Opened at 2012-11-07T11:16:37Z
Closed at 2012-12-23T23:40:52Z
#1007 closed defect (notabug)
Certificate verification problem 0x44: certificate uses an insecure algorithm
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | BitlBee | Version: | devel |
| Keywords: | Cc: | ||
| IRC client+version: | Client-independent | Operating System: | Linux |
| OS version/distro: |
Description
I am hitting the error in the topic when trying to connect to jabber.zeromail.org with "CAfile = /etc/ssl/certs/ca-certificates.crt" in bitlbee.conf and "set tls_verify true".
It seems to not be http://bugs.bitlbee.org/bitlbee/ticket/935.
GnuTLS works: gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 5222 jabber.zeromail.org --starttls
OpenSSL, too: openssl s_client -connect conf.zeromail.org:5222 -starttls xmpp -CApath /etc/ssl/certs/ca-certificates.crt
I even tried adding every vertificate from s_client -showcerts to /etc/ssl/certs/ca-certificates.crt.
The Signature Algorithm of the cert is: sha1WithRSAEncryption, the intermediate has sha256WithRSAEncryption.
What's the problem?
Attachments (0)
Change History (5)
comment:1 Changed at 2012-11-20T16:23:02Z by
comment:2 Changed at 2012-11-20T19:06:24Z by
I see now that the server is using a different CAcert Class3 than currently on the site (https://www.cacert.org/index.php?id=3). But the CAcert root is the same.
Problem is: I *have* tried adding both the Jabber-Server-Cert and their Class3 into /etc/ssl/certs/ca-certificates.crt, but BitlBee still gives me the error. Even with *all* these Certs in there:
44793e4a173d8574b9e75e4401c786bfa17fd2b2 zeromail-jabber SHA1 Fingerprint=BE:1D:CA:F9:7E:51:8C:74:1C:C6:71:4B:85:29:23:91:61:84:4C:71
Subject: CN=zeromail.org
Signature Algorithm: sha1WithRSAEncryption
notBefore=Jul 18 19:19:28 2012 GMT
c3786e9b5e206c76886efa1576d50594818e88de zeromail-class3 SHA1 Fingerprint=DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D
Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
Signature Algorithm: md5WithRSAEncryption
notBefore=Oct 14 07:36:55 2005 GMT
24f9be1f791177f174e8f3277a9788d93eb10776 cacert-class3 SHA1 Fingerprint=AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
Signature Algorithm: sha256WithRSAEncryption
notBefore=May 23 17:48:02 2011 GMT
506fb5538523119fdeddb269bdaa355b1c12a58f root SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@…
Signature Algorithm: md5WithRSAEncryption
notBefore=Mar 30 12:29:49 2003 GMT
comment:3 Changed at 2012-11-20T20:23:13Z by
Adding the intermediate does not work for me either. However this is not related to BitlBee but can also be observed with gnutls-cli:
Greet the server with
<?xml version='1.0'?><stream:stream to='zeromail.org' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
and hit CTRL-D on its response.
It looks to me like this contradicts the the workaround mentioned in #935. But maybe I don't understand it correctly.
comment:4 Changed at 2012-11-20T23:52:15Z by
Ok, fixed it server side by adding the current CAcert Class 3 (with SHA256) to the certificate chain of the Daemon.
comment:5 Changed at 2012-12-23T23:40:52Z by
| Resolution: | → notabug |
|---|---|
| Status: | new → closed |
gnutls-cli does not work when really performing the XMPP STARTTLS handshake by hand.
Both "CAcert Class 3 Root" and "CA Cert Signing Authority" are signed with "RSA-MD5 (broken!)". If I remember the discussion about #935 correctly, adding the intermediate "CAcert Class 3 Root" to the list of trusted certificates should work.