problems with MSN certificate chain
forums at david-woolley.me.uk
Fri Jan 18 08:44:02 EST 2013
David Woolley wrote:
> I tried using a Windows Pidgin (probably a little dated). This also
2.10.3, so not that dated.
> produces a certificate warning, but I imagine most Windows users would
> just select the option to ignore the problem.
> Looking at the certificate, I think the problem is that the certificate
> is for contacts.msn.com, but the server is local-bay.contacts.msn.com.
> An earlier certificate for a server in the contacts.msn.com domain
> (omega.contacts.msn.com) seems to be a wild card certificate (Subject:
Although the lack of wild card may be a problem, based on off list
information from Matthias, it looks like Pidgin doesn't use the OS root
certificates, even on Windows.
In my case, the intermediate certificate for Microsoft Internet
Authority has expired. My guess is that Pidgin only checks the chain
when it sees a new certificate, so an out of date certificate may not
show up immediately.
To the extent that that is the problem, simply replacing the .pem file
with a current one, should sort the problem. I don't know if you will
then get an error because of the wild card problem. The safest way to
do this is probably to extract the current certificate from a web
browser. Simply publishing the certificate on the internet is not safe,
as most people, particular on non-Windows systems, will not be able to
validate it properly against the Baltimore Cyber Trust one.
If exporting from Windows, you probably need the base 64 option when
doing copy to file.
As I'm not actively using Pidgin for MSN, I don't want to download the
latest Pidgin in peak time, but if anyone else could check the expiry
date on the certificate, it would be useful. On Windows it is in
\program files\pidgin\ca-certs. You will need to copy it to a .cer name
before you can launch the Windows certificate viewer.
According to Matthias, on *nix, it is under
/usr/local/share/purple/ca-certs. You will probably need to use OpenSSL
to view the details.
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
More information about the Support