[Pidgin] #9264: New twitter.com SSL certificate root server unrecognized

Pidgin trac at pidgin.im
Fri May 29 13:10:40 EDT 2009

#9264: New twitter.com SSL certificate root server unrecognized
 Reporter:  zxinn                                       |        Owner:  lschiere    
     Type:  enhancement                                 |       Status:  closed      
Milestone:                                              |    Component:  unclassified
  Version:  2.5.6                                       |   Resolution:  invalid     
 Keywords:  twitter mbpurple certificate ssl microblog  |  

Comment(by darkrain42):

 Replying to [comment:12 bazzargh]:
 > However, I'd add that I consider the cert cache using filenames based on
 the hostname rather than the fingerprint to be a pidgin bug. It means that
 the plugins have to install a ca-cert rather than just add the appropriate
 server cert into the cache, to deal with servers (like twitters) that use
 multiple certs.

 While I do think it's probably reasonable to want to cache more than one
 certificate per host (which would likely require a per-fingerprint storage
 mechanism), it's ''absolutely not'' a good reason to do so to "make it
 easier" for plugins to distribute a set of specific server certificates
 instead of adding the trusted roots (and intermediate CAs) as necessary.
 That defeats the whole purpose of x509 trust chains and, if servers have
 multiple certificates on load-balanced servers, is a silly (and incredibly
 error-prone) way to ensure that the certificates for all of the servers
 are trusted.

 Moreover (I haven't confirmed this), I believe the trusted certificate
 cache is per-user, whereas plugins like this are typically installed

Ticket URL: <http://developer.pidgin.im/ticket/9264#comment:13>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list