[Pidgin] #6680: Offline Message Error - rsi.hotmail.com

Pidgin trac at pidgin.im
Wed Sep 10 06:37:57 EDT 2008


#6680: Offline Message Error - rsi.hotmail.com
-------------------------------------------------------------------------------------+
 Reporter:  aliam13_2                                                                |        Owner:  khc
     Type:  defect                                                                   |       Status:  new
Milestone:                                                                           |    Component:  MSN
  Version:  2.5.1                                                                    |   Resolution:     
 Keywords:  rsi.hotmail.com Offline Message Invalid certificate authority signature  |  
-------------------------------------------------------------------------------------+

Comment(by gagern):

 The Microsoft Secure Server Authority has changed its certificate. I just
 added the new certificate, which makes things work for me again. If you
 check out the Authority Key Identifier of the rsi.hotmail.com certificate
 attached above and the Subject Key Identifier of the different
 certificates for Microsoft Secure Server Authority, you will find that
 they agree for the certificate I just uploaded:

 `99:8F:A5:F7:1E:81:6F:FA:79:C2:F0:16:3F:B2:54:B1:08:68:47:55`

 The certificate shipped with pidgin, on the other hand, had this Subject
 Key Id:

 `A7:4F:05:FB:D1:8E:41:53:37:95:CA:4B:E1:43:1F:5A:EB:4D:CD:50`

 For those interested in reproducing my investigation: I did all my work
 using the openssl command line tools, also available for cygwin:
  1. `openssl verify -issuer_checks -verbose -CAfile /usr/share/purple/ca-certs/Microsoft_Secure_Server_Authority.pem rsi.hotmail.com`

  to see that the cert attached by bredde wouldn't match the CA shipped
 with pidgin, and to get a hint at "authority and subject key identifier
 mismatch" indicating a change of certificate.
  2. `openssl s_client -showcerts -connect www.microsoft.com:443`

  to get the whole chain of certificates, beginning with the new MSSA cert
  3. `openssl x509 -noout -text -in CERTFILE`

  to get detailed information about certificates, e.g. the Subject and Issuer Key
 Identifiers.

 If switching from gnutls to nss does in fact "resolve" the issue as well,
 as suggested by comments above, I wonder why nss won't complain about a
 missing certificate, especially as rsi.hotmail.com doesn't send any
 certificates but its own, and I wouldn't expect any generic SSL library to
 include the intermediate MSSA certificate. Strange. Probably should be
 investigated as well.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/6680#comment:15>
Pidgin <http://pidgin.im>
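
The key-identifier comparison described in the comment above, as an added example that is not part of the original ticket or Pidgin's code: it parses `openssl x509 -noout -text` output and reports which candidate CA certificate has a Subject Key Identifier equal to the server certificate's Authority Key Identifier. The certificate excerpts are constructed (only the two key IDs come from the ticket), and the function names and candidate labels are hypothetical.

```python
import re

# Constructed excerpts in the layout of `openssl x509 -noout -text`.
# Only the two 20-byte key IDs are taken from the ticket; the leaf's own
# Subject Key Identifier is a made-up placeholder.
LEAF_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
            X509v3 Authority Key Identifier:
                keyid:99:8F:A5:F7:1E:81:6F:FA:79:C2:F0:16:3F:B2:54:B1:08:68:47:55
"""
CA_TEMPLATE = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                %s
"""
# Labels are hypothetical; the first stands for the CA file shipped with Pidgin.
CANDIDATES = {
    "shipped Microsoft_Secure_Server_Authority.pem":
        CA_TEMPLATE % "A7:4F:05:FB:D1:8E:41:53:37:95:CA:4B:E1:43:1F:5A:EB:4D:CD:50",
    "newly uploaded certificate":
        CA_TEMPLATE % "99:8F:A5:F7:1E:81:6F:FA:79:C2:F0:16:3F:B2:54:B1:08:68:47:55",
}

_HEX = r"((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})"

def key_id(cert_text, which):
    """Return the 'Subject' or 'Authority' key identifier as lowercase hex,
    or None if the extension (or its keyid field) is absent."""
    # Some OpenSSL versions prefix the AKI value with 'keyid:'; accept both.
    pattern = r"X509v3 %s Key Identifier:[^\n]*\n\s*(?:keyid:)?%s" % (which, _HEX)
    m = re.search(pattern, cert_text)
    return m.group(1).replace(":", "").lower() if m else None

def find_issuers(leaf_text, candidates):
    """Names of candidate CA certs whose SKI equals the leaf's AKI."""
    aki = key_id(leaf_text, "Authority")
    if aki is None:
        raise ValueError("leaf certificate carries no authority keyid")
    return [name for name, text in candidates.items()
            if key_id(text, "Subject") == aki]

if __name__ == "__main__":
    print("leaf AKI:", key_id(LEAF_TEXT, "Authority"))
    for name, text in CANDIDATES.items():
        print("%-48s SKI %s" % (name, key_id(text, "Subject")))
    print("matching issuer(s):", find_issuers(LEAF_TEXT, CANDIDATES))
```

A matching key identifier only tells the verifier which issuer certificate to try; the signature on the server certificate still has to verify against that issuer's public key, as the `openssl verify` step does.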