Opened 5 years ago

#15349 new defect

GeoTrust Global CA not included AND level 3 verification fails

Reported by: charlie_fd
Owned by:
Milestone:
Component: libpurple
Version: 2.10.6
Keywords: CA bundle certificate GeoTrust chain depth
Cc:

Description

"GeoTrust Global CA" root CA is not included. The fallback mechanism provided by GeoTrust for "legacy" apps doesn't work either.

From the log:

(16:33:57) nss: subject=CN=*.eea.europa.eu,OU=Domain Control Validated - RapidSSL(R),OU=See www.rapidssl.com/resources/cps (c)12,OU=GT66534985,serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN issuer=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US
(16:33:57) nss: subject=CN=RapidSSL CA,O="GeoTrust, Inc.",C=US issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
(16:33:57) nss: subject=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
(16:33:57) certificate/x509/tls_cached: Starting verify for jabber.eea.europa.eu
(16:33:57) certificate/x509/tls_cached: Checking for cached cert...
(16:33:57) certificate/x509/tls_cached: ...Not in cache
(16:33:57) certificate: Checking signature chain for uid=CN=*.eea.europa.eu,OU=Domain Control Validated - RapidSSL(R),OU=See www.rapidssl.com/resources/cps (c)12,OU=GT66534985,serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN
(16:33:57) certificate: ...Good signature by CN=RapidSSL CA,O="GeoTrust, Inc.",C=US
(16:33:57) certificate: ...Good signature by CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
(16:33:57) certificate: Chain is VALID

The "real" chain as reported by openssl:

openssl s_client -starttls xmpp -connect jabber.eea.europa.eu:5222
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN, OU = GT66534985, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = *.eea.europa.eu
verify return:1
---
Certificate chain
 0 s:/serialNumber=mWU-N1qzSgduHFraoJtYBAtmlIK3G9SN/OU=GT66534985/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=*.eea.europa.eu
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

I'm not a specialist, but it looks to me that the "nss" library recognizes the GeoTrust Global CA as the "end of chain", so it doesn't add the Equifax-signed certificate to the verification chain (although it is present in the server response), but Pidgin fails to recognize it as a trusted CA (not in the bundle). By any chance does some part of the code (nss) use the OS CA bundle while another part of the code uses the application CA bundle?
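As an added illustration of the chain-building problem described above (this is example code written for this page, not code from the ticket, libpurple or NSS): a toy path builder over the chain the logs show. Certificates are plain records with constructed names and key identifiers, and "signature verification" is modelled as the authority key identifier matching the issuer's subject key identifier. It contrasts a hop-by-hop walk that prefers a local cert DB, stops at the first self-signed certificate and only then consults the application bundle (the behaviour the reporter describes) with a builder that tries every issuer candidate, so the cross-signed GeoTrust Global CA sent by the server can still chain to the Equifax anchor that the legacy bundle does contain.

```python
"""Toy X.509 path builder for the situation in this ticket.

A certificate is modelled as (subject, issuer, subject key id, authority key
id) and a signature check as "AKI matches the issuer's SKI".  Every name and
key identifier below is constructed for the example; none is real key material.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # subject key identifier, standing in for the public key
    aki: str  # authority key identifier: which key signed this cert

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.ski == self.aki


def signed_by(cert: Cert, candidate: Cert) -> bool:
    """Model of a signature check: the names chain and the signing key matches."""
    return cert.issuer == candidate.subject and cert.aki == candidate.ski


def find_issuer(cert: Cert, pool: Sequence[Cert]) -> Optional[Cert]:
    """First cert in pool (other than cert itself) that signed cert."""
    for c in pool:
        if c != cert and signed_by(cert, c):
            return c
    return None


def naive_chain(leaf: Cert, presented: Sequence[Cert], local_db: Sequence[Cert],
                bundle: Sequence[Cert]) -> Optional[List[Cert]]:
    """Hop-by-hop walk mirroring the behaviour the reporter describes.

    For each issuer name it prefers what a local cert DB holds (the self-signed
    root), stops as soon as it reaches a self-signed cert, and only then asks
    whether that end-of-chain cert is in the application bundle.  The
    cross-signed copy the server sent is never considered.
    """
    chain = [leaf]
    while not chain[-1].is_self_signed():
        nxt = find_issuer(chain[-1], local_db) or find_issuer(chain[-1], presented)
        if nxt is None or len(chain) > 8:
            return None
        chain.append(nxt)
    return chain if chain[-1] in bundle else None


def build_path(leaf: Cert, presented: Sequence[Cert], bundle: Sequence[Cert],
               max_depth: int = 8) -> Optional[List[Cert]]:
    """Depth-first path builder that tries every issuer candidate.

    A path is complete when the current cert is in the bundle or was signed by
    a bundle cert.  Otherwise every presented cert that signed it is explored,
    so a cross-signed intermediate is an alternative route to a trust anchor
    rather than a dead end.
    """
    def walk(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if cert in bundle:
            return path
        if len(path) > max_depth:
            return None
        for anchor in bundle:
            if signed_by(cert, anchor):
                return path + [anchor]
        for cand in presented:
            if cand not in path and signed_by(cert, cand):  # no cycles
                found = walk(cand, path + [cand])
                if found:
                    return found
        return None

    return walk(leaf, [leaf])


# Constructed data mirroring the chain in the ticket's logs.
EQUIFAX = Cert("OU=Equifax Secure Certificate Authority",
               "OU=Equifax Secure Certificate Authority", "k-equifax", "k-equifax")
# The copy of GeoTrust Global CA the server sent: cross-signed by Equifax.
GEOTRUST_CROSS = Cert("CN=GeoTrust Global CA",
                      "OU=Equifax Secure Certificate Authority", "k-geotrust", "k-equifax")
# The copy a local cert DB holds: self-signed, same key (what the nss log shows).
GEOTRUST_ROOT = Cert("CN=GeoTrust Global CA", "CN=GeoTrust Global CA",
                     "k-geotrust", "k-geotrust")
RAPIDSSL = Cert("CN=RapidSSL CA", "CN=GeoTrust Global CA", "k-rapidssl", "k-geotrust")
LEAF = Cert("CN=*.eea.europa.eu", "CN=RapidSSL CA", "k-leaf", "k-rapidssl")

PRESENTED = [LEAF, RAPIDSSL, GEOTRUST_CROSS, EQUIFAX]  # what openssl s_client showed
LOCAL_DB = [GEOTRUST_ROOT]                             # local cert DB, as the nss log implies
LEGACY_BUNDLE = [EQUIFAX]                              # app bundle lacking GeoTrust Global CA
UPDATED_BUNDLE = [EQUIFAX, GEOTRUST_ROOT]              # app bundle with the root added


def demo() -> dict:
    """Run both strategies against both bundles; None means verification failed."""
    return {
        "naive_legacy": naive_chain(LEAF, PRESENTED, LOCAL_DB, LEGACY_BUNDLE),
        "naive_updated": naive_chain(LEAF, PRESENTED, LOCAL_DB, UPDATED_BUNDLE),
        "built_legacy": build_path(LEAF, PRESENTED, LEGACY_BUNDLE),
        "built_updated": build_path(LEAF, PRESENTED, UPDATED_BUNDLE),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(name, "->", None if path is None else " <- ".join(c.subject for c in path))
```

With the legacy bundle the naive walk ends at the self-signed GeoTrust Global CA and rejects the connection, while the path builder reaches Equifax through the cross-signed certificate the server actually sent; with the root added to the bundle both strategies succeed. The two mitigations are therefore the ones the ticket itself points at: ship the root in the bundle, and build paths over all issuer candidates rather than stopping at the first self-signed certificate.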
