not presented the full certificate chain
> (e.g. for certs issued by xmpp.net the peer needs to present the domain cert
> and the cert of the intermediate CA), etc. So many things can go wrong with
> certificates... ;-)

FYI this is because a certificate in the certificate chain is signed
using RSA-MD2 or RSA-MD5, and these two digital signature algorithms
are considered broken. For more information see "Trading Security for
Interoperability" at
http://www.gnu.org/software/gnutls/manual/html_node/Digital-signatures.html

Our trac ticket for dealing with this is:
http://developer.pidgin.im/ticket/4458

-Mark