[Pidgin] #6680: Offline Message Error - rsi.hotmail.com

Pidgin trac at pidgin.im
Thu Oct 23 11:49:57 EDT 2008


#6680: Offline Message Error - rsi.hotmail.com
-------------------------------------------------------------------------------------+
 Reporter:  aliam13_2                                                                |        Owner:  khc
     Type:  defect                                                                   |       Status:  new
Milestone:                                                                           |    Component:  MSN
  Version:  2.5.1                                                                    |   Resolution:     
 Keywords:  rsi.hotmail.com Offline Message Invalid certificate authority signature  |  
-------------------------------------------------------------------------------------+

Comment(by gagern):

 I was sad to notice this bug hadn't been fixed in 2.5.2.

 New information as to how the chain building is probably supposed to work:
 According to "openssl x509 -text" output, the certs contain in the
 "Authority Information Access" section
 [http://www.oid-info.com/get/1.3.6.1.5.5.7.48.2 CA Issuers]
 descriptions specified in
 [http://tools.ietf.org/html/rfc2459#section-4.2.2.1 RFC2459 section
 4.2.2.1]
 and obsoleted first by [http://tools.ietf.org/html/rfc3280#section-4.2.2.1
 RFC3280]
 and recently [http://tools.ietf.org/html/rfc5280#section-4.2.2.1 RFC5280].

 This leads from the certificate sent by rsi.hotmail.com to
 http://www.microsoft.com/pki/mscorp/Microsoft%20Secure%20Server%20Authority(4).crt
 and from there to http://www.microsoft.com/pki/mscorp/mswww(3).crt which
 is signed by the GTE root.

 So that's probably the way things are meant to work, and maybe nss does it
 this way,
 although [https://bugzilla.mozilla.org/show_bug.cgi?id=245609 Mozilla bug
 245609]
 seems to indicate differently. Might need some more investigation.
 According to
 [http://www.google.com/codesearch?q=ca.%3FIssuers Google CodeSearch], both
 nss and gnutls mention caIssuers at some point in their sources, although
 that doesn't necessarily imply they really implement their use correctly.

 Maybe a long-term goal might be to get both nss and gnutls to support this
 chain building, and to either only ship the root certificate or completely
 rely on root certificates installed on the system. This might involve
 modifications to ssl libraries, and they might even outright reject
 supporting this part of the RFCs. In that case, bugging microsoft to have
 their server send the whole certificate chain would be the only clean
 solution I can see.

 As both these solutions might take quite some time, I suggest fixing the
 issue at hand by simply replacing the intermediate certificate shipped
 with Pidgin, preferably right now, but at least in time for 2.5.3. The
 problem of how to get rid of the need for intermediate certificates could
 be dealt with afterwards, maybe in a new ticket.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/6680#comment:19>
Pidgin <http://pidgin.im>
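As an added illustration of the caIssuers chain walk described in the comment above (this is example code written for this archive page, not Pidgin, NSS or GnuTLS code): the block below carries a minimal DER encoder/decoder for the AuthorityInfoAccessSyntax structure, extracts the id-ad-caIssuers URIs from it, and follows them from a leaf certificate towards a root. The HTTP fetch of each .crt file is replaced by an in-memory dictionary keyed by URL; the two microsoft.com URLs are the ones quoted in the comment, while the certificate subject names, the OCSP URL and the root's name are constructed assumptions for the example.

```python
"""Chain building via AIA caIssuers pointers (RFC 5280 section 4.2.2.1)."""
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp: present only to be skipped
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # URI = GeneralName [6], IA5String

def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:               # remaining arcs in base-128, high bit = more
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return der_tlv(TAG_OID, bytes(body))

def encode_aia(access):
    # [(accessMethod OID, URI), ...] -> DER AuthorityInfoAccessSyntax
    descs = [der_tlv(TAG_SEQUENCE, der_oid(m) + der_tlv(TAG_URI, u.encode("ascii")))
             for m, u in access]
    return der_tlv(TAG_SEQUENCE, b"".join(descs))

def parse_tlv(buf, pos=0):
    """Return (tag, body, position after the element); truncation is an error."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    end = pos + ln
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def parse_oid(body):
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def ca_issuers_urls(aia_der):
    """caIssuers URIs from an AIA value, in order; OCSP and non-URI names are skipped."""
    tag, seq, _ = parse_tlv(aia_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    urls, pos = [], 0
    while pos < len(seq):
        _, desc, pos = parse_tlv(seq, pos)
        _, method, p = parse_tlv(desc)
        loc_tag, loc, _ = parse_tlv(desc, p)
        if parse_oid(method) == OID_CA_ISSUERS and loc_tag == TAG_URI:
            urls.append(loc.decode("ascii"))
    return urls

def build_chain(leaf, fetch, roots, max_depth=6):
    """Follow caIssuers pointers from `leaf` until the issuer is a root in `roots`.
    Returns (chain, anchored).  A fetched cert must carry the subject the previous
    cert names as issuer; loops and over-long chains raise.  Signatures are NOT
    verified here: this only gathers candidates for the real path validation."""
    chain, seen = [leaf], set()
    while True:
        cur = chain[-1]
        if cur["issuer"] in roots:
            return chain + [roots[cur["issuer"]]], True
        if len(chain) >= max_depth:
            raise ValueError("chain too long")
        urls = ca_issuers_urls(cur["aia"]) if cur["aia"] else []
        if not urls:
            return chain, False            # dead end: no pointer to follow
        url = urls[0]
        if url in seen:
            raise ValueError("caIssuers loop at " + url)
        seen.add(url)
        issuer = fetch(url)
        if issuer is None or issuer["subject"] != cur["issuer"]:
            return chain, False            # fetch failed or returned the wrong cert
        chain.append(issuer)

def cert(subject, issuer, access=()):
    return {"subject": subject, "issuer": issuer, "aia": encode_aia(access) if access else b""}

# Constructed stand-ins for the certificates named in the ticket: the two
# microsoft.com URLs are quoted there; names and the OCSP URL are assumptions.
URL_SSA = "http://www.microsoft.com/pki/mscorp/Microsoft%20Secure%20Server%20Authority(4).crt"
URL_MSWWW = "http://www.microsoft.com/pki/mscorp/mswww(3).crt"
LEAF = cert("rsi.hotmail.com", "Microsoft Secure Server Authority",
            [(OID_OCSP, "http://ocsp.example.invalid/"), (OID_CA_ISSUERS, URL_SSA)])
REPOSITORY = {
    URL_SSA: cert("Microsoft Secure Server Authority", "Microsoft Internet Authority",
                  [(OID_CA_ISSUERS, URL_MSWWW)]),
    URL_MSWWW: cert("Microsoft Internet Authority", "GTE CyberTrust Global Root"),
}
ROOT = cert("GTE CyberTrust Global Root", "GTE CyberTrust Global Root")
ROOTS = {ROOT["subject"]: ROOT}
```

Calling build_chain(LEAF, REPOSITORY.get, ROOTS) walks leaf, Secure Server Authority, mswww and ends anchored in the root. Two things the walk does on purpose: it refuses a fetched certificate whose subject is not the issuer the previous certificate names, and it caps the depth and detects loops, because the pointers are attacker-influenced data obtained over plain HTTP. It does not verify any signature; an AIA walk only assembles candidates, and the result is only as trustworthy as the root it ends in, which is why relying on the system's root store, or having the server send the whole chain, remains the cleaner fix.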