Opened 6 years ago
#15349 new defect
GeoTrust Global CA not included AND level 3 verification fails
| Reported by: | charlie_fd | Owned by: | |
|---|---|---|---|
| Milestone: | | Component: | libpurple |
| Version: | 2.10.6 | Keywords: | CA bundle certificate GeoTrust chain depth |
| Cc: | | | |
Description
"GeoTrust Global CA" root CA is not included. The fall back mechanism provided by GeoTrust for "legacy" apps doesn't work either.
From the log:
```
(16:33:57) nss: subject=CN=*.eea.europa.eu,OU=Domain Control Validated - RapidSSL(R),OU=See www.rapidssl.com/resources/cps (c)12,OU=GT66534985,serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN issuer=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US
(16:33:57) nss: subject=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
(16:33:57) nss: subject=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
(16:33:57) certificate/x509/tls_cached: Starting verify for jabber.eea.europa.eu
(16:33:57) certificate/x509/tls_cached: Checking for cached cert...
(16:33:57) certificate/x509/tls_cached: ...Not in cache
(16:33:57) certificate: Checking signature chain for uid=CN=*.eea.europa.eu,OU=Domain Control Validated - RapidSSL(R),OU=See www.rapidssl.com/resources/cps (c)12,OU=GT66534985,serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN
(16:33:57) certificate: ...Good signature by CN=RapidSSL CA,O="GeoTrust, Inc.",C=US
(16:33:57) certificate: ...Good signature by CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
(16:33:57) certificate: Chain is VALID
```
The "real" chain as reported by openssl:
```
openssl s_client -starttls xmpp -connect jabber.eea.europa.eu:5222
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN, OU = GT66534985, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = *.eea.europa.eu
verify return:1
---
Certificate chain
 0 s:/serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN/OU=GT66534985/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=*.eea.europa.eu
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
```
I'm not a specialist, but it looks to me that the "nss" library recognizes the GeoTrust Global CA as the "end of chain", so it doesn't add the Equifax-signed certificate to the verification chain (although it is present in the server response), but pidgin fails to recognize it as a trusted CA (not in the bundle). By any chance, does some part of the code (nss) use the OS CA bundle while another part of the code uses the application CA bundle?
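The situation the reporter describes (a mid-level CA that exists both as a self-signed root and as a certificate cross-signed by an older root, and a client bundle that carries only one of the two) can be reproduced with `openssl verify` on a throw-away PKI. The script below is an added example, not code from the ticket or from Pidgin/libpurple; every name, file and the hostname `jabber.example.test` is constructed. It builds a root that plays the Equifax role, a "Global CA" that plays GeoTrust Global CA (self-signed copy and cross-signed copy sharing one key), an issuing CA in the RapidSSL role, and a leaf, then checks the leaf against different trust stores and server-sent chains.

```shell
#!/bin/sh
# Added example (not part of ticket #15349 or of Pidgin): a throw-away PKI shaped
# like the reported chain, used to show how the contents of the trust store decide
# whether a cross-signed ("legacy" fallback) chain or a self-signed copy of the
# mid-level CA is accepted. All names, files and hostnames are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ext.cnf"

# Minimal config: empty DN section (subjects come from -subj) plus extension sets.
cat > "$CNF" <<'EOF'
[req]
prompt = no
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:jabber.example.test
EOF

# newkey NAME SUBJECT: fresh EC key and a CSR carrying SUBJECT.
newkey() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -config "$CNF" -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr"
}
# selfsign NAME: self-signed CA certificate from NAME's own CSR and key.
selfsign() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
    -extfile "$CNF" -extensions ca_ext -out "$WORK/$1.pem"
}
# sign NAME CA EXT OUT: issue NAME's CSR under CA (CA.pem / CA.key) with extension set EXT.
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions "$3" -out "$WORK/$4.pem"
}

newkey root    "/C=US/O=Example Equifax/CN=Example Root CA"      # Equifax Secure CA role
newkey global  "/C=US/O=Example GeoTrust/CN=Example Global CA"   # GeoTrust Global CA role
newkey issuing "/C=US/O=Example GeoTrust/CN=Example Issuing CA"  # RapidSSL CA role
newkey leaf    "/CN=jabber.example.test"

selfsign root                          # old root that legacy bundles carry
selfsign global                        # self-signed copy of the mid-level CA
sign global  root    ca_ext   global-cross   # same key and subject, cross-signed by root
sign issuing global  ca_ext   issuing
sign leaf    issuing leaf_ext leaf

# Two possible server-sent chains and three possible client trust stores.
cat "$WORK/issuing.pem" "$WORK/global.pem"       > "$WORK/chain-self.pem"   # ends in self-signed Global CA (as in Pidgin's log)
cat "$WORK/issuing.pem" "$WORK/global-cross.pem" > "$WORK/chain-cross.pem"  # continues up to root (as in the s_client output)
cat "$WORK/root.pem" "$WORK/global.pem"          > "$WORK/store-both.pem"

# verify_chain STORE CHAIN LEAF: validate LEAF using only STORE as trust anchors and
# CHAIN as untrusted intermediates; returns openssl verify's exit status (0 = trusted).
verify_chain() {
  openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3"
}

# show STORE CHAIN: one-line verdict for a trust-store / server-chain combination.
show() {
  if verify_chain "$WORK/$1.pem" "$WORK/$2.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo "store=$1 chain=$2 -> VALID"
  else
    echo "store=$1 chain=$2 -> REJECTED"
  fi
}

show root       chain-self    # bundle lacks the Global CA and the chain stops at its self-signed copy: rejected
show root       chain-cross   # cross-signed copy lets an old bundle walk up to the root: valid
show global     chain-self    # Global CA itself in the bundle: valid
show store-both chain-self    # both anchors present: valid
```

The first line of output is the reporter's failure mode: a bundle that holds only the old root cannot accept a chain whose top is the self-signed copy of the newer CA, because OpenSSL (like NSS) stops walking at a self-signed certificate and then finds it is not an anchor. The fix on the client side is to ship the newer CA as an anchor; the fallback on the server side is to send the cross-signed copy so that old bundles still reach a root they know. Which chain a client ends up checking depends on which copy of the certificate its library picks when subjects collide, so the two tools on this ticket can legitimately report different chains for the same connection.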