[Operators] IM Observatory: Not recognising DigiCert root certificate

Thijs Alkemade thijs at xnyhps.nl
Thu Oct 31 09:37:05 UTC 2013


On 31 okt. 2013, at 02:44, Robert Norris <robn at fastmail.fm> wrote:

> Just learned about the IM Observatory, cute idea. Of course I ran our
> server through it:
> 
>  http://xmpp.net/result.php?domain=fastmail.fm&type=client
> 
> It has some good advice, which I'm now working through.
> 
> I think the "Intermediate certificate was not included in the chain"
> error might be bogus though. It's choking on the apparent lack of the
> "DigiCert High Assurance EV Root CA" cert, however this is a cert
> normally included and trusted by browsers and clients alike.
> 
> Consider:
> 
>  http://www.digicert.com/help/?host=chat.messagingengine.com%3A5223
> 
> No errors. Which I'd expect, considering the same keychain is used on
> all of our services.
> 
> So is the tester subtly broken, or am I subtly misconfigured?
> 
> Cheers,
> Rob N
> FastMail.

Hm, I see what’s going wrong.

DigiCert has two different certificates:

https://xmpp.net/pem.php?sha256=583f7a68139b0656a2419eeb5a2caefd4e5cc8146ebeb2194e3a6604133f6d7a
https://xmpp.net/pem.php?sha256=7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf

Both have the same public key and CA constraint set to TRUE. The only (major)
difference is that the first one is signed by "Entrust.net Secure Server
Certification Authority" and the second one is self-signed. The second one is
part of the root certificates of Debian.

xmppoke tries to manually reconstruct the trust chain, because there are
things you cannot get OpenSSL to do easily (such as warning for missing
intermediate certs, showing the root that was used). This checking didn't work
perfectly, for example it assumed every certificate is signed by exactly one
other certificate, which is clearly false in this case. I've updated the code
to look for a trusted root with the same public key as the issuer first, so
the error is now gone.

The error didn't influence the trust, by the way. You still get an F because
your certificate is not valid for fastmail.fm.

Regards,
Thijs
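An added illustration of the chain-reconstruction fix described in the reply above (example code, not xmppoke's own code): certificates are modelled as constructed records, the key tags stand in for SPKI hashes, "Example Intermediate CA" and chat.example.com are hypothetical names, and the trust store is assumed to contain the self-signed DigiCert root but not the Entrust root.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal model of an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    spki: str         # tag standing in for the hash of this cert's public key
    issuer_spki: str  # tag for the key that produced the signature

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.spki == self.issuer_spki

def build_chain(leaf, sent, trusted, prefer_trusted_root=True):
    """Walk from leaf to a trusted root; returns (chain, error_or_None).

    Issuers are matched by public key, not by certificate, because one CA key
    can live in several certificates (a self-signed root and a cross-signed
    copy). prefer_trusted_root=False reproduces the old behaviour that assumed
    exactly one signer and followed the server-sent cross-signed copy first.
    """
    chain, cur = [leaf], leaf
    while not cur.self_signed:
        root = next((c for c in trusted if c.self_signed and c.spki == cur.issuer_spki), None)
        sent_match = next((c for c in sent if c.spki == cur.issuer_spki and c not in chain), None)
        nxt = (root or sent_match) if prefer_trusted_root else (sent_match or root)
        if nxt is None:
            return chain, "Intermediate certificate was not included in the chain"
        chain.append(nxt)
        cur = nxt
    return chain, None if cur in trusted else "chain ends in an untrusted self-signed certificate"

# Constructed sample mirroring the report: the server sends the cross-signed
# DigiCert root, while the trust store holds only the self-signed copy.
DIGICERT = "DigiCert High Assurance EV Root CA"
ENTRUST = "Entrust.net Secure Server Certification Authority"
ROOT_SELF = Cert(DIGICERT, DIGICERT, "k-digicert", "k-digicert")
ROOT_CROSS = Cert(DIGICERT, ENTRUST, "k-digicert", "k-entrust")  # same key, Entrust-signed
INTERMEDIATE = Cert("Example Intermediate CA", DIGICERT, "k-inter", "k-digicert")  # hypothetical
LEAF = Cert("chat.example.com", "Example Intermediate CA", "k-leaf", "k-inter")    # hypothetical
SENT = [LEAF, INTERMEDIATE, ROOT_CROSS]
TRUSTED = [ROOT_SELF]  # no Entrust root available

def check(prefer_trusted_root: bool):
    """Return (chain length, last cert is self-signed, error) for the sample."""
    chain, err = build_chain(LEAF, SENT, TRUSTED, prefer_trusted_root)
    return len(chain), chain[-1].self_signed, err
```

With the old behaviour the walk follows the cross-signed copy and then cannot find its Entrust issuer, which is exactly the spurious "intermediate not included" report; preferring a trusted root with the issuer's public key ends the chain at the Debian-trusted self-signed certificate.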