Pidgin 2.7.3 on Maemo5 - SSL certificates for MSN invalid

David Woolley forums at david-woolley.me.uk
Sun Nov 21 11:45:34 EST 2010


Etan Reisner wrote:

> 
> To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue

As this is telling people to do something potentially dangerous, I think 
it should also tell them to check that the issuer and subject on each 
certificate is different, i.e. that they are not being fed a potentially 
bogus root certificate.

It may be safe to fetch the intermediate certificates from an untrusted 
source, but only if they really are only intermediate ones.  At least I 
think that is true, but it is possible that openssl will stop when it 
finds a locally trusted intermediate certificate, in which case they 
need to verify the certificate chain before installing them.

I know that some browsers will accept a locally trusted leaf 
certificate, even though they don't trust the corresponding root.

-- 
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.



More information about the Support mailing list