GNOME Bugzilla – Bug 647635
Empathy rejects Facebook's certificate
Last modified: 2011-04-21 07:12:43 UTC
Empathy always claims the certificate is invalid when connecting to FB.

(empathy-auth-client:9262): empathy-DEBUG: auth_factory_new_tls_handler_cb: New TLS server handler received from the factory
(empathy-auth-client:9262): empathy-DEBUG: empathy_tls_verifier_verify_async: Starting verification
(empathy-auth-client:9262): empathy-DEBUG: empathy_server_tls_handler_finalize: 0x15f8850
(empathy-auth-client:9262): empathy-DEBUG: perform_verification: Performing verification
(empathy-auth-client:9262): empathy-DEBUG: debug_certificate_chain: Certificate chain: length 1 status incomplete
(empathy-auth-client:9262): empathy-DEBUG: debug_certificate: Certificate: C=US, ST=California, L=Palo Alto, O=Facebook, Inc., CN=chat.facebook.com
(empathy-auth-client:9262): empathy-DEBUG: perform_verification: Certificate verification gave result 0 with reason 6
(empathy-auth-client:9262): empathy-DEBUG: abort_verification: Verification error 6, aborting...
(empathy-auth-client:9262): empathy-DEBUG: verifier_verify_cb: Error: TLS verification failed with reason 6
(empathy-auth-client:9262): empathy-DEBUG: tls_dialog_response_cb: Response -8
Also, when trying to save the exception with 2.34 (GNOME 2) we get:

(empathy-auth-client:9801): empathy-DEBUG: empathy_tls_certificate_store_ca: Can't import the CA, as it's not self-signed

So this error pops up each time we connect; pretty annoying.
I don't think empathy 2.34 uses gnome-keyring to verify its certificates (only to display them). Furthermore, empathy 2.34 can't save anything but self-signed certificates.
It seems to me that this is correct behavior. chat.facebook.com is only sending one certificate. This can be verified using this wocky-dump-certificates tool: https://bugs.freedesktop.org/show_bug.cgi?id=36207

chat.facebook.com has the following:

Subject: C=US,ST=California,L=Palo Alto,O=Facebook\, Inc.,CN=chat.facebook.com
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3

'DigiCert High Assurance CA-3' is an intermediate CA and is not in the standard mozilla or openssl distributions. You can get this intermediate CA by connecting to https://www.facebook.com; it looks like:

Subject: C=US,O=DigiCert Inc,OU=DigiCert Inc,CN=DigiCert High Assurance CA-3
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA

The 'DigiCert High Assurance EV Root CA' is the root CA and is in the CA certificate bundles of mozilla and debian etc...

With X.509 authentication the endpoint certificate and all intermediates must be sent by the caller. We have provisions in libgcr to look up intermediates locally if they don't get sent, but since this intermediate is not installed, it doesn't help.
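The failure mode described in the comment above (a server presenting only its leaf certificate, whose issuer is an intermediate CA that the client does not have locally) can be reproduced offline with Go's standard crypto/x509 package. The following is an added example, not Empathy, libgcr or wocky code: it builds a constructed three-level PKI (root, intermediate, leaf), puts only the root in the trust store, and verifies the leaf twice, once as the server actually sent it (leaf only, which fails with an unknown-authority error, the analogue of the "chain length 1 status incomplete" debug line) and once with the intermediate included, which succeeds. All names, keys and certificates are generated in the program and are assumptions, not the real DigiCert or Facebook certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed PKI for the demonstration; nothing here is a real CA.
type testChain struct {
	root, intermediate, leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs template with parentKey under parent and parses the result.
func mustCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildChain creates root -> intermediate -> leaf, mirroring the shape of the
// chain in the bug report (root CA, intermediate CA, chat server certificate).
func buildChain() testChain {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:    notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed

	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Intermediate CA (constructed)"},
		NotBefore:    notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	intermediate := mustCert(intTmpl, root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "chat.example.test"},
		DNSNames:     []string{"chat.example.test"},
		NotBefore:    notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, intermediate, &leafKey.PublicKey, intKey)
	return testChain{root, intermediate, leaf}
}

// VerifyPresented does what a TLS client does: the first presented certificate
// is the endpoint, any further ones are intermediates supplied by the server,
// and only the local root store is trusted.
func VerifyPresented(roots *x509.CertPool, presented []*x509.Certificate, host string) error {
	if len(presented) == 0 {
		return errors.New("server presented no certificate")
	}
	intermediates := x509.NewCertPool()
	for _, c := range presented[1:] {
		intermediates.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether verification failed because no path to a
// trusted root could be built, the error class a missing intermediate produces.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo returns the verification errors for the leaf-only chain (as the broken
// server sent it) and for the complete chain (leaf plus intermediate).
func Demo() (leafOnlyErr, fullChainErr error) {
	c := buildChain()
	roots := x509.NewCertPool()
	roots.AddCert(c.root) // only the root is installed locally, as in the bug
	host := "chat.example.test"
	leafOnlyErr = VerifyPresented(roots, []*x509.Certificate{c.leaf}, host)
	fullChainErr = VerifyPresented(roots, []*x509.Certificate{c.leaf, c.intermediate}, host)
	return leafOnlyErr, fullChainErr
}

func main() {
	leafOnly, full := Demo()
	fmt.Println("leaf only:       ", leafOnly)
	fmt.Println("leaf+intermediate:", full)
}
```

The leaf-only case fails even though the root is trusted, because the client cannot link the leaf's issuer to that root without the intermediate; the fix on the server side is exactly what the final comment reports, sending the intermediate along with the endpoint certificate.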
chat.facebook.com has fixed its certificate and is sending the intermediate CA now.