MSN certificate validation issues

Stu Tomlinson stu at nosnilmot.com
Fri Nov 19 15:47:38 EST 2010


Dear Packagers,

You have probably received reports of users being unable to connect to
MSN in Pidgin recently, with this error being reported:
"Unable to validate certificate.
The certificate for omega.contacts.msn.com could not be validated. The
certificate chain presented is invalid."

This is due to Microsoft renewing the certificate in question, but it
was signed by a newer intermediate certificate authority. On at least
some of their servers they have failed to update the certificate chain
that is presented on connection, resulting in an invalid chain that
Pidgin cannot verify.

The fix (until Microsoft fix their servers, if they ever do) is to
include the newer intermediate certificates with Pidgin/libpurple. This
is what we intend to do with Pidgin 2.7.6 due to be released this Sunday
2010-11-21:
http://developer.pidgin.im/viewmtn/revision/info/cd236baf6d00f3e1561a40974ce1828b793ea187

If you wish to provide updates for older versions of Pidgin, the
solution is to install Microsoft_Internet_Authority_2010.pem &
Microsoft_Secure_Server_Authority_2010.pem from the above commit in
$prefix/share/purple/ca-certs

These certificates can be validated against system SSL root CA
certificates using openssl:

$ cat Microsoft_Internet_Authority_2010.pem Microsoft_Secure_Server_Authority_2010.pem | openssl verify
stdin: OK

This issue does not affect the official MSN clients because Microsoft
already include the newer intermediate CA certificates in the Windows CA
store.

Regards,


Stu.
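
Added example, not part of the original message or of Pidgin's code: `openssl verify` examines only the first certificate it reads from a file or from standard input, so this script checks each intermediate file on its own and offers the CAs already checked through `-untrusted`. The function names `cert_count` and `verify_ca_chain` are hypothetical, and the files are assumed to be passed issuer first, in the order the message lists them.

```shell
#!/bin/sh
# verify_ca_chain ROOTS CERT...
#   ROOTS : PEM file of trusted roots, or "" for the system default store.
#   CERT  : PEM files holding one certificate each, ordered from the CA
#           nearest the root to the CA furthest from it (assumed order).
# Returns 0 if every file chains to a trusted root, 1 if any does not,
# 2 if a file is unreadable or does not hold exactly one certificate.

cert_count() {
    # grep -c exits non-zero when the count is 0; the count is still printed.
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

verify_ca_chain() {
    roots=$1; shift
    for cert in "$@"; do
        # A bundle would leave every certificate after the first unchecked,
        # so insist on exactly one certificate per file.
        [ -r "$cert" ] && [ "$(cert_count "$cert")" -eq 1 ] || return 2
    done
    bundle=$(mktemp) || return 2
    have_prev=""; rc=0
    for cert in "$@"; do
        # CAs checked earlier are offered as untrusted chain-building
        # material; trust comes only from ROOTS or the system store.
        if openssl verify ${roots:+-CAfile} ${roots:+"$roots"} \
               ${have_prev:+-untrusted} ${have_prev:+"$bundle"} \
               "$cert" 2>/dev/null | grep -q ': OK$'; then
            echo "OK    $cert"
        else
            echo "FAIL  $cert"; rc=1
        fi
        cat "$cert" >> "$bundle"; have_prev=1
    done
    rm -f "$bundle"
    return $rc
}

# Usage with the two files named in the message, against the system roots:
#   verify_ca_chain "" Microsoft_Internet_Authority_2010.pem \
#                      Microsoft_Secure_Server_Authority_2010.pem
```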


