Opened 6 years ago

Closed 2 years ago

#15506 closed defect (out of date)

SSL Alt Name Sporadic Failure

Reported by: geggam Owned by: EionRobb
Milestone: Component: unclassified
Version: 2.10.6 Keywords:
Cc:

Description (last modified by Robby)

When validating ssl certs the subjectaltname check has extra characters preventing success.

The point where Pidgin breaks is here.

(14:07:44) certificate/x509/tls_cached: Also checking for a CA with DN=CN=*.12bar.net,OU=Domain Control Validated,O=*.12bar.net
(14:07:44) certificate/x509/tls_cached: No Certificate Authorities with either DN found found. I'll prompt the user, I guess.


The check should be for a CA with DN=*.12bar.net .... removing the CN=.

***********************

Full check 
(14:07:32) util: Writing file accounts.xml to directory /home/dbecker/.purple
(14:07:32) util: Writing file /home/dbecker/.purple/accounts.xml
(14:07:32) util: Writing file blist.xml to directory /home/dbecker/.purple
(14:07:32) util: Writing file /home/dbecker/.purple/blist.xml
(14:07:33) jabber: jabber_actions: have pep: YES
(14:07:33) account: Connecting to account tester4@12bar.net/.
(14:07:33) connection: Connecting. gc = 0x7f4d4e36fcb0
(14:07:33) dnssrv: querying SRV record for 12bar.net: _xmpp-client._tcp.12bar.net
(14:07:38) util: Writing file accounts.xml to directory /home/dbecker/.purple
(14:07:38) util: Writing file /home/dbecker/.purple/accounts.xml
(14:07:38) dnssrv: found 1 SRV entries
(14:07:38) dnsquery: Performing DNS lookup for xmpp.12bar.net
(14:07:38) dns: Wait for DNS child 15333 failed: No child processes
(14:07:38) dns: Wait for DNS child 15329 failed: No child processes
(14:07:38) dns: Wait for DNS child 15330 failed: No child processes
(14:07:38) dns: Wait for DNS child 15328 failed: No child processes
(14:07:38) dns: Created new DNS child 15480, there are now 1 children.
(14:07:38) dns: Successfully sent DNS request to child 15480
(14:07:43) dns: Got response for 'xmpp.12bar.net'
(14:07:43) dnsquery: IP resolved for xmpp.12bar.net
(14:07:43) proxy: Attempting connection to 199.19.195.162
(14:07:43) proxy: Connecting to xmpp.12bar.net:5222 with no proxy
(14:07:43) proxy: Connection in progress
(14:07:43) proxy: Connecting to xmpp.12bar.net:5222.
(14:07:43) proxy: Connected to xmpp.12bar.net:5222.
(14:07:43) jabber: Sending (tester4@12bar.net): <?xml version='1.0' ?>
(14:07:43) jabber: Sending (tester4@12bar.net): <stream:stream to='12bar.net' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(14:07:44) jabber: Recv (193): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='12bar.net' id='3b22845c-d89c-4392-87c2-8edc628d4968' version='1.0' xml:lang='en'>
(14:07:44) jabber: Recv (330): <stream:features><ver xmlns="urn:xmpp:features:rosterver"/><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms><register xmlns="http://jabber.org/features/iq-register"/><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
(14:07:44) jabber: Sending (tester4@12bar.net): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(14:07:44) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(14:07:44) nss: subject=CN=*.12bar.net,OU=Domain Control Validated,O=*.12bar.net issuer=serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
(14:07:44) nss: partial certificate chain
(14:07:44) certificate/x509/tls_cached: Starting verify for 12bar.net
(14:07:44) certificate/x509/tls_cached: Checking for cached cert...
(14:07:44) certificate/x509/tls_cached: ...Not in cache
(14:07:44) certificate: Checking signature chain for uid=CN=*.12bar.net,OU=Domain Control Validated,O=*.12bar.net
(14:07:44) certificate: ...Singleton. We'll say it's valid.
(14:07:44) certificate/x509/tls_cached: Checking for a CA with DN=serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
(14:07:44) certificate/x509/tls_cached: Also checking for a CA with DN=CN=*.12bar.net,OU=Domain Control Validated,O=*.12bar.net
(14:07:44) certificate/x509/tls_cached: No Certificate Authorities with either DN found found. I'll prompt the user, I guess.
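
The DN strings in the log are RFC 4514 string encodings of X.509 names, in which "CN=" is the attribute type of the first relative distinguished name. The following added example (not Pidgin or libpurple code) parses the subject and issuer DNs copied from the "nss: subject=" line and applies RFC 6125 wildcard matching to the two hostnames that appear in the log; the SAN-before-CN policy in cert_matches_host is an assumption and not a description of libpurple's own check.

```python
"""Added example (not Pidgin/libpurple code): parse the RFC 4514 DN strings
from the log above and match the wildcard CN against the log's hostnames."""
import re

# Subject and issuer DNs copied verbatim from the "nss: subject=" log line.
SUBJECT_DN = "CN=*.12bar.net,OU=Domain Control Validated,O=*.12bar.net"
ISSUER_DN = ('serialNumber=07969287,CN=Go Daddy Secure Certification Authority,'
             'OU=http://certificates.godaddy.com/repository,'
             'O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US')


def parse_dn(dn):
    """Split an RFC 4514 DN string into (type, value) pairs.
    Quoted values such as O="GoDaddy.com, Inc." are kept whole, so the comma
    inside the quotes is not mistaken for an RDN separator.  Multi-valued
    RDNs ('+') and hex-encoded values are not needed for this page's DNs."""
    pairs = []
    for rdn in re.findall(r'(?:[^,"]|"[^"]*")+', dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip().strip('"')))
    return pairs


def wildcard_match(pattern, hostname):
    """RFC 6125 wildcard rule: '*' may only be the whole leftmost label and
    matches exactly one label, so '*.12bar.net' covers 'xmpp.12bar.net' but
    neither the bare '12bar.net' nor 'a.b.12bar.net'."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # no '*.net' style wildcards
    return p == h


def cert_matches_host(subject_dn, sans, hostname):
    """Check a hostname against the certificate's names.  Assumed policy
    (RFC 6125 6.4.4): use subjectAltName dNSName entries when present and
    fall back to the subject CN only when there are none."""
    if sans:
        return any(wildcard_match(s, hostname) for s in sans)
    cns = [v for t, v in parse_dn(subject_dn) if t == "CN"]
    return any(wildcard_match(cn, hostname) for cn in cns)


if __name__ == "__main__":
    for host in ("12bar.net", "xmpp.12bar.net"):  # both appear in the log
        print(f"{host}: {cert_matches_host(SUBJECT_DN, [], host)}")
```

Run against the log's values, the wildcard CN covers xmpp.12bar.net but not the bare 12bar.net that the verify step names, unless a SAN for the bare domain is present.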

Change History (3)

comment:1 Changed 6 years ago by Robby

  • Description modified (diff)

comment:2 Changed 5 years ago by rekkanoryo

  • Owner changed from rekkanoryo to EionRobb

comment:3 Changed 2 years ago by dx

  • Resolution set to out of date
  • Status changed from new to closed

NSS SSL certificate validation has changed completely since the version this was reported for, and now it's completely up to NSS to do validation.
