problems with MSN certificate chain

David Woolley forums at david-woolley.me.uk
Fri Jan 18 08:44:02 EST 2013


David Woolley wrote:

> 
> I tried using a Windows Pidgin (probably a little dated).  This also 

2.10.3, so not that dated.

> produces a certificate warning, but I imagine most Windows users would 
> just select the option to ignore the problem.
> 
> Looking at the certificate, I think the problem is that the certificate 
> is for contacts.msn.com, but the server is local-bay.contacts.msn.com. 
> An earlier certificate for a server in the contacts.msn.com domain 
> (omega.contacts.msn.com) seems to be a wild card certificate (Subject: 
> *.contacts.msn.com).

Although the lack of a wildcard may be a problem, based on off-list 
information from Matthias, it looks like Pidgin doesn't use the OS root 
certificates, even on Windows.

In my case, the intermediate certificate for Microsoft Internet 
Authority has expired.  My guess is that Pidgin only checks the chain 
when it sees a new certificate, so an out of date certificate may not 
show up immediately.

To the extent that that is the problem, simply replacing the .pem file 
with a current one should sort the problem.  I don't know if you will 
then get an error because of the wildcard problem.  The safest way to 
do this is probably to extract the current certificate from a web 
browser.  Simply publishing the certificate on the internet is not safe, 
as most people, particularly on non-Windows systems, will not be able to 
validate it properly against the Baltimore CyberTrust one.

If exporting from Windows, you probably need the base 64 option when 
doing copy to file.

As I'm not actively using Pidgin for MSN, I don't want to download the 
latest Pidgin in peak time, but if anyone else could check the expiry 
date on the certificate, it would be useful.  On Windows it is in 
\program files\pidgin\ca-certs.  You will need to copy it to a .cer name 
before you can launch the Windows certificate viewer.

According to Matthias, on *nix, it is under 
/usr/local/share/purple/ca-certs.  You will probably need to use OpenSSL 
to view the details.
-- 
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.