Re: problems with MSN certificate chain

2013-04-18 Thread AFlanag5
hello,

please advise re: security certificate error warning as follows:

AOL, my provider, downloaded software 'fixes' due to 100's of errors,
particularly server errors. AOL.Download package contained Bing, msn, as
well as Internet Explorer update from 9.7 to 10.
Pute is humming and vibrating, including script hesitation and/or
missing scripts.

The certificate states (in order from bottom to top): 1/ Bing 2/ MSIT
3/ Microsoft Internet Authority 4/ Baltimore Trust Authority.

Error warning was issued when the certificate pop up appeared with a
(yellow ?). It continued to warn
that the security certificate was 'Invalid' or 'Does not match the name
of the site'.
Also: the webpages will not display since AOL downloaded their software.
Originally, IE would not display: 'Cannot display this page'.
Navigation is always cancelled stating it 'Cannot resolve address',
which was cancelled by Bing, which is connected with msn and IE.
NOTES also stated (with a yellow ? that was highlighted and next to):
Basic Constraints Subject Type=CA, followed with: 'The Path Length
Constraint is 0' (also highlighted with a warning containing '?').
MSIT Machine Authority CA 2: Ensures identity of remote access.
It was noted as 'offline signing'. It is noted the certificate is
o.k. / dates are valid.
I use the wizard for all my certificates, but only after I check them.
This particular cert pops up continuously.
Thank-you for your assistance,
Ann
 
 
 
 ___
Support@pidgin.im mailing list
Want to unsubscribe?  Use this link:
http://pidgin.im/cgi-bin/mailman/listinfo/support

Re: problems with MSN certificate chain

2013-01-19 Thread David Woolley

Matthias Apitz wrote:

On Friday, January 18, 2013 at 05:23:30PM +, David Woolley wrote:


David Woolley wrote:

To the extent that that is the problem, simply replacing the .pem file 
with a current one should sort the problem.  I don't know if you will 
The server certificates don't seem to include the full certificate 
chain, so I think you will need to install the pem file for MSIT Machine 
Authority CA-2.  Doing so may be more important than correcting the 
expired certificate.  (I'm wondering if Pidgin is ignoring expiry dates.)


The immediate signer of an earlier certificate was Microsoft Secure 
Server Authority, which is known to Pidgin, but also expired in 
February 2011.


There is a ticket at
https://developer.pidgin.im/ticket/15468
and I have copied the certificate Baltimore_CyberTrust_Root.pem
which is attached there on my FreeBSD system to 
/usr/local/share/purple/ca-certs/
and all is fine again (until March 15, of course).



I was just going to post that link!  I guess that MSN is sending the 
whole certificate chain, even though Pidgin isn't storing it, so Pidgin 
is able to track back to the overall root.


The issue report says this is scheduled for Pidgin 2.10.7.

There are still a lot of expired certificates.

--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



Re: problems with MSN certificate chain

2013-01-19 Thread David Woolley

David Woolley wrote:


There are still a lot of expired certificates.



A lot turns out to be two, the two that I sampled, both MSN related 
intermediate ones:


Microsoft_Internet_Authority.pem:
Not After : Feb 19 18:24:53 2011 GMT

Microsoft_Secure_Server_Authority.pem:
Not After : Feb 19 18:24:53 2011 GMT

I may raise a bug report, but first I have to find out if I ever 
registered, and if so, what user name I used, or register again, so if 
someone has an account and can get in first, I'd appreciate it.


for i in *.pem; do echo "$i:"; openssl x509 -text -noout -in "$i" | grep After; done


--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



Re: problems with MSN certificate chain

2013-01-19 Thread Matthias Apitz
On Saturday, January 19, 2013 at 12:43:00PM +, David Woolley wrote:

> David Woolley wrote:
> 
> > There are still a lot of expired certificates.
> > 
> 
> A lot turns out to be two, the two that I sampled, both MSN related 
> intermediate ones:
> 
> Microsoft_Internet_Authority.pem:
> Not After : Feb 19 18:24:53 2011 GMT
> 
> Microsoft_Secure_Server_Authority.pem:
> Not After : Feb 19 18:24:53 2011 GMT
> 
> I may raise a bug report, but first I have to find out if I ever 
> registered, and if so, what user name I used, or register again, so if 
> someone has an account and can get in first, I'd appreciate it.
> 
> for i in *.pem; do echo "$i:"; openssl x509 -text -noout -in "$i" | grep After; done

I have in addition in /usr/local/share/purple/ca-certs:

Verisign_RSA_Secure_Server_CA.pem: 
Not After : Jan  7 23:59:59 2010 GMT

and have an account at https://developer.pidgin.im/
Do you want me to file a report there?

matthias
-- 
Matthias Apitz   |  /\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: g...@unixarea.de |  \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X  - No proprietary attachments
phone: +49-170-4527211   |  / \ - Respect for open standards



Re: problems with MSN certificate chain

2013-01-18 Thread David Woolley

Matthias Apitz wrote:


Since today morning I can't connect to MSN anymore; it says that the
certificates can't be validated;


This is the second report to the list.

I tried using a Windows Pidgin (probably a little dated).  This also 
produces a certificate warning, but I imagine most Windows users would 
just select the option to ignore the problem.


Looking at the certificate, I think the problem is that the certificate 
is for contacts.msn.com, but the server is local-bay.contacts.msn.com. 
An earlier certificate for a server in the contacts.msn.com domain 
(omega.contacts.msn.com) seems to be a wild card certificate (Subject: 
*.contacts.msn.com).


My guess is that someone in Microsoft forgot the *. when creating the 
certificate.


I guess a work round for this that treated all MSN certificates as wild 
card wouldn't compromise security too much, but I suspect the amount of 
work involved is disproportionate, given that the MSN service is in lame 
duck mode.


Easier work rounds are likely to compromise security too much.

I'm not sure how Pidgin handles certificate chains on *nix, as there is 
no standard place for trusted certificates, but the certificate chain 
is:  Baltimore Cyber Trust Root  Microsoft Internet Authority  MSIT 
Machine Authority CA-2  contacts.msn.com.


I'm concerned about the security of the real Messenger application if it 
is not picking up on this error.


Note that I am in a weakly firewalled environment, so all possible 
options for accessing the servers are open.


--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.

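The name mismatch David describes above (a certificate naming contacts.msn.com presented by local-bay.contacts.msn.com, versus the earlier *.contacts.msn.com wildcard) comes down to the hostname-matching rule a TLS client applies. The following is an added example, not Pidgin's code: a simplified RFC 6125 matcher run over constructed names taken from the thread, showing why the plain name fails, why the wildcard succeeds, and which wildcard forms a careful client still refuses.

```python
"""Hostname-vs-certificate-name matching as a TLS client performs it.

Added example, not Pidgin code.  The rules follow RFC 6125 section 6.4.3
(simplified): whole-label, case-insensitive comparison; a wildcard is only
honoured as the entire left-most label and matches exactly one label.
"""


def _labels(name: str) -> list:
    # Lower-case, drop one trailing dot, split into DNS labels.
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, host: str) -> bool:
    """True if a DNS name from a certificate covers the connected hostname.

    * 'contacts.msn.com' covers only that exact host, so it does NOT cover
      'local-bay.contacts.msn.com' (the mismatch seen in the thread).
    * '*.contacts.msn.com' covers 'omega.contacts.msn.com' and
      'local-bay.contacts.msn.com', but not 'a.b.contacts.msn.com'
      (one label only) and not the bare 'contacts.msn.com'.
    * 'lo*.contacts.msn.com' (partial wildcard) and '*.com' are refused.
    """
    cert_labels, host_labels = _labels(cert_name), _labels(host)
    if "*" not in cert_name:
        return cert_labels == host_labels
    if cert_labels[0] != "*" or any("*" in lab for lab in cert_labels[1:]):
        return False  # partial wildcard, or wildcard not in the left-most label
    if len(cert_labels) < 3:
        return False  # refuse '*.com'-style wildcards
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]


def check_presented_names(presented: list, host: str) -> dict:
    """Evaluate every name a certificate carries against the hostname.

    Returns the names that matched and the verdict a client would give:
    'ok' when at least one matches, otherwise 'name mismatch' (what the
    thread's users saw as 'does not match the name of the site').
    """
    matched = [n for n in presented if name_matches(n, host)]
    return {"host": host, "matched": matched,
            "verdict": "ok" if matched else "name mismatch"}


if __name__ == "__main__":
    # Constructed inputs based on the names discussed in the thread.
    for names, host in [
        (["contacts.msn.com"], "local-bay.contacts.msn.com"),
        (["*.contacts.msn.com"], "omega.contacts.msn.com"),
        (["*.contacts.msn.com"], "a.b.contacts.msn.com"),
        (["*.msn.com"], "local-bay.contacts.msn.com"),
    ]:
        print(check_presented_names(names, host))
```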


Re: problems with MSN certificate chain

2013-01-18 Thread David Woolley

David Woolley wrote:



I tried using a Windows Pidgin (probably a little dated).  This also 


2.10.3, so not that dated.

produces a certificate warning, but I imagine most Windows users would 
just select the option to ignore the problem.


Looking at the certificate, I think the problem is that the certificate 
is for contacts.msn.com, but the server is local-bay.contacts.msn.com. 
An earlier certificate for a server in the contacts.msn.com domain 
(omega.contacts.msn.com) seems to be a wild card certificate (Subject: 
*.contacts.msn.com).


Although the lack of wild card may be a problem, based on off list 
information from Matthias, it looks like Pidgin doesn't use the OS root 
certificates, even on Windows.


In my case, the intermediate certificate for Microsoft Internet 
Authority has expired.  My guess is that Pidgin only checks the chain 
when it sees a new certificate, so an out of date certificate may not 
show up immediately.


To the extent that that is the problem, simply replacing the .pem file 
with a current one should sort the problem.  I don't know if you will 
then get an error because of the wild card problem.  The safest way to 
do this is probably to extract the current certificate from a web 
browser. Simply publishing the certificate on the internet is not safe, 
as most people, particularly on non-Windows systems, will not be able to 
validate it properly against the Baltimore Cyber Trust one.


If exporting from Windows, you probably need the base 64 option when 
doing copy to file.


As I'm not actively using Pidgin for MSN, I don't want to download the 
latest Pidgin in peak time, but if anyone else could check the expiry 
date on the certificate, it would be useful.  On Windows it is in 
\program files\pidgin\ca-certs.  You will need to copy it to a .cer name 
before you can launch the Windows certificate viewer.


According to Matthias, on *nix, it is under 
/usr/local/share/purple/ca-certs.  You will probably need to use OpenSSL 
to view the details.






--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



Re: problems with MSN certificate chain

2013-01-18 Thread Ethan Blanton
David Woolley spake unto us the following wisdom:
> Looking at the certificate, I think the problem is that the
> certificate is for contacts.msn.com, but the server is
> local-bay.contacts.msn.com. An earlier certificate for a server in
> the contacts.msn.com domain (omega.contacts.msn.com) seems to be a
> wild card certificate (Subject: *.contacts.msn.com).
> 
> Although the lack of wild card may be a problem, based on off list
> information from Matthias, it looks like Pidgin doesn't use the OS
> root certificates, even on Windows.

Pidgin doesn't use the OS root certificates *only* on Windows.

Ethan



Re: problems with MSN certificate chain

2013-01-18 Thread Michael Secord
As it is, I've noticed this MSN popup the last few days, but today I 
haven't been prompted with it, so maybe the issue is already resolved on 
MSN's side?


Ethan Blanton wrote:

David Woolley spake unto us the following wisdom:

Looking at the certificate, I think the problem is that the
certificate is for contacts.msn.com, but the server is
local-bay.contacts.msn.com. An earlier certificate for a server in
the contacts.msn.com domain (omega.contacts.msn.com) seems to be a
wild card certificate (Subject: *.contacts.msn.com).

Although the lack of wild card may be a problem, based on off list
information from Matthias, it looks like Pidgin doesn't use the OS
root certificates, even on Windows.

Pidgin doesn't use the OS root certificates *only* on Windows.

Ethan



Re: problems with MSN certificate chain

2013-01-18 Thread David Woolley

Ethan Blanton wrote:



Pidgin doesn't use the OS root certificates *only* on Windows.



At least some Linux distributions don't have an OS level certificate 
store; each application maintains its own set of root certificates.


On the other hand, applications like Firefox, which would use their own 
store on Linux use the system one on Windows.


--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



Re: problems with MSN certificate chain

2013-01-18 Thread Matthias Apitz
On Friday, January 18, 2013 at 08:52:16AM -0500, Ethan Blanton wrote:

> David Woolley spake unto us the following wisdom:
> > Looking at the certificate, I think the problem is that the
> > certificate is for contacts.msn.com, but the server is
> > local-bay.contacts.msn.com. An earlier certificate for a server in
> > the contacts.msn.com domain (omega.contacts.msn.com) seems to be a
> > wild card certificate (Subject: *.contacts.msn.com).
> > 
> > Although the lack of wild card may be a problem, based on off list
> > information from Matthias, it looks like Pidgin doesn't use the OS
> > root certificates, even on Windows.
> 
> Pidgin doesn't use the OS root certificates *only* on Windows.

Hi Ethan,
I'm not a native English speaker and do not understand your phrase; could you
please explain what you say; thanks

matthias
-- 
Sent from my FreeBSD netbook

Matthias Apitz   |  - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de |  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |  - No proprietary attachments
phone: +49-170-4527211   |  - Respect for open standards



Re: problems with MSN certificate chain

2013-01-18 Thread Ethan Blanton
Matthias Apitz spake unto us the following wisdom:
> > Pidgin doesn't use the OS root certificates *only* on Windows.
> 
> I'm not a native English speaker and do not understand your phrase; could you
> please explain what you say; thanks

On non-Windows systems, there is often a certificate store that Pidgin
can use.  This includes all of the major Linux distributions.  Pidgin
packages can be configured to use this store, or they can be
configured to use their internal certificates, it is up to the package
creator.

On Windows, we don't use the system store.  I don't know why not, I
assume it's painful, probably because of poor OS design and
implementation.

Ethan



Re: problems with MSN certificate chain

2013-01-18 Thread Fosforo
the SHA1 of the popup certificate for  local-bay.contacts.msn.com i am
getting is:

f6:56:e3:29:84:86:8b:6b:38:fd:e4:aa:70:1a:00:4a:33:4d:ba:04

just would like to confirm it is valid before accept.

--
[]s Fosforo
-
If I had eight hours to chop down a tree, I would spend six sharpening
my axe.
-Abraham Lincoln
-

On Fri, Jan 18, 2013 at 1:37 PM, Ethan Blanton e...@pidgin.im wrote:
> Matthias Apitz spake unto us the following wisdom:
> > Pidgin doesn't use the OS root certificates *only* on Windows.
> 
> > I'm not a native English speaker and do not understand your phrase; could you
> > please explain what you say; thanks
> 
> On non-Windows systems, there is often a certificate store that Pidgin
> can use.  This includes all of the major Linux distributions.  Pidgin
> packages can be configured to use this store, or they can be
> configured to use their internal certificates, it is up to the package
> creator.
> 
> On Windows, we don't use the system store.  I don't know why not, I
> assume it's painful, probably because of poor OS design and
> implementation.
> 
> Ethan



Re: problems with MSN certificate chain

2013-01-18 Thread David Woolley

Ethan Blanton wrote:



On Windows, we don't use the system store.  I don't know why not, I
assume it's painful, probably because of poor OS design and
implementation.


Probably because one would have to use all of the Windows public key 
infrastructure, instead of the open source implementation.


The non-Windows ones are probably designed for use with OpenSSL.

In Matthias' case, he ran a system call trace, and Pidgin is using 
/usr/local/share/purple/ca-certs, which is clearly a private store in 
Pidgin.  This is on FreeBSD.


The Microsoft Internet Authority certificate in 2.10.3 expired in 
February 2011.  My Windows copy was installed in March 2012 and would 
have been current, then.


It looks like the Microsoft Internet Authority certificate in the source 
tarball for 2.10.6 is also expired (on February 19th 2011), even though 
the extracted file is dated 2012-07-01.  As that is the current 
version, there is definitely a *problem* with Pidgin on any system using 
the certificates it provides.


(As it looks like Pidgin caches the server certificates, I suspect the 
problem only shows up when people use a server they weren't previously 
using, or which, itself, has expired.  On the other hand, it should not 
be using a certificate that is past the lowest expiry date of any 
certificate on its chain.)


--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.

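Two points in the thread lend themselves to a small audit script: the `for i in *.pem; do ... openssl x509 -text ... | grep After` loop David ran over the ca-certs directory in his 2013-01-19 post, and his remark above that a chain should not be trusted past the lowest expiry date of any certificate on it. The following is an added example, not Pidgin's or OpenSSL's code: it parses the `Not After` lines openssl prints, lists which certificates in a store were already expired on a given date, and computes a chain's effective lifetime. The sample store is constructed from the dates quoted in the thread; the `Baltimore_CyberTrust_Root.pem` date is an assumed placeholder so the chain has one live member, and the `openssl_outputs` helper is only there for running it against a real directory.

```python
"""Expiry audit for a directory of PEM CA certificates (added example).

Parses the 'Not After' line of `openssl x509 -text` output, as the thread's
shell loop printed it, and reports expired files and the earliest expiry in
a chain, which is the date after which the whole chain is untrustworthy.
"""
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path

NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(openssl_text: str) -> datetime:
    """Extract notAfter from openssl's text dump, e.g. 'Not After : Feb 19 18:24:53 2011 GMT'.

    openssl space-pads single-digit days ('Jan  7'), so whitespace is collapsed first.
    """
    m = NOT_AFTER_RE.search(openssl_text)
    if not m:
        raise ValueError("no 'Not After' field in openssl output")
    stamp = " ".join(m.group(1).split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def expired_certs(outputs: dict, now: datetime) -> dict:
    """Map file name -> notAfter for every certificate already expired at `now`."""
    return {name: na for name, text in outputs.items()
            if (na := parse_not_after(text)) < now}


def chain_valid_until(outputs: dict, chain: list) -> datetime:
    """A chain is only trustworthy until its earliest-expiring member."""
    return min(parse_not_after(outputs[name]) for name in chain)


def openssl_outputs(directory: str) -> dict:
    """Run openssl over every *.pem in `directory` (what the thread's loop did).

    Not used by the sample run below, so the example works without openssl.
    """
    out = {}
    for pem in sorted(Path(directory).glob("*.pem")):
        res = subprocess.run(["openssl", "x509", "-noout", "-text", "-in", str(pem)],
                             capture_output=True, text=True, check=True)
        out[pem.name] = res.stdout
    return out


# Constructed sample: the 'Not After' lines reported in the thread, plus an
# assumed date for the root (placeholder, not the real certificate's value).
SAMPLE = {
    "Microsoft_Internet_Authority.pem": "Not After : Feb 19 18:24:53 2011 GMT\n",
    "Microsoft_Secure_Server_Authority.pem": "Not After : Feb 19 18:24:53 2011 GMT\n",
    "Verisign_RSA_Secure_Server_CA.pem": "Not After : Jan  7 23:59:59 2010 GMT\n",
    "Baltimore_CyberTrust_Root.pem": "Not After : May 12 23:59:00 2025 GMT\n",  # assumed
}
REPORT_DATE = datetime(2013, 1, 19, tzinfo=timezone.utc)  # date of the thread's audit

if __name__ == "__main__":
    for name, when in expired_certs(SAMPLE, REPORT_DATE).items():
        print(f"EXPIRED {name}: {when:%Y-%m-%d}")
    chain = ["Baltimore_CyberTrust_Root.pem", "Microsoft_Internet_Authority.pem"]
    print("chain usable until", chain_valid_until(SAMPLE, chain))
```

To audit a live store, replace `SAMPLE` with `openssl_outputs("/usr/local/share/purple/ca-certs")` and `REPORT_DATE` with the current UTC time.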


Re: problems with MSN certificate chain

2013-01-18 Thread David Woolley

Fosforo wrote:

the SHA1 of the popup certificate for  local-bay.contacts.msn.com i am
getting is:

f6:56:e3:29:84:86:8b:6b:38:fd:e4:aa:70:1a:00:4a:33:4d:ba:04

just would like to confirm it is valid before accept.



Unfortunately I deleted it, and didn't write down the OpenSSL 
fingerprint.  The copy I got, had a valid certificate chain using the 
Windows certificate tool.


Does Pidgin store it, even if you reject it?  If so, copy it to Windows, 
if you have access, then rename it as .cer and launch it.  It will 
produce the Windows install certificate dialogue, from where you can 
check the certificate chain.



--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



Re: problems with MSN certificate chain

2013-01-18 Thread David Woolley

David Woolley wrote:

To the extent that that is the problem, simply replacing the .pem file 
with a current one should sort the problem.  I don't know if you will 


The server certificates don't seem to include the full certificate 
chain, so I think you will need to install the pem file for MSIT Machine 
Authority CA-2.  Doing so may be more important than correcting the 
expired certificate.  (I'm wondering if Pidgin is ignoring expiry dates.)


The immediate signer of an earlier certificate was Microsoft Secure 
Server Authority, which is known to Pidgin, but also expired in 
February 2011.


--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



Re: problems with MSN certificate chain

2013-01-18 Thread Matthias Apitz
On Friday, January 18, 2013 at 04:34:03PM +, David Woolley wrote:

> Probably because one would have to use all of the Windows public key 
> infrastructure, instead of the open source implementation.
> 
> The non-Windows ones are probably designed for use with OpenSSL.
> 
> In Matthias' case, he ran a system call trace, and Pidgin is using 
> /usr/local/share/purple/ca-certs, which is clearly a private store in 
> Pidgin.  This is on FreeBSD.

Note: the directory /usr/local/share/purple/ca-certs is not writeable
by normal users; it is owned by 'root', i.e. the files
there were stored when I compiled(!) and installed pidgin in December 2011.

matthias
-- 
Sent from my FreeBSD netbook

Matthias Apitz   |  - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de |  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |  - No proprietary attachments
phone: +49-170-4527211   |  - Respect for open standards



Re: problems with MSN certificate chain

2013-01-18 Thread David Woolley

Matthias Apitz wrote:

On Friday, January 18, 2013 at 04:34:03PM +, David Woolley wrote:

Probably because one would have to use all of the Windows public key 
infrastructure, instead of the open source implementation.


The non-Windows ones are probably designed for use with OpenSSL.

In Matthias' case, he ran a system call trace, and Pidgin is using 
/usr/local/share/purple/ca-certs, which is clearly a private store in 
Pidgin.  This is on FreeBSD.


Note: the directory /usr/local/share/purple/ca-certs is not writeable
by normal users; it is owned by 'root', i.e. the files
there were stored when I compiled(!) and installed pidgin in December 2011.


These are not files that should be updated quietly as they are critical 
to the security of encrypted IM services.  As they are private to 
Pidgin, they can only safely be updated by installing a later version of 
Pidgin, or by explicitly placing them there yourself.  However, even the 
latest version has long dead certificates.


I would guess that, on a system with shared root certificates, they 
would be updated by the standard package update procedure.


In fact, as I think I noted off list, on Windows, for applications using 
the Windows certificate store, updates aren't actually automatic.  That 
is probably because an organisation seriously interested in security 
would only want to enable certain certification services from certain 
certifiers.  Very few people have heard of most of the organisations 
that Microsoft allow to vouch for a site's identity, and even the well 
known ones have various levels of check on the identity of the people 
they certify.



--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
