Bug#758698: security-tracker: Valid, trusted Certificates Fail Validation

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#758698: security-tracker: Valid, trusted Certificates Fail Validation
From: Hans-Peter Carpenter <Hans-Peter.Carpenter@redwood.com>
Date: Wed, 20 Aug 2014 08:20:57 +0000
Message-id: <[🔎] D7E96877647F5242830E2144227BF02FA5C41016@exceu2.rwd.lan>
Reply-to: Hans-Peter Carpenter <Hans-Peter.Carpenter@redwood.com>, 758698@bugs.debian.org

Package: security-tracker
Severity: normal

A number of jabber client programs, like gajim, mcabber, pidgin, psi report a GoDaddy signed certificate as 'Certificate cannot be trusted' or 'Certificate cannot be verified'. This used to work fine, I had no issues previously and I do not really know when it started, some weeks ago gajim started to complain.
In gajim, when I click 'View Cert' I get the following information:

Issued to:
Common Name (CN): jabber.redwood.com
Organization (O): None
Organizationl Unit (OU): Domain Control Validated
Serial Number: 12151355787224957

Issued by:
Common Name (CN): Go Daddy Secure Certificate Authority - G2
Organization (O): GoDaddy.com, Inc.
Organizationl Unit (OU): http://certs.godaddy.com/repository/

Validity:
Issued on: 20140715065303Z
Expires on: 20150715065303Z

Fingerprint
SHA1 Fingerprint: D4:79:32:73:36:15:97:F0:06:7F:22:55:25:C0:16:37:88:E8:68:2B

Now, I do not understand why these programs cannot verify this certificate other than the goDaddy certificates in /usr/share/ca-certificates/mozilla/ for GoDaddy have a different Common Name:

Go Daddy Root Certificate Authority - G2
iso
Go Daddy Secure Certificate Authority - G2

I am not sure what the problem is, here, my browser (Firefox 31.0) accepts this certificate authority. 
Since it is not limited to gajim, I think it is an issue in debian.

Regards,

HP, happy Debian user since 2002

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash






Regards,

HANS CARPENTER

Tech Writer
http://www.redwood.com


























RunMyJobs: Process Automation in the Cloud















This message may contain confidential or legally privileged information. In the event of any error in transmission, unauthorized recipients are requested to contact the sender immediately and do not disclose or make use of this information. No warranties or
 assurances are made or given as to the accuracy of the information given or in relation to the safety of this e-mail and any attachments. No liability whatsoever is accepted for any consequences arising from this e-mail.




If I don't document something, it's usually either for a good reason,
or a bad reason.  In this case it's [certainly for] 
a good reason.  :-)

Larry Wal

Reply to:

Prev by Date: External check
Next by Date: Processed: Re: Bug #758698: security-tracker: Valid, trusted Certificates Fail Validation
Previous by thread: Re: Debian Security Tracker Missing Squeeze-LTS packages
Next by thread: Processed: Re: Bug #758698: security-tracker: Valid, trusted Certificates Fail Validation
Index(es):
- Date
- Thread