[Pidgin] #9360: Invalid certificate authority signature
Pidgin
trac at pidgin.im
Tue Jul 21 21:31:13 EDT 2009
#9360: Invalid certificate authority signature
-------------------------+--------------------------------------------------
Reporter: MikeyCarter | Owner:
Type: defect | Status: new
Milestone: 2.6.0 | Component: libpurple
Version: 2.5.8 | Resolution:
Keywords: SSL |
-------------------------+--------------------------------------------------
Changes (by darkrain42):
* cc: nosnilmot (added)
* status: closed => new
* resolution: fixed =>
Comment:
In looking at this some more (prompted by #4458), I'm not sure this was
actually the right solution, since it appears this option actually enables
the weak hash algorithms on all certificates (not just CAs), which IMHO,
is bad.
The chain verification is succeeding, but the step that fails is (in
x509_tls_cached_unknown_peer)
{{{ if ( !purple_certificate_signed_by(end_crt, ca_crt) ) }}}
where end_crt is from the chain returned by the server and ca_crt is
retrieved from the local pool based on end_crt's issuer_id. So, what I'm
thinking is that we can short-circuit the currently-failing check
'''iff''' end_crt == ca_crt (which means that we know the end certificate
is valid, provided we have a good equality operator), so that check above
turns in to something like
{{{ if (end_crt != ca_crt && !purple_certificate_signed_by(end_crt,
ca_crt) ) }}}.
I need to think about that a little more and figure out what to use as a
comparison operator, but `purple_certificate_get_fingerprint_sha1` may
work.
Stu, I'm CCing you because I think Redhat is already using this patch (or
something like it).
--
Ticket URL: <http://developer.pidgin.im/ticket/9360#comment:11>
Pidgin <http://pidgin.im>
Pidgin
More information about the Tracker
mailing list