Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#11753 closed defect (cantfix)

Certificate Validation Prompt for 'omega.contacts.msn.com' Server on Pidgin 2.6.6

Reported by: compengi
Owned by: QuLogic
Milestone:
Component: MSN
Version: 2.6.6
Keywords:
Cc:

Description

I received today a prompt on pidgin 2.6.6 for a certificate validation for omega.contacts.msn.com server. The prompt message looks as follows:


Accept certificate for omega.contacts.msn.com?

The certificate for omega.contacts.msn.com could not be validated. The certificate claims to be from "contacts.msn.com" instead. This could mean that you are not connecting to the service you believe you are.


Certificate details are such:

Common name: contacts.msn.com

Fingerprint (SHA1): b9:c2:9e:f8:92:c1:2c:ee:55:7e:c6:d5:d1:91:0c:d2:10:87:1e:aa

Activation date: Wed Dec 2 01:07:13 2009

Expiration date: Thu Dec 2 01:07:13 2010


I've exported that certificate and I'm attaching the file with this ticket.

Attachments (2)

certificate.pem (2.1 KB) - added by compengi 9 years ago.
contacts.msn.com.pem (2.2 KB) - added by acruise 9 years ago.
Current *.contacts.msn.com certificate


Change History (10)

Changed 9 years ago by compengi

comment:1 Changed 9 years ago by darkrain42

  • Component changed from unclassified to MSN
  • Owner changed from rekkanoryo to QuLogic

We don't distribute end-site certificates. You're getting the prompt because of the name mismatch. This is either a misconfiguration on MSN's side or they've changed the server name (back?).
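The prompt in the report is the name-mismatch check darkrain42 refers to: the client compares the host it dialled (omega.contacts.msn.com) with the names the certificate carries (here only a CN of contacts.msn.com), and a plain name matches only itself. The following is an added example, not libpurple's code, showing that comparison together with the wildcard rule from RFC 6125 (a "*" is allowed only as the entire left-most label and covers exactly one label). The SAN-before-CN precedence is the RFC rule, not a claim about what Pidgin 2.6.6 implemented; all names in the inputs are taken from this ticket.

```python
"""Hostname-vs-certificate name matching, as a TLS client does it before
deciding whether to accept the peer or prompt the user.

Added example, not code from Pidgin/libpurple. Rules follow RFC 6125:
wildcard only as the whole left-most label, matching exactly one label.
"""
from typing import Iterable, List, Optional, Tuple


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop one trailing dot."""
    return name.rstrip(".").lower()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) covers hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, appear once, and
    # leave at least two further labels ("*.com" is rejected). Partial
    # wildcards such as "om*.contacts.msn.com" are rejected as the
    # conservative choice.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # A wildcard matches exactly one label: "*.contacts.msn.com" covers
    # "omega.contacts.msn.com" but neither "contacts.msn.com" nor
    # "a.omega.contacts.msn.com".
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def check_peer_name(hostname: str, common_name: Optional[str],
                    san_dns: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide whether the presented certificate is for `hostname`.

    Returns (ok, reason). If the certificate carries dNSName SANs they are
    authoritative and the CN is ignored (RFC 6125 section 6.4.4); with no
    SANs the CN is used, which is the situation in the ticket.
    """
    sans: List[str] = list(san_dns)
    candidates = sans if sans else ([common_name] if common_name else [])
    for name in candidates:
        if hostname_matches(name, hostname):
            return True, f"matched {name!r}"
    claimed = ", ".join(repr(n) for n in candidates) or "no DNS names"
    # Same situation as the prompt in the ticket: the client must not
    # silently continue; it has to fail or ask the user.
    return False, (f"the certificate for {hostname} could not be validated: "
                   f"it claims to be from {claimed}")


if __name__ == "__main__":
    # Constructed inputs mirroring the ticket: a CN-only certificate.
    print(check_peer_name("omega.contacts.msn.com", "contacts.msn.com"))
    print(check_peer_name("omega.contacts.msn.com", "*.contacts.msn.com"))
```

The first call reproduces the ticket (mismatch, prompt); the second shows why a wildcard CN for *.contacts.msn.com would have been accepted for this host, but still not for contacts.msn.com itself.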

comment:2 Changed 9 years ago by QuLogic

  • Resolution set to cantfix
  • Status changed from new to closed

This appears to be a temporary server-side thing.

comment:3 Changed 9 years ago by cgoudie

If you're looking at this bug today (November 11th 2010), you may want to look at this page: http://www.diarizing.com/pidgin-cannot-connect-to-msn-the-certificate-chain-presented-is-invalid/


The certificate for omega.contacts.msn.com could not be validated. The certificate chain presented is invalid.

If you have an error when trying to connect to MSN messenger with your pidgin today, this is the easy and quick way to fix the problem: just delete the contacts.msn.com SSL certificate.

rm ~/.purple/certificates/x509/tls_peers/contacts.msn.com

This way, pidgin will download the SSL certificate again and everything will work again.


I found that I needed to delete *.msn.com in that directory to connect.

comment:4 Changed 9 years ago by acruise

I don't know whether anything has *changed* as such, but omega.contacts.msn.com is using a three-element certificate chain, in which the L1 is a globally trusted CA (CyberTrust?), the L2 is Microsoft's own CA certificate, and the L3 (end entity cert) uses a wildcard CN. There are an awful lot of programs and libraries that don't support third- (and bigger) certificate chains properly, and a lot that don't support wildcards properly, so I don't think this really deserves to be a cantfix.

If you do openssl s_client -connect omega.contacts.msn.com:443 -showcerts you'll see all three certificates in the chain.

comment:5 Changed 9 years ago by cgoudie

Based on the fact deleting them (forcing a redownload) resolves the issue, my guess is that the old cert expired today, and the new cert wasn't retrieved or some such. <shrug>

This is one of the first hits on google for this issue, so I thought I'd add my comments here to help those looking for a fix to the same problem.

Changed 9 years ago by acruise

Current *.contacts.msn.com certificate

comment:6 Changed 9 years ago by acruise

Oh, and replacing ~/.purple/certificates/x509/tls_peers/omega.contacts.msn.com with just the end entity certificate works fine. I had a look at the certificate that was attached previously, and it's also a third-level certificate, but it doesn't use a wildcard CN.

I've attached the current wildcard certificate as contacts.msn.com.pem.
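Comments 4 and 6 describe the same diagnostic: dump the chain with openssl s_client -showcerts, count the elements, see whether the leaf uses a wildcard CN, and keep only the end-entity certificate for tls_peers/. The script below is an added example, not code from Pidgin or OpenSSL, that parses that s_client output offline. The sample output is constructed: the leaf CN is the one from this ticket, but the issuer names and the base64 bodies are placeholders, not the real omega.contacts.msn.com chain.

```python
"""Parse `openssl s_client -showcerts` output into the certificate chain,
check that the chain links up, and extract the end-entity certificate.

Added example, not code from Pidgin or OpenSSL. SAMPLE_SHOWCERTS is
constructed; only the leaf CN comes from the ticket.
"""
import re
from typing import List, NamedTuple

SAMPLE_SHOWCERTS = """CONNECTED(00000003)
depth=2 O = Example Root CA, CN = Example Root
verify return:1
depth=1 O = Example Corp, CN = Example Intermediate CA
verify return:1
depth=0 CN = *.contacts.msn.com
verify return:1
---
Certificate chain
 0 s:/CN=*.contacts.msn.com
   i:/O=Example Corp/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgbGVhZiBib2R5LCBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
 1 s:/O=Example Corp/CN=Example Intermediate CA
   i:/O=Example Root CA/CN=Example Root
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgaW50ZXJtZWRpYXRlIGJvZHk=
-----END CERTIFICATE-----
 2 s:/O=Example Root CA/CN=Example Root
   i:/O=Example Root CA/CN=Example Root
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcm9vdCBib2R5
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.contacts.msn.com
issuer=/O=Example Corp/CN=Example Intermediate CA
"""


class ChainCert(NamedTuple):
    depth: int
    subject: str
    issuer: str
    pem: str


# One "Certificate chain" entry: " N s:<subject>" / "   i:<issuer>" / PEM.
_ENTRY = re.compile(
    r"^\s*(?P<depth>\d+) s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)


def parse_chain(showcerts_output: str) -> List[ChainCert]:
    """Return the chain leaf first (depth 0), as the server sent it."""
    certs = [ChainCert(int(m["depth"]), m["subject"].strip(),
                       m["issuer"].strip(), m["pem"] + "\n")
             for m in _ENTRY.finditer(showcerts_output)]
    return sorted(certs, key=lambda c: c.depth)


def chain_links(certs: List[ChainCert]) -> List[str]:
    """Names-only linking check: each issuer must be the next subject.

    An empty list means the chain is well-formed by name; signatures are
    not verified here, that is openssl verify's job.
    """
    problems = []
    for lower, upper in zip(certs, certs[1:]):
        if lower.issuer != upper.subject:
            problems.append(f"depth {lower.depth} issuer {lower.issuer!r} "
                            f"!= depth {upper.depth} subject {upper.subject!r}")
    return problems


def is_wildcard(cert: ChainCert) -> bool:
    """True if the subject CN is a wildcard, as in comment 4."""
    return "CN=*." in cert.subject


def leaf_pem(certs: List[ChainCert]) -> str:
    """The end-entity certificate alone: what comment 6 put in tls_peers/."""
    if not certs:
        raise ValueError("no certificates in chain")
    return certs[0].pem


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_SHOWCERTS)
    print(f"{len(chain)}-element chain; leaf {chain[0].subject}"
          f" wildcard={is_wildcard(chain[0])}")
    print("link problems:", chain_links(chain) or "none")
    print(leaf_pem(chain), end="")
```

Pipe real output in with openssl s_client -connect host:443 -showcerts < /dev/null and feed it to parse_chain; writing leaf_pem() to ~/.purple/certificates/x509/tls_peers/<hostname> is the replacement described in comment 6.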

comment:7 Changed 9 years ago by nosnilmot

This 6 month old ticket is not the same issue as is happening now. See #12906 for that.

comment:8 Changed 9 years ago by cgoudie

For whatever reason deleting the certs no longer works. In case you're here looking for a fix, you can see #12906, or you can visit http://squidsrants.blogspot.com/2010/11/pidgin-msn-and-other-protocols.html for a quick fix.
