[Pidgin] #4458: Can not verify a valid certificate (Chain is INVALID)
Pidgin
trac at pidgin.im
Tue Jul 21 12:14:29 EDT 2009
#4458: Can not verify a valid certificate (Chain is INVALID)
----------------------------------+-----------------------------------------
Reporter: 7bestman | Owner: darkrain42
Type: defect | Status: pending
Milestone: | Component: libpurple
Version: 2.3.1 | Resolution:
Keywords: ssl Chain is INVALID |
----------------------------------+-----------------------------------------
Changes (by darkrain42):
* owner: wehlhard => darkrain42
Comment:
Replying to [comment:14 MarkDoliner]:
> I still think it's a good idea, yes, but it's not vital. Maybe
> something like, "A certificate in the certificate chain for example.com
> was signed with either MD2 or MD5, which are considered to be insecure.
> Please ask your server administrator to purchase a more secure
> certificate."?
>
> We don't require SSL for XMPP connections by default, do we? Maybe if
> "Require SSL/TLS" is unchecked then we should connect with
> GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 and GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5?

SSL is now the default for XMPP connections (changed in 2.6.0). It's also
not ''currently'' possible to associate a verification request (in the
GnuTLS certificate verification function) to an account, although Will has
a patch to graft that in (and I just pointed out we can "theoretically"
expand it without breaking ABI). I'm not particularly keen on adding per-
protocol behavior changes to an SSL plugin, though.
Another possibility is to allow MD5/MD2 signatures only if the certificate
with that signature is in the trusted CA store (which this one is). I'll
need to poke around the gnutls API to figure out how to do that/if it's
possible with the current certificate stuff.
--
Ticket URL: <http://developer.pidgin.im/ticket/4458#comment:16>
Pidgin <http://pidgin.im>
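An added example, not Pidgin, libpurple or GnuTLS code, of the policy darkrain42 sketches in the comment: read the outer signatureAlgorithm OID of each DER certificate in a chain, flag MD2/MD5 signatures, and tolerate them only on a certificate that is itself in the trusted store (a trust anchor's own signature is not what the chain's trust rests on). The certificates it runs on are constructed stubs with the right DER shape and no real keys; `sample_chain` and `_fake_cert` are assumptions made for the example.

```python
# Added example, not libpurple code: flag MD2/MD5 chain signatures, tolerated only on a trust anchor.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _tlv(tag, body):  # DER encoder, short-form length only (enough for the samples below)
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """OID content octets -> dotted-decimal string."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (the outer AlgorithmIdentifier)."""
    _, cert, _ = _read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE {
    _, _, pos = _read_tlv(cert, 0)        #   tbsCertificate  (skipped here)
    _, alg, _ = _read_tlv(cert, pos)      #   signatureAlgorithm
    _, oid, _ = _read_tlv(alg, 0)         #   ... whose first element is the OID
    return _decode_oid(oid)

def weak_chain_signatures(chain, trusted_store):
    """[(index, name)] for MD2/MD5-signed chain certs that are not trust anchors."""
    algs = [(i, WEAK_SIG_OIDS.get(signature_algorithm(der))) for i, der in enumerate(chain)]
    return [(i, name) for i, name in algs if name and chain[i] not in trusted_store]

def _fake_cert(serial, sig_oid):  # constructed sample: Certificate shape only, no real keys
    tbs = _tlv(0x30, _tlv(0x02, bytes([serial])))            # tbsCertificate: just a serial
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")       # AlgorithmIdentifier: OID + NULL
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00"))    # + dummy signature BIT STRING

def sample_chain():
    """Constructed chain: leaf (SHA-256) <- intermediate (MD5) <- root (MD5, trusted)."""
    root = _fake_cert(3, bytes.fromhex("2a864886f70d010104"))             # md5WithRSAEncryption
    return [_fake_cert(1, bytes.fromhex("2a864886f70d01010b")),           # sha256WithRSAEncryption
            _fake_cert(2, bytes.fromhex("2a864886f70d010104")), root], {root}
```

With the root in the trusted store only the MD5-signed intermediate is reported; with an empty store both MD5 signatures are.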