[Pidgin] #15349: GeoTrust Global CA not included AND level 3 verification fails

Pidgin trac at pidgin.im
Mon Oct 8 10:53:54 EDT 2012

#15349: GeoTrust Global CA not included AND level 3 verification fails
 Reporter:  charlie_fd   |      Owner:
     Type:  defect       |     Status:  new
Milestone:               |  Component:  libpurple
  Version:  2.10.6       |   Keywords:  CA bundle certificate GeoTrust
                         |  chain depth
 "!GeoTrust Global CA" root CA is not included. The fall back mechanism
 provided by !GeoTrust for "legacy" apps doesn't work either.

 From the log:

 (16:33:57) nss: subject=CN=*.eea.europa.eu,OU=Domain Control Validated -
 RapidSSL(R),OU=See www.rapidssl.com/resources/cps
 issuer=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US
 (16:33:57) nss: subject=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US
 issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
 (16:33:57) nss: subject=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
 issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
 (16:33:57) certificate/x509/tls_cached: Starting verify for
 (16:33:57) certificate/x509/tls_cached: Checking for cached cert...
 (16:33:57) certificate/x509/tls_cached: ...Not in cache
 (16:33:57) certificate: Checking signature chain for
 uid=CN=*.eea.europa.eu,OU=Domain Control Validated - RapidSSL(R),OU=See
 www.rapidssl.com/resources/cps (c)12,OU=GT66534985,serialNumber=mWU-
 (16:33:57) certificate: ...Good signature by CN=RapidSSL CA,O="GeoTrust,
 (16:33:57) certificate: ...Good signature by CN=GeoTrust Global
 CA,O=GeoTrust Inc.,C=US
 (16:33:57) certificate: Chain is VALID

 The "real" chain as reported by openssl:

 openssl s_client -starttls xmpp -connect jabber.eea.europa.eu:5222
 depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
 verify return:1
 depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
 verify return:1
 depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
 verify return:1
 depth=0 serialNumber = mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN, OU = GT66534985,
 OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control
 Validated - RapidSSL(R), CN = *.eea.europa.eu
 verify return:1
 Certificate chain
  0 s:/serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN/OU=GT66534985/OU=See
 www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated -
    i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
  1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

 I'm not a specialist but it looks to me that "nss" library recognizes the
 Geotrust Global CA as "end of chain" so it doesn't add the !Equifax signed
 certificate to the verification chain (although present in the server
 response) but pidgin fails to recognize it as a trusted CA (not in the
 bundle). By any chance some part of the code (nss) uses OS CA bundle and
 other part of the code uses application CA bundle?

Ticket URL: <https://developer.pidgin.im/ticket/15349>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list