[Pidgin] #16835: Root certificate requests

Pidgin trac at pidgin.im
Sat Mar 26 04:03:25 EDT 2016

#16835: Root certificate requests
 Reporter:  dx       |       Owner:
     Type:  defect   |      Status:  new
Milestone:           |   Component:  libpurple
  Version:  2.10.11  |  Resolution:
 Keywords:           |

Comment (by piotrjurkiewicz):

 Few days ago '''jabber.org''' free XMPP service switched to a new
 certificate, which cannot be verified by current Windows version of

 The new certificate is signed by "Let's Encrypt Authority X1" certificate,
 which in turn is signed by "DST Root CA X3".

 Windows Pidgin installation does not contain "DST Root CA X3", so cannot
 verify the new jabber.org certificate.

 Lack of this particular root CA was already reported in #16805 and is
 aggregated in the list in this bug report.

 However, I think that adding more and more new root certificates to Pidgin
 Windows distribution is not a solution here -- such requests will repeat
 over and over. Pidgin on Windows should start using system certificate
 store, similarly as it does on other operating systems. Windows system
 root certificates are updated by Windows Update mechanism, what can ensure
 quick removal of compromised root certs and addition of new certs.
 Moreover, most entities have security policies which require regular WU
 updates, but they not have similar policies requiring regular utility apps
 updates. Finally, now Windows user must trust Pidgin Windows bundle
 packager and provider (Sourceforge). It would be better if he would have
 to trust just Microsoft (as he must trust it already).

 In case of this particular certificate, switching to system cert store
 would solve the problem -- "DST Root CA X3" is a trusted Windows root.

Ticket URL: <https://developer.pidgin.im/ticket/16835#comment:8>
Pidgin <https://pidgin.im>

More information about the Tracker mailing list