[Pidgin] #4725: Look deep into SSL certificate chain for issuers

Pidgin trac at pidgin.im
Wed Feb 20 20:40:23 EST 2008


#4725: Look deep into SSL certificate chain for issuers
------------------------+---------------------------------------------------
  Reporter:  wehlhard   |       Owner:       
      Type:  defect     |      Status:  new  
  Priority:  minor      |   Milestone:       
 Component:  libpurple  |     Version:  2.3.1
Resolution:             |    Keywords:       
   Pending:  0          |  
------------------------+---------------------------------------------------
Old description:

> The following certificate chain should be valid, even though the
> signatures are not in order.
>

>
> (16:37:17) account: Connecting to account XXXXXXX at jabber.wit.edu.pl/Home
> (16:37:17) connection: Connecting. gc = 0x81a170
> (16:37:17) dnssrv: querying SRV record for _xmpp-
> client._tcp.jabber.wit.edu.pl
> (16:37:17) dnssrv: found 0 SRV entries
> (16:37:17) dns: DNS query for 'jabber.wit.edu.pl' queued
> (16:37:17) dns: Created new DNS child 11558, there are now 1 children.
> (16:37:17) dns: Successfully sent DNS request to child 11558
> (16:37:17) dns: Got response for 'jabber.wit.edu.pl'
> (16:37:17) dnsquery: IP resolved for jabber.wit.edu.pl
> (16:37:17) proxy: Attempting connection to 213.135.44.44
> (16:37:17) proxy: Connecting to jabber.wit.edu.pl:5222 with no proxy
> (16:37:17) proxy: Connection in progress
> (16:37:17) proxy: Connected to jabber.wit.edu.pl:5222.
> (16:37:17) jabber: Sending: <?xml version='1.0' ?>
> (16:37:17) jabber: Sending: <stream:stream to='jabber.wit.edu.pl'
> xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'
> version='1.0'>
> (16:37:17) jabber: Recv (191): <?xml version='1.0'?><stream:stream
> xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client'
> from='jabber.wit.edu.pl' version='1.0'
> id='5ffnpytmt2kv47ef7x47ncktkzbgeebjtr6ip04j'>
> (16:37:17) jabber: Recv (205): <stream:features
> xmlns:stream='http://etherx.jabber.org/streams'><starttls
> xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls><auth
> xmlns='http://jabber.org/features/iq-auth'/></stream:features>
> (16:37:17) jabber: Sending: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-
> tls'/>
> (16:37:17) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns
> :xmpp-tls'/>
> (16:37:17) gnutls: Starting handshake with jabber.wit.edu.pl
> (16:37:18) gnutls: Handshake complete
> (16:37:18) gnutls/x509: Key print:
> 8a:0f:7f:8d:6f:c2:3c:26:8c:b0:3d:3e:6a:4c:5a:83:fe:3a:46:10
> (16:37:18) gnutls/x509: Key print:
> 7a:01:f0:22:a2:02:42:45:7d:75:36:09:df:ff:00:35:e4:a2:33:f4
> (16:37:18) gnutls/x509: Key print:
> 80:c3:bb:cc:87:e1:0f:28:43:8b:7b:b8:f0:74:b9:7b:f9:c0:0d:f7
> (16:37:18) gnutls/x509: Key print:
> 06:6f:c8:54:cc:cd:73:95:21:af:ee:ef:0c:43:ff:cd:6a:11:6b:bf
> (16:37:18) gnutls/x509: Key print:
> 2e:de:f1:e8:66:d8:51:13:0d:a4:3d:b8:ec:d3:26:c8:43:d0:7e:ea
> (16:37:18) gnutls/x509: Key print:
> 62:52:dc:40:f7:11:43:a2:2f:de:9e:f7:34:8e:06:42:51:b1:81:18
> (16:37:18) gnutls: Peer provided 6 certs
> (16:37:18) gnutls: Lvl 0 SHA1 fingerprint:
> 8a:0f:7f:8d:6f:c2:3c:26:8c:b0:3d:3e:6a:4c:5a:83:fe:3a:46:10
> (16:37:18) gnutls: Serial: 03:b9:1c
> (16:37:18) gnutls: Cert DN: C=PL,O=Wyzsza Szkola Informatyki Stosowanej i
> Zarzadzania,OU=Laboratoria
> Komputerowe,CN=jabber.wit.edu.pl,EMAIL=admin at wit.edu.pl
> (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum
> Level III
> (16:37:18) gnutls: Lvl 1 SHA1 fingerprint:
> 7a:01:f0:22:a2:02:42:45:7d:75:36:09:df:ff:00:35:e4:a2:33:f4
> (16:37:18) gnutls: Serial: 01:00:21
> (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum Level I
> (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
> (16:37:18) gnutls: Lvl 2 SHA1 fingerprint:
> 80:c3:bb:cc:87:e1:0f:28:43:8b:7b:b8:f0:74:b9:7b:f9:c0:0d:f7
> (16:37:18) gnutls: Serial: 01:00:22
> (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum Level II
> (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
> (16:37:18) gnutls: Lvl 3 SHA1 fingerprint:
> 06:6f:c8:54:cc:cd:73:95:21:af:ee:ef:0c:43:ff:cd:6a:11:6b:bf
> (16:37:18) gnutls: Serial: 01:00:23
> (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum Level III
> (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
> (16:37:18) gnutls: Lvl 4 SHA1 fingerprint:
> 2e:de:f1:e8:66:d8:51:13:0d:a4:3d:b8:ec:d3:26:c8:43:d0:7e:ea
> (16:37:18) gnutls: Serial: 01:00:24
> (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum Level IV
> (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
> (16:37:18) gnutls: Lvl 5 SHA1 fingerprint:
> 62:52:dc:40:f7:11:43:a2:2f:de:9e:f7:34:8e:06:42:51:b1:81:18
> (16:37:18) gnutls: Serial: 01:00:20
> (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
> (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
> (16:37:18) certificate/x509/tls_cached: Starting verify for
> jabber.wit.edu.pl
> (16:37:18) certificate/x509/tls_cached: Checking for cached cert...
> (16:37:18) certificate/x509/tls_cached: ...Found cached cert
> (16:37:18) gnutls: Attempting to load X.509 certificate from
> /home/faustov/.purple/certificates/x509/tls_peers/jabber.wit.edu.pl
> (16:37:18) certificate/x509/tls_cached: Peer cert did NOT match cached
> (16:37:18) certificate/x509/tls_cached: Certificate for jabber.wit.edu.pl
> does not match cached. Auto-rejecting!
> (16:37:18) certificate: Failed to verify certificate for
> jabber.wit.edu.pl
> (16:37:18) dbus: Need to register an object with the dbus subsystem. (If
> you are not a developer, please ignore this message.)
> (16:37:18) dbus: The signal "account-error-changed" caused some dbus
> error. (If you are not a developer, please ignore this message.)
> (16:37:18) g_log: file dbus-server.c: line 735
> (purple_dbus_message_append_purple_values): should not be reached
> (16:37:18) dbus: The signal "connection-error" caused some dbus error.
> (If you are not a developer, please ignore this message.)
> (16:37:18) account: Disconnecting account 0x74aca0
> (16:37:18) connection: Disconnecting connection 0x81a170
> (16:37:18) connection: Destroying connection 0x81a170
> (16:37:22) util: Writing file accounts.xml to directory
> /home/faustov/.purple
> (16:37:22) util: Writing file /home/faustov/.purple/accounts.xml

New description:

 The following certificate chain should be valid, even though the
 signatures are not in order.


 {{{
 (16:37:17) account: Connecting to account XXXXXXX at jabber.wit.edu.pl/Home
 (16:37:17) connection: Connecting. gc = 0x81a170
 (16:37:17) dnssrv: querying SRV record for _xmpp-
 client._tcp.jabber.wit.edu.pl
 (16:37:17) dnssrv: found 0 SRV entries
 (16:37:17) dns: DNS query for 'jabber.wit.edu.pl' queued
 (16:37:17) dns: Created new DNS child 11558, there are now 1 children.
 (16:37:17) dns: Successfully sent DNS request to child 11558
 (16:37:17) dns: Got response for 'jabber.wit.edu.pl'
 (16:37:17) dnsquery: IP resolved for jabber.wit.edu.pl
 (16:37:17) proxy: Attempting connection to 213.135.44.44
 (16:37:17) proxy: Connecting to jabber.wit.edu.pl:5222 with no proxy
 (16:37:17) proxy: Connection in progress
 (16:37:17) proxy: Connected to jabber.wit.edu.pl:5222.
 (16:37:17) jabber: Sending: <?xml version='1.0' ?>
 (16:37:17) jabber: Sending: <stream:stream to='jabber.wit.edu.pl'
 xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'
 version='1.0'>
 (16:37:17) jabber: Recv (191): <?xml version='1.0'?><stream:stream
 xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client'
 from='jabber.wit.edu.pl' version='1.0'
 id='5ffnpytmt2kv47ef7x47ncktkzbgeebjtr6ip04j'>
 (16:37:17) jabber: Recv (205): <stream:features
 xmlns:stream='http://etherx.jabber.org/streams'><starttls
 xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls><auth
 xmlns='http://jabber.org/features/iq-auth'/></stream:features>
 (16:37:17) jabber: Sending: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-
 tls'/>
 (16:37:17) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-
 tls'/>
 (16:37:17) gnutls: Starting handshake with jabber.wit.edu.pl
 (16:37:18) gnutls: Handshake complete
 (16:37:18) gnutls/x509: Key print:
 8a:0f:7f:8d:6f:c2:3c:26:8c:b0:3d:3e:6a:4c:5a:83:fe:3a:46:10
 (16:37:18) gnutls/x509: Key print:
 7a:01:f0:22:a2:02:42:45:7d:75:36:09:df:ff:00:35:e4:a2:33:f4
 (16:37:18) gnutls/x509: Key print:
 80:c3:bb:cc:87:e1:0f:28:43:8b:7b:b8:f0:74:b9:7b:f9:c0:0d:f7
 (16:37:18) gnutls/x509: Key print:
 06:6f:c8:54:cc:cd:73:95:21:af:ee:ef:0c:43:ff:cd:6a:11:6b:bf
 (16:37:18) gnutls/x509: Key print:
 2e:de:f1:e8:66:d8:51:13:0d:a4:3d:b8:ec:d3:26:c8:43:d0:7e:ea
 (16:37:18) gnutls/x509: Key print:
 62:52:dc:40:f7:11:43:a2:2f:de:9e:f7:34:8e:06:42:51:b1:81:18
 (16:37:18) gnutls: Peer provided 6 certs
 (16:37:18) gnutls: Lvl 0 SHA1 fingerprint:
 8a:0f:7f:8d:6f:c2:3c:26:8c:b0:3d:3e:6a:4c:5a:83:fe:3a:46:10
 (16:37:18) gnutls: Serial: 03:b9:1c
 (16:37:18) gnutls: Cert DN: C=PL,O=Wyzsza Szkola Informatyki Stosowanej i
 Zarzadzania,OU=Laboratoria
 Komputerowe,CN=jabber.wit.edu.pl,EMAIL=admin at wit.edu.pl
 (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum
 Level III
 (16:37:18) gnutls: Lvl 1 SHA1 fingerprint:
 7a:01:f0:22:a2:02:42:45:7d:75:36:09:df:ff:00:35:e4:a2:33:f4
 (16:37:18) gnutls: Serial: 01:00:21
 (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum Level I
 (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
 (16:37:18) gnutls: Lvl 2 SHA1 fingerprint:
 80:c3:bb:cc:87:e1:0f:28:43:8b:7b:b8:f0:74:b9:7b:f9:c0:0d:f7
 (16:37:18) gnutls: Serial: 01:00:22
 (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum Level II
 (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
 (16:37:18) gnutls: Lvl 3 SHA1 fingerprint:
 06:6f:c8:54:cc:cd:73:95:21:af:ee:ef:0c:43:ff:cd:6a:11:6b:bf
 (16:37:18) gnutls: Serial: 01:00:23
 (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum Level III
 (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
 (16:37:18) gnutls: Lvl 4 SHA1 fingerprint:
 2e:de:f1:e8:66:d8:51:13:0d:a4:3d:b8:ec:d3:26:c8:43:d0:7e:ea
 (16:37:18) gnutls: Serial: 01:00:24
 (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum Level IV
 (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
 (16:37:18) gnutls: Lvl 5 SHA1 fingerprint:
 62:52:dc:40:f7:11:43:a2:2f:de:9e:f7:34:8e:06:42:51:b1:81:18
 (16:37:18) gnutls: Serial: 01:00:20
 (16:37:18) gnutls: Cert DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
 (16:37:18) gnutls: Cert Issuer DN: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
 (16:37:18) certificate/x509/tls_cached: Starting verify for
 jabber.wit.edu.pl
 (16:37:18) certificate/x509/tls_cached: Checking for cached cert...
 (16:37:18) certificate/x509/tls_cached: ...Found cached cert
 (16:37:18) gnutls: Attempting to load X.509 certificate from
 /home/faustov/.purple/certificates/x509/tls_peers/jabber.wit.edu.pl
 (16:37:18) certificate/x509/tls_cached: Peer cert did NOT match cached
 (16:37:18) certificate/x509/tls_cached: Certificate for jabber.wit.edu.pl
 does not match cached. Auto-rejecting!
 (16:37:18) certificate: Failed to verify certificate for jabber.wit.edu.pl
 (16:37:18) dbus: Need to register an object with the dbus subsystem. (If
 you are not a developer, please ignore this message.)
 (16:37:18) dbus: The signal "account-error-changed" caused some dbus
 error. (If you are not a developer, please ignore this message.)
 (16:37:18) g_log: file dbus-server.c: line 735
 (purple_dbus_message_append_purple_values): should not be reached
 (16:37:18) dbus: The signal "connection-error" caused some dbus error. (If
 you are not a developer, please ignore this message.)
 (16:37:18) account: Disconnecting account 0x74aca0
 (16:37:18) connection: Disconnecting connection 0x81a170
 (16:37:18) connection: Destroying connection 0x81a170
 (16:37:22) util: Writing file accounts.xml to directory
 /home/faustov/.purple
 (16:37:22) util: Writing file /home/faustov/.purple/accounts.xml
 }}}

-- 
Ticket URL: <http://developer.pidgin.im/ticket/4725#comment:3>
Pidgin <http://pidgin.im>
Pidgin
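The log above shows the leaf's issuer (Certum Level III) arriving at Lvl 3 rather than Lvl 1, so a check that only links each certificate to the next one in wire order cannot connect them. The following is an added example, not libpurple or GnuTLS code: it orders such a chain by looking up each issuer DN among all peer certificates. `struct cert`, `adjacent_ok` and `build_path` are hypothetical names, and the DNs are constructed from the log with the leaf shortened to its CN.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a parsed certificate; only the two DNs matter for ordering.
 * Entries are constructed from the log, in the order the peer sent them. */
struct cert { const char *subject; const char *issuer; };
static const struct cert peer_chain[] = {
    { "CN=jabber.wit.edu.pl", "CN=Certum Level III" },
    { "CN=Certum Level I",    "CN=Certum CA" },
    { "CN=Certum Level II",   "CN=Certum CA" },
    { "CN=Certum Level III",  "CN=Certum CA" },
    { "CN=Certum Level IV",   "CN=Certum CA" },
    { "CN=Certum CA",         "CN=Certum CA" },
};
#define CHAIN_LEN ((int)(sizeof peer_chain / sizeof peer_chain[0]))

/* Wire-order check: succeeds only if chain[i+1] is the issuer of chain[i]. */
int adjacent_ok(const struct cert *chain, int n)
{
    for (int i = 0; i + 1 < n; i++)
        if (strcmp(chain[i].issuer, chain[i + 1].subject) != 0) return 0;
    return 1;
}

/* Walk from chain[0] (the leaf) to a self-issued cert, searching the whole
 * set for each issuer. Fills path[] with indices and returns the length, or
 * -1 if an issuer is missing. DN matching only orders the path: every link's
 * signature and the root's presence in the trust store must still be checked. */
int build_path(const struct cert *chain, int n, int *path)
{
    int used[64] = {0}, cur = 0, len = 0;
    if (n <= 0 || n > 64) return -1;
    for (;;) {
        int next = -1;
        path[len++] = cur;
        used[cur] = 1;                       /* never revisit: no loops */
        if (strcmp(chain[cur].subject, chain[cur].issuer) == 0) return len;
        for (int i = 0; i < n && next < 0; i++)
            if (!used[i] && strcmp(chain[i].subject, chain[cur].issuer) == 0)
                next = i;
        if (next < 0) return -1;             /* issuer not among peer certs */
        cur = next;
    }
}

int main(void)
{
    int path[64], len = build_path(peer_chain, CHAIN_LEN, path);
    printf("wire order links: %s\n", adjacent_ok(peer_chain, CHAIN_LEN) ? "yes" : "no");
    for (int i = 0; i < len; i++) printf("Lvl %d: %s\n", path[i], peer_chain[path[i]].subject);
    return 0;
}
```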

