mailing list archives
Gajim fails to handle invalid certificates
From: y33t <y33t () tormail org>
Date: Sun, 11 Nov 2012 04:02:39 +0000
Gajim does not seem to properly handle invalid/broken/expired
certificates. The _ssl_verify_callback function in tls_nb.py is called
by OpenSSL for every certificate in the certificate chain (CA first,
server certificate last) but always return True whether an error was
encountered or not.
This forces OpenSSL to verify each certificate until none is left, at
which points it will call _ssl_verify_callback one last time with an
error number of 0.
(This behavior is documented here: man 3 SSL_CTX_set_verify
"If verify_callback returns 1, the verification process is continued.
If verify_callback always returns 1, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection will
And can be observed in function
crypto/x509/x509_vfy.c:internal_verify() in OpenSSL source code.)
_ssh_verify_callback only stores the last error code, which always is 0
unless an error was encountered in the deepest level of the chain (the
CA), so gajim will not warn as long as the CA is recognized.
This problem goes beyond expired certificates. It is also possible to
edit any existing and valid server certificate by changing the CN
manually. The certificate's signature will be become invalid and OpenSSL
will detect it and return errnum 7 ("Certificate signature failure") but
gajim will not warn and will proceed with the connection anyway...
- Gajim fails to handle invalid certificates y33t (Nov 11)