Bug 647635 - Empathy rejects Facebook's certificate
Status: RESOLVED NOTGNOME
Product: empathy
Classification: Core
Component: Auth client
Version: unspecified
OS: Other Linux
Priority: High
Severity: critical
Target Milestone: ---
Assigned To: empathy-maint
Depends on:
Blocks:
Reported: 2011-04-13 09:15 UTC by Guillaume Desmottes
Modified: 2011-04-21 07:12 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Guillaume Desmottes 2011-04-13 09:15:06 UTC
Empathy always claims the certificate is invalid when connecting to FB.

(empathy-auth-client:9262): empathy-DEBUG: auth_factory_new_tls_handler_cb: New TLS server handler received from the factory
(empathy-auth-client:9262): empathy-DEBUG: empathy_tls_verifier_verify_async: Starting verification
(empathy-auth-client:9262): empathy-DEBUG: empathy_server_tls_handler_finalize: 0x15f8850
(empathy-auth-client:9262): empathy-DEBUG: perform_verification: Performing verification
(empathy-auth-client:9262): empathy-DEBUG: debug_certificate_chain: Certificate chain: length 1 status incomplete
(empathy-auth-client:9262): empathy-DEBUG: debug_certificate: Certificate: C=US, ST=California, L=Palo Alto, O=Facebook, Inc., CN=chat.facebook.com
(empathy-auth-client:9262): empathy-DEBUG: perform_verification: Certificate verification gave result 0 with reason 6
(empathy-auth-client:9262): empathy-DEBUG: abort_verification: Verification error 6, aborting...
(empathy-auth-client:9262): empathy-DEBUG: verifier_verify_cb: Error: TLS verification failed with reason 6
(empathy-auth-client:9262): empathy-DEBUG: tls_dialog_response_cb: Response -8
Comment 1 Guillaume Desmottes 2011-04-13 09:30:38 UTC
Also, when trying to save the exception with 2.34 (GNOME 2) we get:

(empathy-auth-client:9801): empathy-DEBUG: empathy_tls_certificate_store_ca: Can't import the CA, as it's not self-signed

So this error pops up each time we connect; pretty annoying.
Comment 2 Stef Walter 2011-04-13 09:33:34 UTC
I don't think empathy 2.34 uses gnome-keyring to verify its certificates (only to display them). Furthermore, empathy 2.34 can't save anything but self-signed certificates.
Comment 3 Stef Walter 2011-04-13 14:29:20 UTC
It seems to me that this is correct behavior. chat.facebook.com is only sending one certificate. This can be verified using this wocky-dump-certificates tool:

https://bugs.freedesktop.org/show_bug.cgi?id=36207

chat.facebook.com has the following:

  Subject: C=US,ST=California,L=Palo Alto,O=Facebook\, Inc.,CN=chat.facebook.com
  Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3

'DigiCert High Assurance CA-3' is an intermediate CA that is not in the standard mozilla or openssl distributions. You can get this intermediate CA by connecting to https://www.facebook.com; it looks like:

  Subject: C=US,O=DigiCert Inc,OU=DigiCert Inc,CN=DigiCert High Assurance CA-3
  Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA

The 'DigiCert High Assurance EV Root CA' is the root CA and is in the CA certificate bundles of mozilla and debian etc...

With X.509 authentication the endpoint certificate and all intermediates must be sent by the caller. We have provisions in libgcr to look up intermediates locally if they don't get sent, but since this intermediate is not installed, it doesn't help.
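As an added illustration of the chain-building rule in comment 3 (this is not code from Empathy, libgcr or wocky): a small Python model that resolves each issuer first from the certificates the server sent, then from a local intermediate store, then from the trust anchors, fed with Subject/Issuer pairs in the format wocky-dump-certificates prints. The DNs are constructed after the ones quoted above, the function names are hypothetical, and matching is by name only, so it stands in for the signature, validity and name-constraint checks a real verifier also performs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str  # distinguished name, as printed by wocky-dump-certificates
    issuer: str

def parse_dump(text):
    """Parse 'Subject:' / 'Issuer:' line pairs (wocky-dump-certificates style) into Certs."""
    certs, subject = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Subject:"):
            subject = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and subject is not None:
            certs.append(Cert(subject, line.split(":", 1)[1].strip()))
            subject = None
    return certs

def build_chain(presented, local_intermediates, trusted_roots):
    """Walk from the endpoint cert toward a trust anchor; returns (status, chain).
    Issuers are resolved from the certs the server sent, then the local intermediate
    store (the libgcr fallback from comment 3), then the roots. Name matching only."""
    index = lambda certs: {c.subject: c for c in certs}
    sent, local, roots = index(presented), index(local_intermediates), index(trusted_roots)
    chain, seen = [presented[0]], {presented[0].subject}
    while True:
        issuer = chain[-1].issuer
        if issuer in roots:
            return "complete", chain + [roots[issuer]]
        nxt = sent.get(issuer) or local.get(issuer)
        if nxt is None or nxt.subject in seen:  # missing link, or untrusted self-signed / loop
            return "incomplete", chain
        seen.add(nxt.subject)
        chain.append(nxt)

# Constructed sample names modelled on the DNs quoted in comment 3 (not real certificates).
CA3 = "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3"
EV_ROOT = "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA"
LEAF_DUMP = ("  Subject: C=US,ST=California,L=Palo Alto,O=Facebook\\, Inc.,CN=chat.facebook.com\n"
             f"  Issuer: {CA3}\n")
INTERMEDIATE, ROOT = Cert(CA3, EV_ROOT), Cert(EV_ROOT, EV_ROOT)

def scenarios():
    """The three situations discussed in the bug, as {name: (status, chain)}."""
    leaf = parse_dump(LEAF_DUMP)
    return {
        "as_reported": build_chain(leaf, [], [ROOT]),  # leaf only, CA-3 not installed locally
        "local_intermediate": build_chain(leaf, [INTERMEDIATE], [ROOT]),  # libgcr finds CA-3
        "after_fix": build_chain(leaf + [INTERMEDIATE], [], [ROOT]),  # server now sends CA-3
    }
```

The "as_reported" case reproduces the "length 1 status incomplete" line from the debug log; the other two show why installing the intermediate locally, or the server sending it, makes the same leaf verify.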
Comment 4 Stef Walter 2011-04-21 07:12:43 UTC
chat.facebook.com has fixed their certificate and is sending the intermediate CA now.