[Pidgin] #6680: Offline Message Error - rsi.hotmail.com
Pidgin
trac at pidgin.im
Wed Sep 10 06:37:57 EDT 2008
#6680: Offline Message Error - rsi.hotmail.com
-------------------------------------------------------------------------------------+
Reporter: aliam13_2 | Owner: khc
Type: defect | Status: new
Milestone: | Component: MSN
Version: 2.5.1 | Resolution:
Keywords: rsi.hotmail.com Offline Message Invalid certificate authority signature |
-------------------------------------------------------------------------------------+
Comment(by gagern):
The Microsoft Secure Server Authority has changed its certificate. I just
added the new certificate, which makes things work for me again. If you
check out the Authority Key Identifier of the rsi.hotmail.com certificate
attached above and the Subject Key Identifier of the different
certificates for Microsoft Secure Server Authority, you will find that
they agree for the certificate I just uploaded:
`99:8F:A5:F7:1E:81:6F:FA:79:C2:F0:16:3F:B2:54:B1:08:68:47:55`
The certificate shipped with pidgin, on the other hand, had this Subject
Key Id:
`A7:4F:05:FB:D1:8E:41:53:37:95:CA:4B:E1:43:1F:5A:EB:4D:CD:50`
For those interested in reproducing my investigation: I did all my work
using the openssl command line tools, also available for cygwin:
1. `openssl verify -issuer_checks -verbose -CAfile /usr/share/purple/ca-certs/Microsoft_Secure_Server_Authority.pem rsi.hotmail.com`
to see that the cert attached by bredde wouldn't match the CA shipped
with pidgin, and to get a hint at "authority and subject key identifier
mismatch" indicating a change of certificate.
2. `openssl s_client -showcerts -connect www.microsoft.com:443`
to get the whole chain of certificates, beginning with the new MSSA cert
3. `openssl x509 -noout -text -in CERTFILE`
to get detailed information about certificates, e.g. the Subject and Issuer Key
Identifiers.
If switching from gnutls to nss does in fact "resolve" the issue as well,
as suggested by comments above, I wonder why nss won't complain about a
missing certificate, especially as rsi.hotmail.com doesn't send any
certificates but its own, and I wouldn't expect any generic SSL library to
include the intermediate MSSA certificate. Strange. Probably should be
investigated as well.
--
Ticket URL: <http://developer.pidgin.im/ticket/6680#comment:15>
Pidgin <http://pidgin.im>
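
The key identifier comparison described in the comment above, as an added example that is not part of the original ticket or of Pidgin's code. The function names and the sample text are constructed for illustration; only the two CA Subject Key Ids and the matching Authority Key Id are the values quoted in the comment.

```shell
#!/bin/sh
# Added example: compare a certificate's Authority Key Identifier (AKI) with
# candidate issuers' Subject Key Identifiers (SKI), using the text printed by
# `openssl x509 -noout -text -in CERTFILE`.
# Matching identifiers only show which CA certificate the leaf points at;
# the signature itself is still checked by `openssl verify`.

# key_id Subject|Authority: read x509 text on stdin, print that key id in hex.
key_id() {
    awk -v want="X509v3 $1 Key Identifier" '
        found {
            sub(/^[ \t]+/, ""); sub(/^keyid:/, ""); sub(/[ \t\r]+$/, "")
            id = toupper($0)
            # Print only a colon-separated hex string, nothing else.
            if (id ~ /^([0-9A-F][0-9A-F]:)+[0-9A-F][0-9A-F]$/) print id
            exit
        }
        index($0, want) { found = 1 }
    '
}

# issued_by LEAF_TEXT CA_TEXT: succeed when the leaf AKI equals the CA SKI.
issued_by() {
    aki=$(printf '%s\n' "$1" | key_id Authority)
    ski=$(printf '%s\n' "$2" | key_id Subject)
    [ -n "$aki" ] && [ "$aki" = "$ski" ]
}

# Constructed excerpts of x509 text output; only the AKI and the two CA SKIs
# are the values quoted in the comment, the leaf SKI is made up.
LEAF_TEXT='            X509v3 Subject Key Identifier:
                00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
            X509v3 Authority Key Identifier:
                keyid:99:8F:A5:F7:1E:81:6F:FA:79:C2:F0:16:3F:B2:54:B1:08:68:47:55'
SHIPPED_CA_TEXT='            X509v3 Subject Key Identifier:
                A7:4F:05:FB:D1:8E:41:53:37:95:CA:4B:E1:43:1F:5A:EB:4D:CD:50'
UPLOADED_CA_TEXT='            X509v3 Subject Key Identifier:
                99:8F:A5:F7:1E:81:6F:FA:79:C2:F0:16:3F:B2:54:B1:08:68:47:55'

for name in SHIPPED_CA_TEXT UPLOADED_CA_TEXT; do
    eval "ca_text=\$$name"
    if issued_by "$LEAF_TEXT" "$ca_text"; then
        echo "$name: SKI matches the leaf AKI"
    else
        echo "$name: key identifier mismatch"
    fi
done
```

With real files, pass the output of `openssl x509 -noout -text -in CERTFILE` for the leaf and for each candidate CA as the two arguments of `issued_by`.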