Opened 5 years ago

#15349 new defect

GeoTrust Global CA not included AND level 3 verification fails

Reported by: charlie_fd
Owned by:
Milestone:
Component: libpurple
Version: 2.10.6
Keywords: CA bundle certificate GeoTrust chain depth


The "GeoTrust Global CA" root CA is not included. The fallback mechanism provided by GeoTrust for "legacy" apps doesn't work either.

From the log:

(16:33:57) nss: subject=CN=*,OU=Domain Control Validated - RapidSSL(R),OU=See (c)12,OU=GT66534985,serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN issuer=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US
(16:33:57) nss: subject=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
(16:33:57) nss: subject=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
(16:33:57) certificate/x509/tls_cached: Starting verify for
(16:33:57) certificate/x509/tls_cached: Checking for cached cert...
(16:33:57) certificate/x509/tls_cached: ...Not in cache
(16:33:57) certificate: Checking signature chain for uid=CN=*,OU=Domain Control Validated - RapidSSL(R),OU=See (c)12,OU=GT66534985,serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN
(16:33:57) certificate: ...Good signature by CN=RapidSSL CA,O="GeoTrust, Inc.",C=US
(16:33:57) certificate: ...Good signature by CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
(16:33:57) certificate: Chain is VALID

The "real" chain as reported by openssl:

openssl s_client -starttls xmpp -connect
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN, OU = GT66534985, OU = See (c)12, OU = Domain Control Validated - RapidSSL(R), CN = *
verify return:1
Certificate chain
 0 s:/serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN/OU=GT66534985/OU=See (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=*
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

I'm not a specialist, but it looks to me that the "nss" library recognizes the GeoTrust Global CA as "end of chain", so it doesn't add the Equifax-signed certificate to the verification chain (although it is present in the server response), but pidgin fails to recognize it as a trusted CA (not in the bundle). By any chance, does some part of the code (nss) use the OS CA bundle and another part of the code use the application CA bundle?
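As an added illustration (not code from the ticket, from libpurple or from NSS), the following Python model contrasts the two chain-building behaviours the report describes: a builder that follows the first matching issuer and stops as soon as it reaches a self-signed certificate, versus one that tries every candidate issuer (here the cross-signed "GeoTrust Global CA" issued by Equifax) until it finds a path ending at a trust anchor. The subject/issuer names are copied from the log above; the server pool, the two extra Equifax-related certificates and the trust stores are constructed for the example, and trust anchors are modelled as a set of subject names rather than real certificates, so "self-signed" here means subject equals issuer with no signature check.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Matches the "nss: subject=... issuer=..." lines from the debug log.
NSS_LOG_RE = re.compile(r"nss: subject=(?P<subject>.+?) issuer=(?P<issuer>.+)$")

# Distinguished names in NSS display order (CN first), copied from the ticket.
GT_GLOBAL = "CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US"
EQUIFAX = "OU=Equifax Secure Certificate Authority,O=Equifax,C=US"

# Constructed input: the three nss lines from the ticket's log.
SAMPLE_LOG = [
    '(16:33:57) nss: subject=CN=*,OU=Domain Control Validated - RapidSSL(R),OU=See (c)12,'
    'OU=GT66534985,serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN '
    'issuer=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US',
    '(16:33:57) nss: subject=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US '
    'issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US',
    '(16:33:57) nss: subject=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US '
    'issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US',
]


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        # Simplification: real code would verify the self-signature too.
        return self.subject == self.issuer


def parse_nss_log(lines: Iterable[str]) -> List[Cert]:
    """Extract (subject, issuer) pairs from nss debug lines; other lines are ignored."""
    certs = []
    for line in lines:
        m = NSS_LOG_RE.search(line)
        if m:
            certs.append(Cert(m["subject"], m["issuer"]))
    return certs


def build_server_pool():
    """Constructed pool: the three certs from the nss log plus the cross-signed
    GeoTrust Global CA and the Equifax root seen in the openssl output."""
    pool = parse_nss_log(SAMPLE_LOG)
    pool.append(Cert(GT_GLOBAL, EQUIFAX))   # cross-signed copy (depth=2 in openssl)
    pool.append(Cert(EQUIFAX, EQUIFAX))     # Equifax root (depth=3 in openssl)
    return pool[0], pool


def chain_is_trusted(chain: List[Cert], anchors: Set[str]) -> bool:
    """A chain is trusted if its top is an anchor, or its top was issued by one."""
    top = chain[-1]
    return top.subject in anchors or (not top.is_self_signed() and top.issuer in anchors)


def first_issuer_chain(leaf: Cert, pool: List[Cert]) -> List[Cert]:
    """Naive builder: take the first cert whose subject matches the current
    issuer and stop at the first self-signed cert (the behaviour the report
    attributes to nss)."""
    chain = [leaf]
    while not chain[-1].is_self_signed():
        nxt = next((c for c in pool if c.subject == chain[-1].issuer and c not in chain), None)
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def any_trusted_chain(leaf: Cert, pool: List[Cert], anchors: Set[str]) -> Optional[List[Cert]]:
    """Alternative-chain builder: explore every candidate issuer depth-first
    and return the first path that ends at a trust anchor, else None."""
    def dfs(chain: List[Cert]) -> Optional[List[Cert]]:
        if chain_is_trusted(chain, anchors):
            return chain
        cur = chain[-1]
        if cur.is_self_signed():
            return None  # dead end: untrusted self-signed cert
        for cand in pool:
            if cand.subject == cur.issuer and cand not in chain:
                found = dfs(chain + [cand])
                if found:
                    return found
        return None
    return dfs([leaf])


def verify_naive(leaf: Cert, pool: List[Cert], anchors: Set[str]) -> bool:
    return chain_is_trusted(first_issuer_chain(leaf, pool), anchors)


def verify_alt(leaf: Cert, pool: List[Cert], anchors: Set[str]) -> bool:
    return any_trusted_chain(leaf, pool, anchors) is not None


if __name__ == "__main__":
    leaf, pool = build_server_pool()
    for label, anchors in (("bundle with Equifax only", {EQUIFAX}),
                           ("bundle with GeoTrust Global CA", {GT_GLOBAL})):
        print(f"{label}: naive={verify_naive(leaf, pool, anchors)} "
              f"alternative={verify_alt(leaf, pool, anchors)}")
```

With a bundle that holds only the Equifax root, the naive builder ends at the self-signed GeoTrust Global CA and reports the chain as untrusted, which matches the failure in the ticket; the alternative builder backtracks to the cross-signed copy and reaches Equifax. Adding the GeoTrust Global CA root to the application bundle makes both builders succeed, which is the other remedy the report points at.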

Change History (0)
