[Pidgin] #16412: NSS SSL doesn't work well with self signed certificates
Pidgin
trac at pidgin.im
Fri Oct 31 17:54:16 EDT 2014
#16412: NSS SSL doesn't work well with self signed certificates
-----------------------+------------------------
Reporter: skyserver | Owner: datallah
Type: defect | Status: new
Milestone: 2.10.11 | Component: libpurple
Version: 2.10.10 | Resolution:
Keywords: nss |
-----------------------+------------------------
Changes (by datallah):
* status: closed => new
* resolution: fixed =>
Comment:
It looks like this still happens with simple self-signed certs generated
by e.g. openfire.
{{{
(16:47:32) nss: CERT 1. CN=chat.onthebeach.co.uk [Certificate Authority]:
(16:47:32) nss: ERROR -8156: SEC_ERROR_CA_CERT_INVALID
(16:47:32) nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER
(16:47:32) certificate: Failed to verify certificate for
chat.onthebeach.co.uk
}}}
A public server that this can be seen with is `chat.onthebeach.co.uk`.
Interestingly `openssl s_client -connect chat.onthebeach.co.uk:5222
-starttls xmpp -showcerts` also fails for OpenSSL 1.0.1f 6 Jan 2014 on
ubuntu 14.04 (but succeeds with OpenSSL 1.0.1e-fips 11 Feb 2013 from
Centos 6.5).
{{{
openssl version
OpenSSL 1.0.1e-fips
openssl s_client -connect chat.onthebeach.co.uk:5222 -starttls xmpp
-showcerts
CONNECTED(00000003)
depth=0 CN = chat.onthebeach.co.uk
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = chat.onthebeach.co.uk
verify return:1
---
Certificate chain
0 s:/CN=chat.onthebeach.co.uk
i:/CN=chat.onthebeach.co.uk
-----BEGIN CERTIFICATE-----
MIIC9jCCAd6gAwIBAgIIMe/GTAMM37AwDQYJKoZIhvcNAQEFBQAwIDEeMBwGA1UE
AwwVY2hhdC5vbnRoZWJlYWNoLmNvLnVrMB4XDTE0MTAzMDE3MjYzNloXDTE5MTAw
NDE3MjYzNlowIDEeMBwGA1UEAwwVY2hhdC5vbnRoZWJlYWNoLmNvLnVrMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzI1ZTlRU/jWO7pG4rzvrMjiqVqv2
TGgX/eDtdS4HN9W6NIJPsqpa2QwavR4m1rvg6VBktGRuzxRbrrpAGRnk6jtx9+8x
tVSky7TTwrg8j+CD4FGqmv/kZxE7DNPiHwyZ71FxTGazHFg54ACWHFREEw9XluFt
F8z467tPtm4DnVYuxTqzThSvK2BU90mOMS2Upikf3DrcLNl/Fe38KZVUOS6zwTrW
jnNfR73Z2N0eT5IwtpJe3uk7v4QTEbKKPI7XBeIYDpQ+pVhRD63p27ifthK8VBdm
/A29B2gElEGhk/Ao45/WhkJOoju8nKZvh8t4s7PXgbrtuEum8+aOMpBpMwIDAQAB
ozQwMjAwBgNVHREEKTAnoCUGCCsGAQUFBwgFoBkMFyouY2hhdC5vbnRoZWJlYWNo
LmNvLnVrMA0GCSqGSIb3DQEBBQUAA4IBAQBOXgJEiMsBAj0MPMiLMq5qfKcKn03I
9PiqO7jgrxppZw6sLzqfujpwKBmjASTR4TidnJr63yFv70lbqcAhgXkfhibEngov
UT24qoxA7AsLFccsCPakg4FnG4sOpABll47tV27NLcbqVYHfqC9pTsIpQ8mXXvGh
LQ3SPH9V0B16KQWUlV9+w4YiXIrMGoB6G/YGyLWImnJ8pBnFfudNhtJ16OtCrZpQ
/kM9ijn8dHh+G+qlK7dToLVsioP+1cyDU/85TOcmmBWwUqN80HRLRJInHHLumi6D
PI3MxC9DV/AtRqV24wTojGtLvPm+BXRp+DRsr2l+7EcYm4ZP76YgrAC3
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=chat.onthebeach.co.uk
issuer=/CN=chat.onthebeach.co.uk
---
No client certificate CA names sent
---
SSL handshake has read 1862 bytes and written 606 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-DES-CBC3-SHA
Session-ID:
5453F36F319F1BDF03075A0C53FC47BD5F8086EF06E7C4C70EA3EF9DBFD2575D
Session-ID-ctx:
Master-Key:
4BD78E2A68EBDE60D5C0885364B9CD4B7B93A7C7F83384FDAFC0A547DC8A40F0DD33D17AEC689D42EA37A99842D3000A
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1414787952
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
}}}
It looks like the issue is that it's the root certificate in the chain,
but it's not marked as a CA via Basic Constraints, so we end up with the
`SEC_ERROR_CA_CERT_INVALID` error.
Looking at the firefox code, the right way to handle this is to suppress a
lot of these errors when dealing with a self-signed certificate. We
should warn about the self-signedness certificate, and that trumps the
rest of these.
--
Ticket URL: <https://developer.pidgin.im/ticket/16412#comment:4>
Pidgin <https://pidgin.im>
Pidgin
More information about the Tracker
mailing list