[Pidgin] #15486: pidgin/purple fails with "The certificate chain presented is invalid."

Pidgin trac at pidgin.im
Sat Mar 30 16:34:56 EDT 2013

#15486: pidgin/purple fails with "The certificate chain presented is invalid."
 Reporter:  calestyo  |       Owner:
     Type:  defect    |      Status:  new
Milestone:            |   Component:  libpurple
  Version:  2.10.6    |  Resolution:
 Keywords:            |

Comment (by peter.meier):

 So the problem is the following:

 Pidgin still has the *old* class 3 certificate from cacert.org using md5
 as signing algorithm in its source:

 $ curl -s http://hg.pidgin.im/pidgin/main/raw-file/36a1ce60ce7b/share/ca-certs/CAcert_Class3.pem \
     | openssl x509 -text | grep Signature
         Signature Algorithm: md5WithRSAEncryption
     Signature Algorithm: md5WithRSAEncryption

 However, there is a new version of this certificate available using sha256
 as signing algorithm:

 $ curl -s https://www.cacert.org/certs/class3.crt | openssl x509 -text | grep Signature
         Signature Algorithm: sha256WithRSAEncryption
     Signature Algorithm: sha256WithRSAEncryption

 This is a problem, as Mozilla NSS disabled support for MD5 hash signed
 certificates in the 3.14 release and this (or newer) release is common in
 modern distributions (even RedHat Enterprise Linux 6.4 now ships a version
 that doesn't support md5 hash signed certificates anymore
 https://bugzilla.redhat.com/show_bug.cgi?id=895513 )

 So any modern distribution that should verify a certificate signed with
 the class 3 cert of cacert, will fail, especially recent signed

 You should fix this issue by updating the vendored class3 certificate
 (share/ca-certs/CAcert_Class3.pem) to the latest available one on
 https://www.cacert.org/index.php?id=3 ->

Ticket URL: <https://developer.pidgin.im/ticket/15486#comment:4>
Pidgin <http://pidgin.im>
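
As an added example (not part of the ticket or of Pidgin's code), this Python sketch audits a PEM bundle for certificates whose outer signature algorithm is md5WithRSAEncryption, the field the `openssl x509 -text | grep Signature` commands above print. The function names and the sample bundle are assumptions for illustration; the sample holds constructed DER skeletons, not real certificates.

```python
import base64
import re

# DER bytes of the PKCS #1 arc 1.2.840.113549.1.1; the final byte picks the algorithm.
PKCS1 = bytes.fromhex("2a864886f70d0101")
SIG_ALGS = {PKCS1 + b"\x04": "md5WithRSAEncryption",
            PKCS1 + b"\x05": "sha1WithRSAEncryption",
            PKCS1 + b"\x0b": "sha256WithRSAEncryption"}
REJECTED = {"md5WithRSAEncryption"}  # what the ticket comment says NSS 3.14+ refuses
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def outer_sig_alg(der):
    """Name of Certificate.signatureAlgorithm, the algorithm the issuer signed with."""
    tag, start, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)             # skip over tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    oid = der[oid_start:oid_end]
    return SIG_ALGS.get(oid, "unknown:" + oid.hex())

def audit_pem(pem):
    """List (index, algorithm, rejected) for each certificate in a PEM bundle."""
    algs = [outer_sig_alg(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem)]
    return [(i, alg, alg in REJECTED) for i, alg in enumerate(algs)]

def constructed_cert(oid):
    """Constructed sample: certificate-shaped DER with empty fields, not a real cert."""
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"   # empty tbs, algorithm, empty signature
    der = b"\x30" + bytes([len(body)]) + body
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = constructed_cert(PKCS1 + b"\x04") + constructed_cert(PKCS1 + b"\x0b")

if __name__ == "__main__":
    print(audit_pem(SAMPLE_BUNDLE))
```

To audit a real bundle, pass the bytes of each PEM file (for example those under share/ca-certs/) to audit_pem.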
