"Invalid certificate chain"?

Mark Doliner mark at kingant.net
Wed Oct 22 13:49:36 EDT 2008

2008/7/15 Peter Saint-Andre <stpeter at stpeter.im>:
> Andreas Monitzer wrote:
>> On Jul 15, 2008, at 21:50, Mark Doliner wrote:
>>> I'm unable to log in to an XMPP account on the server jabber.ccc.de
>>> using libpurple when compiled with GnuTLS (I think we don't check
>>> certificates when using Mozilla-NSS?).  I get the "Invalid certificate
>>> chain" error that comes from libpurple/certificate.c:1339.  There's a
>>> note there that says, "TODO: Probably wrong."  Does anyone understand
>>> what it means to have an invalid certificate chain?  Is this less
>>> secure than a simple self-signed certificate?  Do we really want to
>>> not allow connecting to servers with invalid certificate chains?  Is
>>> this something we should prompt the user about?
>> FYI, other than not knowing about the CAcert Root Cert, Mac OS X does not
>> have any problems with that certificate (using my cdsa-plugin for
>> libpurple).
>> A failed cert check generally means that you know that you're connected
>> to someone talking proper TLS, but you can't verify who this peer is.
>> You're practically invulnerable to plain snooping, but you're vulnerable to
>> MitM-attacks.
> Right. In practice it could mean that you don't know the root cert, that the
> peer (here an XMPP server) has not presented the full certificate chain
> (e.g. for certs issued by xmpp.net the peer needs to present the domain cert
> and the cert of the intermediate CA), etc. So many things can go wrong with
> certificates... ;-)

FYI this is because a certificate in the certificate chain is signed
using RSA-MD2 or RSA-MD5, and these two digital signature algorithms
are considered broken.  For more information see "Trading Security for
Interoperability" at

Our trac ticket for dealing with this is:

