Opened 6 years ago

Last modified 6 years ago

#15505 new defect

jabber.org's certificate is not trusted

Reported by: igel Owned by: deryni
Milestone: Component: XMPP
Version: 2.10.6 Keywords: jabber, certificate
Cc:

Description

register.jabber.org uses a certificate issued by StartCom?. I do trust StartCom?'s root certificate and have it installed using OpenSSL in /etc/ssl/certs. Still, pidgin brings up the accept/reject box. Curl, Firefox and everything else does not complain about the certificate. I couldn't find a way to tell pidgin to trust my installed SSL certificates (which it obviously doesn't).

I am attaching the certificate in question to this bug report, but I would prefer to tell pidgin to trust my installed root certificates...

System is Gentoo Linux x64, pidgin 2.10.6, OpenSSL 1.0.1c.

Attachments (4)

certificate.pem (2.7 KB) - added by igel 6 years ago.
what_the.jpg (38.4 KB) - added by igel 6 years ago.
purple-debug.log (73.2 KB) - added by igel 6 years ago.
debug log
debug-log.tar.bz2 (6.4 KB) - added by igel 6 years ago.
debug log

Download all attachments as: .zip

Change History (17)

comment:1 Changed 49 years ago by igel

  • Status changed from pending to new

Changed 6 years ago by igel

comment:1 Changed 6 years ago by QuLogic

  • Status changed from new to pending

It does appear that Gentoo uses /etc/ssl/certs for system certificates, but Pidgin does not use OpenSSL. If you want to use your own root certificate, you need to install it so that NSS or GnuTLS can see it (depending on which option you used to build Pidgin).

comment:2 Changed 6 years ago by igel

Hey, my Pidgin is indeed compiled with GnuTLS support, and it's the OpenSSL certificates that are stored in /etc/ssl/certs, the GnuTLS certs are in /usr/share/ca-certificates. However, GnuTLS also knows the StartCom? certificate:

/usr/share/ca-certificates/mozilla/StartCom_Certification_Authority.crt

A quick test with GnuTLS looks okayish (no idea how to properly test that):

$ gnutls-cli --starttls register.jabber.org
Resolving 'register.jabber.org'...
Connecting to '208.68.163.219:443'...

- Simple Client Mode:

NSS should work, since firefox works. Also, my curl (which works) is built with NSS. My Pidgin appears to be built with GnuTLS, but there is a plugin called "pidgin-encryption" which is built with NSS. Versions are

  • pidgin-encryption-3.1
  • NSS-3.11
  • GnuTLS-2.12.20

Changed 6 years ago by igel

comment:3 Changed 6 years ago by igel

hu? What's up with the bugtracker? 43 years ago?? https://developer.pidgin.im/attachment/ticket/15505/what_the.jpg

comment:4 Changed 6 years ago by igel

here is an update for you guys:

First, the Pidgin build information:

Pidgin 2.10.6 (libpurple 2.10.6)
4cfe697ea3ae39a4fb3dad8e3ed1c70855901095

Build Information
  Arguments to ./configure:   '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--disable-dependency-tracking' '--disable-silent-rules' '--enable-consoleui' '--enable-gtkui' '--enable-sm' '--enable-nls' '--enable-screensaver' '--disable-cap' '--disable-gevolution' '--disable-gtkspell' '--disable-perl' '--disable-tk' '--disable-tcl' '--disable-debug' '--enable-dbus' '--disable-meanwhile' '--disable-gstreamer' '--disable-farstream' '--disable-vv' '--disable-cyrus-sasl' '--disable-doxygen' '--disable-nm' '--disable-avahi' '--disable-idn' '--with-system-ssl-certs=/etc/ssl/certs/' '--with-dynamic-prpls=irc,jabber,oscar,yahoo,simple,msn,myspace' '--disable-mono' '--x-includes=/usr/include/X11' '--enable-nss=no' '--enable-gnutls=yes' '--with-gnutls-includes=/usr/include/gnutls' '--with-gnutls-libs=/usr/lib64' '--with-python=python2.7' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=core2 -m64 -mtune=core2 -O2 -pipe -O2' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CPPFLAGS=' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig'
  Print debugging messages: No
  Plugins: Enabled
  SSL: SSL support is present.

  Library Support
    Cyrus SASL: Disabled
    D-Bus: Enabled
    Evolution Addressbook: Disabled
    Gadu-Gadu library (libgadu): Internal
    GtkSpell: Disabled
    GnuTLS: Enabled
    GStreamer: Disabled
    Mono: Disabled
    NetworkManager: Disabled
    Network Security Services (NSS): Disabled
    Perl: Disabled
    Tcl: Disabled
    Tk: Disabled
    UTF-8 DNS (IDN): Disabled
    Voice and Video: Disabled
    X Session Management: Enabled
    XScreenSaver: Enabled
    Zephyr library (libzephyr): Internal
    Zephyr uses Kerberos: No

It seems as if pidgin is supposed to use gnutls.

Second, I tested a bit more with gnutls-cli:

% gnutls-cli register.jabber.org -p 443
Resolving 'register.jabber.org'...
Connecting to '208.68.163.219:443'...
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,CN=register.jabber.org,EMAIL=hostmaster@jabber.org', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 4096 bits, signed using RSA-SHA256, activated `2012-12-16 07:02:12 UTC', expires `2013-12-17 22:54:00 UTC', SHA-1 fingerprint `c3b3918716093df7bfb0dd84c7436d2a09f7391d'
 - Certificate[1] info:
  - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Server CA', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-10-24 20:54:17 UTC', expires `2017-10-24 20:54:17 UTC', SHA-1 fingerprint `f691fc87efb3135354225a10e127e911d1c7f8cf'
 - Certificate[2] info:
  - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 4096 bits, signed using RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1 fingerprint `3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f'
- The hostname in the certificate matches 'register.jabber.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
% gnutls-cli  register.jabber.org -p 443 --x509cafile /usr/share/ca-certificates/mozilla/StartCom_Certification_Authority.crt
Processed 1 CA certificate(s).
Resolving 'register.jabber.org'...
Connecting to '208.68.163.219:443'...
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,CN=register.jabber.org,EMAIL=hostmaster@jabber.org', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 4096 bits, signed using RSA-SHA256, activated `2012-12-16 07:02:12 UTC', expires `2013-12-17 22:54:00 UTC', SHA-1 fingerprint `c3b3918716093df7bfb0dd84c7436d2a09f7391d'
 - Certificate[1] info:
  - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Server CA', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-10-24 20:54:17 UTC', expires `2017-10-24 20:54:17 UTC', SHA-1 fingerprint `f691fc87efb3135354225a10e127e911d1c7f8cf'
 - Certificate[2] info:
  - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 4096 bits, signed using RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1 fingerprint `3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f'
- The hostname in the certificate matches 'register.jabber.org'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

So, in conclusion, it IS possible for gnutls to verify register.jabber.org's certificate, however, it seems to not be aware of its root certificates for some reason... Any ideas why?

comment:5 Changed 6 years ago by datallah

Based on your ./configure arguments (--with-system-ssl-certs=/etc/ssl/certs/), Pidgin is configured to use the SSL certificates in /etc/ssl/certs/.

Is the StartCom CA there on your system?

comment:6 Changed 6 years ago by igel

yes, it's just a link to the one I used to test gnutls-cli with:

% ls -l /etc/ssl/certs/StartCom_Certification_Authority.pem 
lrwxrwxrwx 1 root root 71 Feb  8 17:06 /etc/ssl/certs/StartCom_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/StartCom_Certification_Authority.crt

comment:7 Changed 6 years ago by datallah

  • Status changed from new to pending

Please follow the instructions to get a debug log and attach it to this ticket.

Changed 6 years ago by igel

debug log

Changed 6 years ago by igel

debug log

comment:8 follow-up: Changed 6 years ago by igel

  • Status changed from pending to new

Sorry, I cannot add the file to this ticket, I keep getting this:

 Trac detected an internal error:

NameError: global name 'now' is not defined

There was an internal error in Trac. It is recommended that you notify your local Trac administrator with the information needed to reproduce the issue.

To that end, you could a ticket.

The action that triggered the error was:

POST: /attachment/ticket/15505/

TracGuide — The Trac User and Administration Guide 

and trying to make a ticket about that results in "URI too long"...

People, what _is_ up with your issue tracker? (see the 43years thing I posted earlier in this ticket)...

Anyways, the important bits are these I think:

(15:20:10) dnssrv: querying SRV record for jabber.org: _xmpp-client._tcp.jabber.org
(15:20:10) dnssrv: found 2 SRV entries
(15:20:10) dnsquery: Performing DNS lookup for hermes.jabber.org

so my tests with register.jabber.org seem irrelevant, as the handshake is performed with hermes.jabber.org... Going on:

[...]
(15:20:20) gnutls: Starting handshake with jabber.org
(15:20:28) gnutls/x509: Certificate 2.5.4.13=#131075346255714d65634269705257455a79,C=US,ST=Colorado,L=Parker,O=J Peter Saint-Andre,CN=conference.jabber.org,EMAIL=stpeter@jabber.org is issued by C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA, which does not match C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority.
(15:20:28) gnutls: Dropping further peer certificates because the chain is broken!
(15:20:28) gnutls: Handshake complete
(15:20:28) gnutls/x509: Key print: 11:c2:3d:87:3f:95:f8:13:f8:ca:81:33:71:36:a7:00:e0:01:95:ed
(15:20:28) gnutls: Peer provided 3 certs
(15:20:28) gnutls: Lvl 0 SHA1 fingerprint: 11:c2:3d:87:3f:95:f8:13:f8:ca:81:33:71:36:a7:00:e0:01:95:ed
(15:20:28) gnutls: Serial: 01:43:76
(15:20:28) gnutls: Cert DN: 2.5.4.13=#131075346255714d65634269705257455a79,C=US,ST=Colorado,L=Parker,O=J Peter Saint-Andre,CN=conference.jabber.org,EMAIL=stpeter@jabber.org
(15:20:28) gnutls: Cert Issuer DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
(15:20:28) gnutls: Lvl 1 SHA1 fingerprint: 3e:2b:f7:f2:03:1b:96:f3:8c:e6:c4:d8:a8:5d:3e:2d:58:47:6a:0f
(15:20:28) gnutls: Serial: 01
(15:20:28) gnutls: Cert DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority
(15:20:28) gnutls: Cert Issuer DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority
(15:20:28) gnutls: Lvl 2 SHA1 fingerprint: a1:ac:e4:04:6b:6e:33:22:32:b8:7e:cf:b6:f3:7a:07:63:72:01:47
(15:20:28) gnutls: Serial: 1a
(15:20:28) gnutls: Cert DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
(15:20:28) gnutls: Cert Issuer DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority
(15:20:28) gnutls/x509: Certificate 2.5.4.13=#131075346255714d65634269705257455a79,C=US,ST=Colorado,L=Parker,O=J Peter Saint-Andre,CN=conference.jabber.org,EMAIL=stpeter@jabber.org is issued by C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA, which does not match C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority.
(15:20:28) gnutls: Dropping further peer certificates because the chain is broken!
(15:20:28) certificate/x509/tls_cached: Starting verify for jabber.org
(15:20:28) certificate/x509/tls_cached: Checking for cached cert...
(15:20:28) certificate/x509/tls_cached: ...Not in cache
(15:20:28) gnutls/x509: Certificate 2.5.4.13=#131075346255714d65634269705257455a79,C=US,ST=Colorado,L=Parker,O=J Peter Saint-Andre,CN=conference.jabber.org,EMAIL=stpeter@jabber.org is issued by C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA, which does not match 2.5.4.13=#131075346255714d65634269705257455a79,C=US,ST=Colorado,L=Parker,O=J Peter Saint-Andre,CN=conference.jabber.org,EMAIL=stpeter@jabber.org.
(15:20:28) certificate: Checking signature chain for uid=2.5.4.13=#131075346255714d65634269705257455a79,C=US,ST=Colorado,L=Parker,O=J Peter Saint-Andre,CN=conference.jabber.org,EMAIL=stpeter@jabber.org
(15:20:28) certificate: ...Singleton. We'll say it's valid.
(15:20:28) certificate/x509/tls_cached: Checking for a CA with DN=C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
(15:20:28) certificate/x509/tls_cached: Also checking for a CA with DN=2.5.4.13=#131075346255714d65634269705257455a79,C=US,ST=Colorado,L=Parker,O=J Peter Saint-Andre,CN=conference.jabber.org,EMAIL=stpeter@jabber.org
(15:20:28) certificate/x509/tls_cached: No Certificate Authorities with either DN found found. I'll prompt the user, I guess.

comment:9 in reply to: ↑ 8 Changed 6 years ago by datallah

Replying to igel:

Sorry, I cannot add the file to this ticket, I keep getting this:

<SNIP>

That issue was a bug in a Trac plugin that has now been fixed(#15548).

and trying to make a ticket about that results in "URI too long"...

That's caused by your browser not being able to handle a very long URI - it's an issue with Trac, I may report it upstream, but it worked fine for me in Chrome.

People, what _is_ up with your issue tracker? (see the 43years thing I posted earlier in this ticket)...

That was also an issue with the same plugin that has been fixed too - a couple things weren't fully working right when it was updated to work with the latest version of Trac.

comment:10 Changed 6 years ago by igel

So, in hope that it would be an error in gnutls that might have been fixed, I updated gnutls from 2.12.23 to 3.1.9 and ended up with the following new debug log:

(11:16:23) gnutls: Starting handshake with jabber.org
(11:16:24) gnutls/x509: Failed to get Distinguished Name
(11:16:24) gnutls/x509: Certificate (null) is issued by C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA, which does not match C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority.
(11:16:24) gnutls: Dropping further peer certificates because the chain is broken!
(11:16:24) gnutls: Handshake complete
(11:16:24) gnutls/x509: Key print: 11:c2:3d:87:3f:95:f8:13:f8:ca:81:33:71:36:a7:00:e0:01:95:ed
(11:16:24) gnutls: Peer provided 3 certs
(11:16:24) gnutls: Lvl 0 SHA1 fingerprint: 11:c2:3d:87:3f:95:f8:13:f8:ca:81:33:71:36:a7:00:e0:01:95:ed
(11:16:24) gnutls: Serial: 01:43:76
(11:16:24) gnutls: Cert DN: 
(11:16:24) gnutls: Cert Issuer DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
(11:16:24) gnutls: Lvl 1 SHA1 fingerprint: 3e:2b:f7:f2:03:1b:96:f3:8c:e6:c4:d8:a8:5d:3e:2d:58:47:6a:0f
(11:16:24) gnutls: Serial: 01
(11:16:24) gnutls: Cert DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority
(11:16:24) gnutls: Cert Issuer DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority
(11:16:24) gnutls: Lvl 2 SHA1 fingerprint: a1:ac:e4:04:6b:6e:33:22:32:b8:7e:cf:b6:f3:7a:07:63:72:01:47
(11:16:24) gnutls: Serial: 1a
(11:16:24) gnutls: Cert DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
(11:16:24) gnutls: Cert Issuer DN: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority
(11:16:24) gnutls/x509: Failed to get Distinguished Name
(11:16:24) gnutls/x509: Certificate (null) is issued by C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA, which does not match C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority.
(11:16:24) gnutls: Dropping further peer certificates because the chain is broken!

Command-line testing yielded the following (jabber.org turned out to use STARTTLS):

% gnutls-cli -V jabber.org -p 5222 --starttls
Processed 165 CA certificate(s).
Resolving 'jabber.org'...
Connecting to '208.68.163.220:5222'...

- Simple Client Mode:

*** Starting TLS handshake
*** Fatal error: The operation timed out

comment:11 Changed 6 years ago by datallah

It looks like the issue is that jabber.org is sending an out-of-order cert chain:

openssl s_client -connect jabber.org:5222 -starttls xmpp

CONNECTED(00000004)
---
Certificate chain
 0 s:/description=u4bUqMecBipRWEZy/C=US/ST=Colorado/L=Parker/O=J Peter Saint-Andre/CN=conference.jabber.org/emailAddress=stpeter@jabber.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

The Certificate chain ordering should be 0->2->1 and it looks like gnutls is bailing because of that.

The libpurple code to validate certificates can handle this situation and connecting works fine with NSS.

comment:12 Changed 6 years ago by datallah

Actually, it looks like it's the libpurple gnutls code that's giving up when the out-of-order certificate is encountered.

That check is probably unnecessary because the chain is going to be validated subsequently in the core libpurple code (purple_certificate_verify).

It does look like it was added intentionally though: https://hg.pidgin.im/pidgin/main/rev/757baa7d408f

Last edited 6 years ago by datallah (previous) (diff)
Note: See TracTickets for help on using tickets.
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!