Pidgin does not validate correctly certificate chain

Eion Robb eion at robbmob.com
Tue Jul 9 20:00:23 EDT 2019


Hi Luiz,

(looping in devel and security mailing lists)
Apologies for there not being any follow-up to your ticket.  We are just a
bunch of volunteers who work on Pidgin in our spare time, so promptness
isn't always guaranteed.

To help with your ticket, do you have an example server that we can test
against?  a) to test if things are broken using NSS instead of gnutls and
b) to verify any potential fixes?  It's probably safe to say that the setup
you've got isn't the majority of SSL use-cases and I doubt that any of us
who work on Pidgin would have certs in a similar setup.

I see that you've also had a look through how the code works for the gnutls
verification.  Have you had a chance to try fixing the issue yourself?  If
so, are there any patches or PRs that you might be interested in supplying
to help speed things along?

Cheers,
Eion




On Wed, 10 Jul 2019 at 05:44, Luiz Angelo Daros de Luca <luizluca at gmail.com>
wrote:

> Hello,
>
> I've opened a bug report regarding this issue.
>
> https://developer.pidgin.im/ticket/17393
>
> But there is no feedback for it. It could even be classified as a security
> bug as pidgin/libpurple is not validating certificates correctly, resulting
> in name constraints errors (both validating where it should not and not
> checking it when it should).
>
> Regards,
> ---
>      Luiz Angelo Daros de Luca
>             luizluca at gmail.com
> _______________________________________________
> Support at pidgin.im mailing list
> Want to unsubscribe?  Use this link:
> https://lists.pidgin.im/listinfo/support