[Pidgin] #15505: jabber.org's certificate is not trusted

Pidgin trac at pidgin.im
Thu Mar 7 07:35:24 EST 2013


#15505: jabber.org's certificate is not trusted
---------------------------------+---------------------
 Reporter:  igel                 |       Owner:  deryni
     Type:  defect               |      Status:  new
Milestone:                       |   Component:  XMPP
  Version:  2.10.6               |  Resolution:
 Keywords:  jabber, certificate  |
---------------------------------+---------------------

Comment (by igel):

 Here is an update for you guys:

 First, the Pidgin build information:

 {{{
 Pidgin 2.10.6 (libpurple 2.10.6)
 4cfe697ea3ae39a4fb3dad8e3ed1c70855901095

 Build Information
   Arguments to ./configure:   '--prefix=/usr' '--build=x86_64-pc-linux-
 gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--
 infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--
 localstatedir=/var/lib' '--libdir=/usr/lib64' '--disable-dependency-
 tracking' '--disable-silent-rules' '--enable-consoleui' '--enable-gtkui'
 '--enable-sm' '--enable-nls' '--enable-screensaver' '--disable-cap'
 '--disable-gevolution' '--disable-gtkspell' '--disable-perl' '--disable-
 tk' '--disable-tcl' '--disable-debug' '--enable-dbus' '--disable-
 meanwhile' '--disable-gstreamer' '--disable-farstream' '--disable-vv'
 '--disable-cyrus-sasl' '--disable-doxygen' '--disable-nm' '--disable-
 avahi' '--disable-idn' '--with-system-ssl-certs=/etc/ssl/certs/' '--with-
 dynamic-prpls=irc,jabber,oscar,yahoo,simple,msn,myspace' '--disable-mono'
 '--x-includes=/usr/include/X11' '--enable-nss=no' '--enable-gnutls=yes'
 '--with-gnutls-includes=/usr/include/gnutls' '--with-gnutls-
 libs=/usr/lib64' '--with-python=python2.7' 'build_alias=x86_64-pc-linux-
 gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=core2 -m64
 -mtune=core2 -O2 -pipe -O2' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CPPFLAGS='
 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig'
   Print debugging messages: No
   Plugins: Enabled
   SSL: SSL support is present.

   Library Support
     Cyrus SASL: Disabled
     D-Bus: Enabled
     Evolution Addressbook: Disabled
     Gadu-Gadu library (libgadu): Internal
     GtkSpell: Disabled
     GnuTLS: Enabled
     GStreamer: Disabled
     Mono: Disabled
     NetworkManager: Disabled
     Network Security Services (NSS): Disabled
     Perl: Disabled
     Tcl: Disabled
     Tk: Disabled
     UTF-8 DNS (IDN): Disabled
     Voice and Video: Disabled
     X Session Management: Enabled
     XScreenSaver: Enabled
     Zephyr library (libzephyr): Internal
     Zephyr uses Kerberos: No

 }}}
 It seems as if pidgin is supposed to use gnutls.


 Second, I tested a bit more with gnutls-cli:

 {{{
 % gnutls-cli register.jabber.org -p 443
 Resolving 'register.jabber.org'...
 Connecting to '208.68.163.219:443'...
 - Certificate type: X.509
  - Got a certificate list of 3 certificates.
  - Certificate[0] info:
   - subject `C=US,CN=register.jabber.org,EMAIL=hostmaster at jabber.org',
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
 Signing,CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 4096
 bits, signed using RSA-SHA256, activated `2012-12-16 07:02:12 UTC',
 expires `2013-12-17 22:54:00 UTC', SHA-1 fingerprint
 `c3b3918716093df7bfb0dd84c7436d2a09f7391d'
  - Certificate[1] info:
   - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
 Signing,CN=StartCom Class 1 Primary Intermediate Server CA', issuer
 `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom
 Certification Authority', RSA key 2048 bits, signed using RSA-SHA1,
 activated `2007-10-24 20:54:17 UTC', expires `2017-10-24 20:54:17 UTC',
 SHA-1 fingerprint `f691fc87efb3135354225a10e127e911d1c7f8cf'
  - Certificate[2] info:
   - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
 Signing,CN=StartCom Certification Authority', issuer `C=IL,O=StartCom
 Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification
 Authority', RSA key 4096 bits, signed using RSA-SHA1, activated
 `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1
 fingerprint `3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f'
 - The hostname in the certificate matches 'register.jabber.org'.
 - Peer's certificate issuer is unknown
 - Peer's certificate is NOT trusted
 - Version: TLS1.0
 - Key Exchange: RSA
 - Cipher: AES-128-CBC
 - MAC: SHA1
 - Compression: NULL
 - Handshake was completed
 }}}



 {{{
 % gnutls-cli register.jabber.org -p 443 --x509cafile /usr/share/ca-certificates/mozilla/StartCom_Certification_Authority.crt
 Processed 1 CA certificate(s).
 Resolving 'register.jabber.org'...
 Connecting to '208.68.163.219:443'...
 - Certificate type: X.509
  - Got a certificate list of 3 certificates.
  - Certificate[0] info:
   - subject `C=US,CN=register.jabber.org,EMAIL=hostmaster at jabber.org',
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
 Signing,CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 4096
 bits, signed using RSA-SHA256, activated `2012-12-16 07:02:12 UTC',
 expires `2013-12-17 22:54:00 UTC', SHA-1 fingerprint
 `c3b3918716093df7bfb0dd84c7436d2a09f7391d'
  - Certificate[1] info:
   - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
 Signing,CN=StartCom Class 1 Primary Intermediate Server CA', issuer
 `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom
 Certification Authority', RSA key 2048 bits, signed using RSA-SHA1,
 activated `2007-10-24 20:54:17 UTC', expires `2017-10-24 20:54:17 UTC',
 SHA-1 fingerprint `f691fc87efb3135354225a10e127e911d1c7f8cf'
  - Certificate[2] info:
   - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
 Signing,CN=StartCom Certification Authority', issuer `C=IL,O=StartCom
 Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification
 Authority', RSA key 4096 bits, signed using RSA-SHA1, activated
 `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1
 fingerprint `3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f'
 - The hostname in the certificate matches 'register.jabber.org'.
 - Peer's certificate is trusted
 - Version: TLS1.0
 - Key Exchange: RSA
 - Cipher: AES-128-CBC
 - MAC: SHA1
 - Compression: NULL
 - Handshake was completed
 }}}

 So, in conclusion, it '''IS''' possible for gnutls to verify
 register.jabber.org's certificate; however, it seems not to be aware of
 its root certificates for some reason...
 Any ideas why?

-- 
Ticket URL: <https://developer.pidgin.im/ticket/15505#comment:4>
Pidgin <http://pidgin.im>
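The two gnutls-cli runs in the comment differ only in whether the StartCom root is available locally, even though the server sends that root as Certificate[2] in both runs. The script below is an added example, not part of the ticket, of Pidgin or of GnuTLS: it builds a throwaway root -> intermediate -> leaf chain with the openssl command-line tool (assumed to be installed, 1.1.1 or newer), then verifies the leaf once with only the peer-sent chain and once with the root installed as a local trust anchor. The host name `register.example.test`, the "Example CA" names and all keys are constructed for the example. It goes slightly beyond the ticket's own runs by making the general rule visible: a root supplied by the peer is never a trust anchor, which is why "issuer is unknown" can only be cured by the client's trust store (or `--x509cafile`), not by anything the server sends.

```shell
#!/bin/sh
# Added example, not part of the ticket or of Pidgin/GnuTLS: rebuild the two
# gnutls-cli runs with a throwaway root -> intermediate -> leaf chain and
# show that a root sent by the peer never counts as a trust anchor; only a
# root held locally (the --x509cafile run) makes the chain verify.
# Assumes the openssl command-line tool (1.1.1 or newer). All names and keys
# are constructed here and are meaningless outside this script.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so openssl does not depend on the system openssl.cnf.
cat >ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root: the local stand-in for "StartCom Certification Authority".
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/O=Example CA/CN=Example Root" -keyout root.key -out root.crt 2>/dev/null

# Intermediate signed by the root (stand-in for the Class 1 intermediate).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Example CA/CN=Example Intermediate" -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >inter.ext
openssl x509 -req -sha256 -days 1 -in inter.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -extfile inter.ext -out inter.crt 2>/dev/null

# Leaf for a made-up host (stand-in for register.jabber.org).
HOST=register.example.test
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=$HOST" -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" >leaf.ext
openssl x509 -req -sha256 -days 1 -in leaf.csr -CA inter.crt -CAkey inter.key \
  -CAcreateserial -extfile leaf.ext -out leaf.crt 2>/dev/null

# The extra certificates a server sends after the leaf. jabber.org sent the
# root too (Certificate[2] in the ticket), so it is included here as well.
cat inter.crt root.crt >sent_chain.pem

# Case 1, the first gnutls-cli run: no local trust anchors. The root is in the
# peer's chain, but anything the peer sends is untrusted input, so the chain
# never reaches a trust anchor and the issuer is reported as unknown.
verify_with_peer_chain_only() {
  openssl verify -no-CAfile -no-CApath -verify_hostname "$HOST" \
    -untrusted sent_chain.pem leaf.crt 2>&1 | grep -q 'leaf.crt: OK'
}

# Case 2, the --x509cafile run: same chain, but the root is now installed as
# a local trust anchor. The intermediate still comes from the peer.
verify_with_local_root() {
  openssl verify -no-CAfile -no-CApath -CAfile root.crt -verify_hostname "$HOST" \
    -untrusted sent_chain.pem leaf.crt 2>&1 | grep -q 'leaf.crt: OK'
}

if verify_with_peer_chain_only; then
  echo "case 1: trusted (unexpected)"
else
  echo "case 1: issuer unknown; peer-supplied root is not a trust anchor"
fi
if verify_with_local_root; then
  echo "case 2: trusted once the root is in the local store"
else
  echo "case 2: rejected (unexpected)"
fi
```

The `-no-CAfile -no-CApath` switches keep the system store out of the picture so that the only difference between the two cases is the one `-CAfile root.crt`; that is the same variable the comment's second run changes with `--x509cafile`. For the real bug, the diagnostic question is therefore not whether gnutls can verify the chain, but which CA directory the Pidgin build was pointed at (`--with-system-ssl-certs=/etc/ssl/certs/` above) and whether the StartCom root is actually present there.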