FS#38723 - [gajim] GlobalSign CA cert expired

Attached to Project: Arch Linux
Opened by chris (jugg) - Thursday, 30 January 2014, 04:32 GMT
Last edited by Eric Belanger (Snowman) - Sunday, 23 February 2014, 05:35 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Eric Belanger (Snowman)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Gajim uses its own set of CA certs located at /usr/share/gajim/data/other/cacerts.pem.

The certificate it has for GlobalSign expired on Jan 28 12:00:00 2014 GMT having serial number ‎02 00 00 00 00 00 d6 78 b7 94 05

See https://2014.globalsign.com/ for the certificate information.

Gajim's cacerts.pem need to be updated with a more recent GlobalSign root certificate.

Additional info:

Gajim 0.15.4-1

Steps to reproduce:

Sign into a server using an SSL certificate signed by GlobalSign, and if warnings are enabled, you will be warned.

or

$ openssl verify -CAfile /usr/share/gajim/data/other/cacerts.pem domain.crt
domain.crt: C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
error 10 at 1 depth lookup:certificate has expired
This task depends upon

Closed by  Eric Belanger (Snowman)
Sunday, 23 February 2014, 05:35 GMT
Reason for closing:  Fixed
Additional comments about closing:  certificates have been removed in gajim-0.15.4-2
Comment by chris (jugg) - Thursday, 30 January 2014, 06:20 GMT
Looks like the larger issue of using a custom ca cert store is being addressed upstream - https://trac.gajim.org/ticket/7629
Comment by chris (jugg) - Thursday, 30 January 2014, 06:25 GMT
In the mean time, I've just deleted the file /usr/share/gajim/data/other/cacerts.pem from my system, which apparently causes gajim to then use the system ca certs. I'm now able to connect to my server without any further SSL warnings.

So, it would seem an appropriate patch for archlinux is to remove that file.

Loading...