problems with MSN certificate chain
David Woolley
forums at david-woolley.me.uk
Fri Jan 18 11:34:03 EST 2013
Ethan Blanton wrote:
>
> On Windows, we don't use the system store. I don't know why not, I
> assume it's painful, probably because of poor OS design and
> implementation.

Probably because one would have to use all of the Windows public key
infrastructure, instead of the open source implementation.
The non-Windows ones are probably designed for use with OpenSSL.

In Matthias' case, he ran a system call trace, and Pidgin is using
/usr/local/share/purple/ca-certs, which is clearly a private store in
Pidgin. This is on FreeBSD.

The Microsoft Internet Authority certificate in 2.10.3 expired in
February 2011. My Windows copy was installed in March 2012 and would
have been current, then.

It looks like the Microsoft Internet Authority certificate in the source
tarball for 2.10.6 is also expired (on February 19th 2011), even though
the extracted file is dated 2012-07-01. As that is the current
version, there is definitely a *problem* with Pidgin on any system using
the certificates it provides.

(As it looks like Pidgin caches the server certificates, I suspect the
problem only shows up when people use a server they weren't previously
using, or which, itself, has expired. On the other hand, it should not
be using a certificate that is past the lowest expiry date of any
certificate on its chain.)
--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
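
The check described in the message above, as an added example that is not part of the original post or of Pidgin: a shell function that audits a directory of bundled PEM CA certificates (such as /usr/local/share/purple/ca-certs) with the `openssl x509` command. The helper `make_sample_store` is hypothetical and only generates constructed test certificates so the script can be exercised offline.

```shell
#!/bin/sh
# Added example: list certificates in a private CA store that are expired
# or about to expire. Requires the openssl command-line tool.

# expiring_certs DIR [SECONDS]
#   SECONDS=0 (default) lists certificates that are already expired;
#   a larger value lists those that expire within that many seconds.
# Output: one line per match, "<file name><TAB><notAfter date>".
expiring_certs() {
    dir=$1
    window=${2:-0}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip files that do not parse as an X.509 certificate.
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || continue
        # -checkend exits non-zero when the certificate's notAfter
        # falls within the next $window seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1
        then
            printf '%s\t%s\n' "${f##*/}" "${end#notAfter=}"
        fi
    done
}

# Hypothetical helper: fill DIR with constructed self-signed certificates
# (valid for 1 day and for 365 days) plus one non-certificate file.
make_sample_store() {
    for spec in short-lived:1 long-lived:365; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "${spec#*:}" \
            -subj "/CN=constructed ${spec%%:*} CA" \
            -keyout "$1/tmp.key" -out "$1/${spec%%:*}.pem" 2>/dev/null
    done
    rm -f "$1/tmp.key"
    echo "not a certificate" > "$1/README"
}

# Stand-alone use: sh audit.sh /usr/local/share/purple/ca-certs [SECONDS]
if [ -n "${1:-}" ]; then
    expiring_certs "$@"
fi
```

Run with a window of 0 against an unpacked source tarball or an installed store, any line printed is a bundled certificate that can no longer anchor a valid chain.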