[Pidgin] #15486: pidgin/purple fails with "The certificate chain presented is invalid."

Pidgin trac at pidgin.im
Mon Feb 11 04:58:18 EST 2013


#15486: pidgin/purple fails with "The certificate chain presented is invalid."
----------------------+------------------------
 Reporter:  calestyo  |       Owner:
     Type:  defect    |      Status:  new
Milestone:            |   Component:  libpurple
  Version:  2.10.6    |  Resolution:
 Keywords:            |
----------------------+------------------------

Comment (by ans):

 i'd like to confirm this bug. it affects several of our users, but we are
 currently unable to determine the cause. for example several ubuntu 10.04
 users are affected, however a fresh installation i set up did not exhibit
 the problem. it might be a side effect of another installed package. it is
 however not a configuration issue since it persists after removing
 .purple. this also affects version 2.10.3. as a workaround the leaf
 certificate can be manually imported in pidgin.

 our server is an ejabberd as well, running at imsg.ch. the affected users
 have the cacert root-cert installed and are able to correctly verify the
 same certificate using chrome which also uses libnss (see https://imsg.ch).

 the following debug output is produced by pidgin failing to validate the
 cert:

 {{{
 (08:57:32) certificate/x509/tls_cached: Starting verify for imsg.ch
 (08:57:32) certificate/x509/tls_cached: Checking for cached cert...
 (08:57:32) certificate/x509/tls_cached: ...Not in cache
 (08:57:32) certificate: Checking signature chain for uid=CN=glei.ch
 (08:57:32) certificate: ...Good signature by CN=CAcert Class 3
 Root,OU=http://www.CAcert.org,O=CAcert Inc.
 (08:57:32) certificate: ...Bad or missing signature by
 E=support at cacert.org,CN=CA Cert Signing
 Authority,OU=http://www.cacert.org,O=Root CA
 Chain is INVALID
 (08:57:32) certificate: Failed to verify certificate for imsg.ch
 }}}

 the certificate is definitely ok, see e.g.:

 {{{
 openssl s_client -CAfile class3.crt -connect imsg.ch:5223 | grep return
 depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing
 Authority, emailAddress = support at cacert.org
 verify return:1
 depth=1 O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3
 Root
 verify return:1
 depth=0 CN = glei.ch
 verify return:1
     Verify return code: 0 (ok)
 }}}

 if you need more information please write so. we now have access to an
 affected installation.

-- 
Ticket URL: <https://developer.pidgin.im/ticket/15486#comment:1>
Pidgin <http://pidgin.im>
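
Added example, not part of the ticket or of Pidgin's code: a Python parser for the debug output format quoted in the comment above. It rejoins the mail-wrapped lines and reports which issuer in the chain failed the signature check. The function names are assumptions of this example; the sample text is the log from the comment, embedded as-is.

```python
import re

# Sample copied from the debug output quoted in the comment above, including
# the line wraps introduced by the mail archive.
SAMPLE_LOG = """\
(08:57:32) certificate/x509/tls_cached: Starting verify for imsg.ch
(08:57:32) certificate/x509/tls_cached: Checking for cached cert...
(08:57:32) certificate/x509/tls_cached: ...Not in cache
(08:57:32) certificate: Checking signature chain for uid=CN=glei.ch
(08:57:32) certificate: ...Good signature by CN=CAcert Class 3
Root,OU=http://www.CAcert.org,O=CAcert Inc.
(08:57:32) certificate: ...Bad or missing signature by
E=support at cacert.org,CN=CA Cert Signing
Authority,OU=http://www.cacert.org,O=Root CA
Chain is INVALID
(08:57:32) certificate: Failed to verify certificate for imsg.ch
"""

STAMP = re.compile(r"^\(\d\d:\d\d:\d\d\) [\w/]+: (.*)$")  # "(time) category: message"
VERDICT = re.compile(r"^Chain is (\w+)$")                  # untimestamped verdict line

def unwrap(text):
    """Rejoin wrapped continuation lines onto the log entry they belong to."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or VERDICT.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # assumes the wrap happened at a space
    return entries

def chain_report(text):
    """Return the subject, the per-link signature results and the final verdict."""
    report = {"subject": None, "links": [], "verdict": None}
    for entry in unwrap(text):
        verdict, m = VERDICT.match(entry), STAMP.match(entry)
        if verdict:
            report["verdict"] = verdict.group(1)
        elif m and m.group(1).startswith("Checking signature chain for uid="):
            report["subject"] = m.group(1).split("uid=", 1)[1]
        elif m and " signature by " in m.group(1):
            state = "good" if m.group(1).startswith("...Good") else "bad"
            report["links"].append((state, m.group(1).split(" by ", 1)[1]))
    return report

def first_bad_issuer(text):
    """DN of the first issuer whose signature check failed, or None."""
    return next((dn for state, dn in chain_report(text)["links"] if state == "bad"), None)
```

For the log above, `first_bad_issuer(SAMPLE_LOG)` returns the DN of the CAcert root, the same certificate that the openssl run in the comment verifies at depth=2.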