[Pidgin] #9264: New twitter.com SSL certificate root server unrecognized
Pidgin
trac at pidgin.im
Fri May 29 13:10:40 EDT 2009
#9264: New twitter.com SSL certificate root server unrecognized
--------------------------------------------------------+-------------------
Reporter: zxinn | Owner: lschiere
Type: enhancement | Status: closed
Milestone: | Component: unclassified
Version: 2.5.6 | Resolution: invalid
Keywords: twitter mbpurple certificate ssl microblog |
--------------------------------------------------------+-------------------
Comment(by darkrain42):
Replying to [comment:12 bazzargh]:
> However, I'd add that I consider the cert cache using filenames based on
> the hostname rather than the fingerprint to be a pidgin bug. It means that
> the plugins have to install a ca-cert rather than just add the appropriate
> server cert into the cache, to deal with servers (like Twitter's) that use
> multiple certs.

While I do think it's probably reasonable to want to cache more than one
certificate per host (which would likely require a per-fingerprint storage
mechanism), it's ''absolutely not'' a good reason to do so to "make it
easier" for plugins to distribute a set of specific server certificates
instead of adding the trusted roots (and intermediate CAs) as necessary.
That defeats the whole purpose of x509 trust chains and, if servers have
multiple certificates on load-balanced servers, is a silly (and incredibly
error-prone) way to ensure that the certificates for all of the servers
are trusted.
Moreover (I haven't confirmed this), I believe the trusted certificate
cache is per-user, whereas plugins like this are typically installed
system-wide.
--
Ticket URL: <http://developer.pidgin.im/ticket/9264#comment:13>
Pidgin <http://pidgin.im>