[Pidgin] #15485: problems with the curernt way to specify trusted X.509 certs
Pidgin
trac at pidgin.im
Sat Jan 26 19:53:56 EST 2013
#15485: problems with the curernt way to specify trusted X.509 certs
----------------------+-----------------------
Reporter: calestyo | Owner:
Type: defect | Status: new
Milestone: | Component: libpurple
Version: 2.10.6 | Keywords:
----------------------+-----------------------
Hi.
AFAIU, purple currently takes _all_ it's trusted CA certs from
/usr/share/purple/ca-certs/ .
Now this has some goods and some bads.
Advantage:
The good thing obviously is, that you place only those root certs in,
which the well known providers (ICQ, AIM, facebook) use.
So in contrast to when simply using the system provided /etc/ssl/certs
(where a typically much more certs are in) repo, one is a bit more secure,
as one doesn't trust CAs which aren't used anyway, but could be hacked
(e.g. turktrust, diginotar, etc.).
Disadvantages:
- I intentionally wrote "well known providers" above, not protocols, cause
e.g. any non major Jabber server, will not be accepted, even though he
might use a valid certificate (valid e.g. with respect to the roots in
/etc/ssl/certs).
- The well known providers often change their certs, which leads to
authentication problems in pidgin (see e.g. the long open bug #15336).
Of course, using /etc/ssl/certs doesn't guarantee to be on the safe side,
but it's typically more likely, as this contains on most distros the
widespread use root certs.
So what would I suggest:
1) IMHO pidgin should continue to _not_ generally use /etc/ssl/certs (or
the system's SSL default cert location).
2) There should be a well documented place in each user's homedir, e.g.
~/.purple/certificates/x509/ca-certs/
where one can place files and directories into (or symlinks to them).
Any such files will be taken as trusted CA certs,... and such dirs will be
searched for CA certs/crl in the SSL style (i.e. layout and syntax as
/etc/ssl/certs)
3) The same as (2), just on a global level (/etc) where it can be set by
sysadmins).
Cheers,
Chris.
--
Ticket URL: <https://developer.pidgin.im/ticket/15485>
Pidgin <http://pidgin.im>
Pidgin
More information about the Tracker
mailing list