problems with MSN certificate chain

David Woolley forums at
Fri Jan 18 11:34:03 EST 2013

Ethan Blanton wrote:

> On Windows, we don't use the system store.  I don't know why not, I
> assume it's painful, probably because of poor OS design and
> implementation.

Probably because one would have to use all of the Windows public key 
infrastructure, instead of the open source implementation.

The non-Windows ones are probably designed for use with OpenSSL.

In Matthias' case, he ran a system call trace, and Pidgin is using 
/usr/local/share/purple/ca-certs, which is clearly a private store in 
Pidgin.  This is on FreeBSD.

The Microsoft Internet Authority certificate in 2.10.3 expired in 
February 2011.  My Windows copy was installed in March 2012 and would 
have been current, then.

It looks like the Microsoft Internet Authority certificate in the source 
tarball for 2.10.6 is also expired (on February 19th 2011), even though 
the extracted file is dated 2012-07-01.  As that is the current 
version, there is definitely a *problem* with Pidgin on any system using 
the certificates it provides.

(As it looks like Pidgin caches the server certificates, I suspect the 
problem only shows up when people use a server they weren't previously 
using, or which, itself, has expired.  On the other hand, it should not 
be using a certificate that is past the lowest expiry date of any 
certificate on its chain.)

David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
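
An added example, not part of the original message and not Pidgin's own code: a shell function that checks a bundled CA directory, such as the /usr/local/share/purple/ca-certs store mentioned above, for certificates that are expired or about to expire. It assumes the openssl command-line tool is installed and that each file holds one PEM certificate; the function name expired_certs is hypothetical.

```shell
#!/bin/sh
# Added example: audit a private CA store for expired certificates.
# Assumption: one PEM certificate per file (openssl x509 reads only the
# first certificate in a file, so bundles need splitting first).

# expired_certs DIR [WINDOW_SECONDS]
# Prints "path<TAB>notAfter<TAB>subject" for every certificate whose
# notAfter falls before now + WINDOW_SECONDS (default 0 = already expired).
# Returns 0 if none were found, 1 if at least one was, 2 on a bad directory.
expired_certs() {
    dir=$1
    window=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip anything that does not parse as a PEM certificate.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when the certificate will have expired
        # WINDOW_SECONDS from now.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
            subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
            printf '%s\t%s\t%s\n' "$f" "$end" "$subj"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use, e.g.:  sh audit.sh /usr/local/share/purple/ca-certs 2592000
# (the second argument, 30 days in seconds, also flags certificates close to expiry)
if [ $# -gt 0 ]; then
    expired_certs "$@"
fi
```

Run against an unpacked source tarball's certificate directory before packaging, the non-zero exit status lets a build or cron job fail when a bundled CA certificate has lapsed.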