[Juser] Maddening with SSL certificates
Peter Saint-Andre
stpeter at jabber.org
Tue May 1 12:57:30 CDT 2007
Jonathan Siegle wrote:

> I don't believe that we are supposed to send the root certificate which
> I see in the chain when I do
> $ openssl s_client -connect jabber.org:5223

Hmm. My understanding is this:

1. The server should present the entire trust chain. That is, present
   the domain cert, the intermediate cert, and the root cert.

2. The client should install the root cert only, since it can get the
   trust chain from the server.

I think the problem is that the StartCom root is not in the cert store
used by the Jabber client. For example, maybe the root cert is in the
user's Mozilla cert store since it is bundled with Firefox 2, but the
client uses the OS cert store and the root cert is not bundled there.

It may take a while for the StartCom root to be included in various
OSes, but they're making progress:

http://cert.startcom.org/?app=140

(I don't think they have a special page for OS listings, will poke them
about that.)

Peter
--
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
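
Added example, not part of the original message: a throwaway three-level chain checked with openssl verify against two different client trust stores, to show how the outcome depends on the store the client consults and on which certs the server sends. All subjects and file names are constructed for the demo, and the leaf-only case goes slightly beyond what the thread discusses.

```sh
#!/bin/sh
# Added example: every name, subject and file below is constructed for the demo.

new_key_csr() {   # $1 = file prefix, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Fill directory $1 with root -> intermediate -> leaf, plus an unrelated "other" root.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for ca in root other; do
        new_key_csr "$d/$ca" "Demo $ca CA" &&
        openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 2 \
            -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    new_key_csr "$d/inter" "Demo Intermediate CA" &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
    new_key_csr "$d/leaf" "xmpp.example.test" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/inter.pem" "$d/root.pem" > "$d/full_chain.pem"
}

# Client-side decision. $1 = trust store file (passed as -CAfile), $2 = leaf,
# $3 = extra certs the server sent (may be empty). Server-sent certs go in as
# -untrusted: they help build the path but never act as the trust anchor.
client_accepts() {
    openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>/dev/null | grep -q ': OK$'
}

report() {        # $1 = label, $2 = store, $3 = server-sent certs
    if client_accepts "$2" "$work/leaf.pem" "$3"; then r=accepted; else r=rejected; fi
    echo "$1: $r"
}

work=$(mktemp -d) && make_chain "$work" || exit 1
trap 'rm -rf "$work"' EXIT
report "root in store, server sends intermediate"        "$work/root.pem"  "$work/inter.pem"
report "root in store, server sends intermediate + root" "$work/root.pem"  "$work/full_chain.pem"
report "root in store, server sends leaf only"           "$work/root.pem"  ""
report "root not in store, server sends full chain"      "$work/other.pem" "$work/full_chain.pem"
```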