GNOME Bugzilla – Bug 635586
Authority Certificate is not trusted
Last modified: 2010-12-13 21:11:16 UTC
Created attachment 175091 [details] gnutls-cli output

I get an untrusted certificate warning when connecting to the jabber server of our firm even though it is signed by a trusted CA. I checked it with gnutls-cli and I get no warning (see attachment).

I debugged empathy-auth-client and I think the problem is in the function real_start_verification in empathy-tls-verifier.c: if you have a certificate chain, the variable num_certs is decremented by one. At the end the function verify_last_certificate is called with the certificate num_cert - 1. This isn't the last certificate in this case and an untrusted error will be thrown.

I will attach a patch with my guessed solution. I know there is a comment why num_certs is decremented but I cannot follow it. While debugging I saw that only certificate #0 is checked against certificate #1 but certificate #1 not against #2 (because of the decremented variable num_certs).

I'm not an expert on certificates and gnutls. Please double-check my considerations ;-) Thank you!
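The index handling described in the report above, modelled as an added C example; it is not Empathy's code or the attached patch. Certificates are reduced to subject and issuer names, and the sample chain, the trust store and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy certificate: names only. Real verification (e.g. in GnuTLS) also
 * checks signatures, validity periods and CA constraints. */
struct cert { const char *subject; const char *issuer; };

/* Constructed sample chain: server cert first, top-most CA cert last. */
static const struct cert sample_chain[3] = {
    { "jabber.example.com", "Example Issuing CA" },
    { "Example Issuing CA", "Example Policy CA"  },
    { "Example Policy CA",  "Example Root CA"    },
};

/* Assumed trust store: a single root CA, identified by name. */
static int issuer_is_trusted(const struct cert *c) {
    return strcmp(c->issuer, "Example Root CA") == 0;
}

static int issued_by(const struct cert *child, const struct cert *parent) {
    return strcmp(child->issuer, parent->subject) == 0;
}

/* Index handling as the report describes it: the count is decremented
 * for multi-certificate chains, so the last link is never checked and
 * the trust check lands on a certificate that is not the last one. */
int verify_chain_decremented(const struct cert *chain, int n) {
    if (n < 1) return 0;
    if (n > 1) n--;
    for (int i = 0; i + 1 < n; i++)
        if (!issued_by(&chain[i], &chain[i + 1])) return 0;
    return issuer_is_trusted(&chain[n - 1]);
}

/* Full walk: every adjacent pair is checked, then the real last
 * certificate is checked against the trust store. */
int verify_chain_full(const struct cert *chain, int n) {
    if (n < 1) return 0;
    for (int i = 0; i + 1 < n; i++)
        if (!issued_by(&chain[i], &chain[i + 1])) return 0;
    return issuer_is_trusted(&chain[n - 1]);
}

int main(void) {
    printf("decremented: %s\n", verify_chain_decremented(sample_chain, 3) ? "trusted" : "untrusted");
    printf("full walk:   %s\n", verify_chain_full(sample_chain, 3) ? "trusted" : "untrusted");
    return 0;
}
```

With the three-certificate sample chain, the decremented walk checks only #0 against #1 and then tests #1 against the trust store, which yields the untrusted result; the full walk reaches #2 and accepts the chain.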
Created attachment 175092 [details] [review] Proposed patch for empathy-tls-verifier.c
Cosimo: does this make sense to you?
Once bug #636258 is merged, the actual verifying of the chain of certificates is done in gnutls rather than being reimplemented in empathy [1]. In addition, building of the certificate chain is done in libgcr [2].

Leo, I hope that these changes will fix your problem. Please reopen this bug if the problem continues.

[1] http://www.gnu.org/software/gnutls/manual/gnutls.html#gnutls_005fx509_005fcrt_005flist_005fverify
[2] http://people.collabora.co.uk/~stefw/gcr-docs/GcrCertificateChain.html

*** This bug has been marked as a duplicate of bug 636258 ***