#1007 closed defect (notabug)

Certificate verification problem 0x44: certificate uses an insecure algorithm

Reported by: ilf@… Owned by:
Priority: normal Milestone:
Component: BitlBee Version: devel
Keywords: Cc:
IRC client+version: Client-independent Operating System: Linux
OS version/distro:


I am hitting the error in the topic when trying to connect to with "CAfile = /etc/ssl/certs/ca-certificates.crt" in bitlbee.conf and "set tls_verify true".

It seems to not be

GnuTLS works: gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 5222 --starttls

OpenSSL, too: openssl s_client -connect -starttls xmpp -CApath /etc/ssl/certs/ca-certificates.crt

I even tried adding every vertificate from s_client -showcerts to /etc/ssl/certs/ca-certificates.crt.

The Signature Algorithm of the cert is: sha1WithRSAEncryption, the intermediate has sha256WithRSAEncryption.

What's the problem?

Attachments (0)

Change History (5)

comment:1 Changed at 2012-11-20T16:23:02Z by AopicieR <ph@…>

gnutls-cli does not work when really performing the XMPP STARTTLS handshake by hand.

Both "CAcert Class 3 Root" and "CA Cert Signing Authority" are signed with "RSA-MD5 (broken!)". If I remember the discussion about #935 correctly, adding the intermediate "CAcert Class 3 Root" to the list of trusted certificates should work.

comment:2 Changed at 2012-11-20T19:06:24Z by ilf@…

I see now that the server is using a different CAcert Class3 than currently on the site ( But the CAcert root is the same.

Problem is: I *have* tried adding both the Jabber-Server-Cert and their Class3 into /etc/ssl/certs/ca-certificates.crt, but BitlBee still gives me the error. Even with *all* these Certs in there:

44793e4a173d8574b9e75e4401c786bfa17fd2b2 zeromail-jabber SHA1 Fingerprint=BE:1D:CA:F9:7E:51:8C:74:1C:C6:71:4B:85:29:23:91:61:84:4C:71


Signature Algorithm: sha1WithRSAEncryption

notBefore=Jul 18 19:19:28 2012 GMT

c3786e9b5e206c76886efa1576d50594818e88de zeromail-class3 SHA1 Fingerprint=DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D

Subject: O=CAcert Inc., OU=, CN=CAcert Class 3 Root

Signature Algorithm: md5WithRSAEncryption

notBefore=Oct 14 07:36:55 2005 GMT

24f9be1f791177f174e8f3277a9788d93eb10776 cacert-class3 SHA1 Fingerprint=AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE

Subject: O=CAcert Inc., OU=, CN=CAcert Class 3 Root

Signature Algorithm: sha256WithRSAEncryption

notBefore=May 23 17:48:02 2011 GMT

506fb5538523119fdeddb269bdaa355b1c12a58f root SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33

Subject: O=Root CA, OU=, CN=CA Cert Signing Authority/emailAddress=support@…

Signature Algorithm: md5WithRSAEncryption

notBefore=Mar 30 12:29:49 2003 GMT

comment:3 Changed at 2012-11-20T20:23:13Z by AopicieR <ph@…>

Adding the intermediate does not work for me either. However this is not related to BitlBee but can also be observed with gnutls-cli:

Greet the server with

<?xml version='1.0'?><stream:stream to='' xmlns='jabber:client' xmlns:stream='' version='1.0'><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

and hit CTRL-D on its response.

It looks to me like this contradicts the the workaround mentioned in #935. But maybe I don't understand it correctly.

comment:4 Changed at 2012-11-20T23:52:15Z by ilf@…

Ok, fixed it server side by adding the current CAcert Class 3 (with SHA256) to the certificate chain of the Daemon.

comment:5 Changed at 2012-12-23T23:40:52Z by wilmer

Resolution: notabug
Status: newclosed

Modify Ticket

as closed The ticket will remain with no owner.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.