[Juser] Maddening with SSL certificates

Peter Saint-Andre stpeter at jabber.org
Tue May 1 12:57:30 CDT 2007


Jonathan Siegle wrote:

> I don't believe that we are supposed to send the root certificate which 
> I see in the chain when I do
> $ openssl s_client -connect jabber.org:5223

Hmm. My understanding is this:

1. The server should present the entire trust chain. That is, present 
the domain cert, the intermediate cert, and the root cert.

2. The client should install the root cert only, since it can get the 
trust chain from the server.

I think the problem is that the StartCom root is not in the cert store 
used by the Jabber client. For example, maybe the root cert is in the 
user's Mozilla cert store since it is bundled with Firefox 2, but the 
client uses the OS cert store and the root cert is not bundled there.

It may take a while for the StartCom root to be included in various 
OSes, but they're making progress:

http://cert.startcom.org/?app=140

(I don't think they have a special page for OS listings, will poke them 
about that.)

Peter

-- 
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
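
Added example, not part of the original message: a small Python parser for the "Certificate chain" section printed by `openssl s_client`, reporting whether the server sent a self-signed root and which issuer the client needs in its own cert store. The sample output and all names in it are constructed placeholders, and the check compares subject/issuer names only; it does not verify signatures.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -connect host:port`; all names are placeholders.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=xmpp.example.org
   i:/O=Example CA/CN=Example Intermediate CA
 1 s:/O=Example CA/CN=Example Intermediate CA
   i:/O=Example CA/CN=Example Root CA
 2 s:/O=Example CA/CN=Example Root CA
   i:/O=Example CA/CN=Example Root CA
---
Server certificate
"""

# One chain entry: "<depth> s:<subject>" followed by an indented "i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.MULTILINE)

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client output."""
    section = text.split("Certificate chain", 1)[1].split("---", 1)[0]
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(section)]

def analyse(chain):
    """Check issuer/subject name linkage and name the root the client must trust."""
    # A cert's issuer should equal the subject of the next cert the server sent.
    broken = [d for (d, _, iss), (_, subj, _) in zip(chain, chain[1:]) if iss != subj]
    _, last_subject, last_issuer = chain[-1]
    return {
        "links_ok": not broken,
        "broken_at": broken,
        "root_sent": last_subject == last_issuer,  # self-signed cert ends the chain
        "needed_in_client_store": last_issuer,     # trust anchor in either case
    }

if __name__ == "__main__":
    for key, value in analyse(parse_chain(SAMPLE)).items():
        print(f"{key}: {value}")
```

Whether or not the root is sent, `needed_in_client_store` names the certificate that has to be present in the store the client actually uses.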
