#1007 closed defect (notabug)

Certificate verification problem 0x44: certificate uses an insecure algorithm

Reported by: ilf@…
Owned by:
Priority: normal
Milestone:
Component: BitlBee
Version: devel
Keywords:
Cc:
IRC client+version: Client-independent
Operating System: Linux
OS version/distro:

Description

I am hitting the error in the topic when trying to connect to jabber.zeromail.org with "CAfile = /etc/ssl/certs/ca-certificates.crt" in bitlbee.conf and "set tls_verify true".

It seems to not be http://bugs.bitlbee.org/bitlbee/ticket/935.

GnuTLS works: gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 5222 jabber.zeromail.org --starttls

OpenSSL, too: openssl s_client -connect conf.zeromail.org:5222 -starttls xmpp -CApath /etc/ssl/certs/ca-certificates.crt

I even tried adding every certificate from s_client -showcerts to /etc/ssl/certs/ca-certificates.crt.

The Signature Algorithm of the cert is: sha1WithRSAEncryption, the intermediate has sha256WithRSAEncryption.

What's the problem?

Change History (5)

comment:1 Changed at 2012-11-20T16:23:02Z by AopicieR <ph@…>

gnutls-cli does not work when really performing the XMPP STARTTLS handshake by hand.

Both "CAcert Class 3 Root" and "CA Cert Signing Authority" are signed with "RSA-MD5 (broken!)". If I remember the discussion about #935 correctly, adding the intermediate "CAcert Class 3 Root" to the list of trusted certificates should work.

comment:2 Changed at 2012-11-20T19:06:24Z by ilf@…

I see now that the server is using a different CAcert Class3 than currently on the site (https://www.cacert.org/index.php?id=3). But the CAcert root is the same.

Problem is: I *have* tried adding both the Jabber-Server-Cert and their Class3 into /etc/ssl/certs/ca-certificates.crt, but BitlBee still gives me the error. Even with *all* these Certs in there:

44793e4a173d8574b9e75e4401c786bfa17fd2b2 zeromail-jabber SHA1 Fingerprint=BE:1D:CA:F9:7E:51:8C:74:1C:C6:71:4B:85:29:23:91:61:84:4C:71

Subject: CN=zeromail.org

Signature Algorithm: sha1WithRSAEncryption

notBefore=Jul 18 19:19:28 2012 GMT

c3786e9b5e206c76886efa1576d50594818e88de zeromail-class3 SHA1 Fingerprint=DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D

Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root

Signature Algorithm: md5WithRSAEncryption

notBefore=Oct 14 07:36:55 2005 GMT

24f9be1f791177f174e8f3277a9788d93eb10776 cacert-class3 SHA1 Fingerprint=AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE

Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root

Signature Algorithm: sha256WithRSAEncryption

notBefore=May 23 17:48:02 2011 GMT

506fb5538523119fdeddb269bdaa355b1c12a58f root SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33

Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@…

Signature Algorithm: md5WithRSAEncryption

notBefore=Mar 30 12:29:49 2003 GMT

comment:3 Changed at 2012-11-20T20:23:13Z by AopicieR <ph@…>

Adding the intermediate does not work for me either. However this is not related to BitlBee but can also be observed with gnutls-cli:

Greet the server with

<?xml version='1.0'?><stream:stream to='zeromail.org' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

and hit CTRL-D on its response.

It looks to me like this contradicts the workaround mentioned in #935. But maybe I don't understand it correctly.

comment:4 Changed at 2012-11-20T23:52:15Z by ilf@…

Ok, fixed it server side by adding the current CAcert Class 3 (with SHA256) to the certificate chain of the Daemon.

comment:5 Changed at 2012-12-23T23:40:52Z by wilmer

Resolution: notabug
Status: new → closed
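
An added example, not code from this ticket or from BitlBee: a standard-library Python check that reads a PEM bundle (such as the output of `openssl s_client -showcerts`) and lists the non-self-signed certificates that carry an MD5 signature, which is the condition the fix in comment:4 removed. The names `children`, `cert_info`, `audit` and `WEAK` are hypothetical. The two sample chains are constructed skeletal DER modelled on the subjects and signature algorithms quoted in comment:2, and that the server also sends the root is an assumption.

```python
import base64, re
SIG_ALGS = {  # DER hex of the PKCS #1 signature OIDs named in the ticket
    "2a864886f70d010104": "md5WithRSAEncryption",
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption"}  # assumption: only MD5 is treated as insecure here

def children(buf):  # split DER content bytes into (tag, body) pairs
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def cert_info(der):
    """Return (last subject attribute, self_signed, signature algorithm) for one certificate."""
    tbs, alg = (body for _, body in children(children(der)[0][1])[:2])
    f = children(tbs)
    f = f[1:] if f[0][0] == 0xA0 else f  # skip the optional [0] version field
    issuer, subject = f[2][1], f[4][1]
    attr = children(children(children(subject)[-1][1])[0][1])  # last RDN: [OID, value]
    alg_name = SIG_ALGS.get(children(alg)[0][1].hex(), "unknown")
    return attr[1][1].decode("utf-8", "replace"), subject == issuer, alg_name

def audit(pem_bundle):
    """List (subject, algorithm) for non-self-signed certificates with a weak signature."""
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_bundle, re.S)
    certs = [cert_info(base64.b64decode(p)) for p in pems]
    # A self-signed root is trusted by its presence in the CA file; its own signature is skipped.
    return [(cn, alg) for cn, self_signed, alg in certs if alg in WEAK and not self_signed]

# Constructed sample input: skeletal DER holding only the fields read above (not real certificates).
def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form length; samples stay under 128 bytes
def sample(subject, issuer, alg_hex):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(alg_hex)) + tlv(0x05))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name(issuer) + tlv(0x30) + name(subject))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

MD5, SHA1, SHA256 = SIG_ALGS  # dict keys, in insertion order
ROOT, CLASS3 = "CA Cert Signing Authority", "CAcert Class 3 Root"
LEAF = sample("zeromail.org", CLASS3, SHA1)
CHAIN_OLD = LEAF + sample(CLASS3, ROOT, MD5) + sample(ROOT, ROOT, MD5)     # 2005 Class 3
CHAIN_NEW = LEAF + sample(CLASS3, ROOT, SHA256) + sample(ROOT, ROOT, MD5)  # after comment:4
```

`audit(CHAIN_OLD)` reports the MD5-signed Class 3 intermediate, while `audit(CHAIN_NEW)` is empty even though the root is still self-signed with MD5.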
