agl / xmpp-client

An XMPP client with OTR support
BSD 3-Clause "New" or "Revised" License

CaCert root certificate uses the insecure MD5WithRSA signature algorithm. #109

Closed sycamoreone closed 8 years ago

sycamoreone commented 8 years ago

The CACert root certificate included in xmpp-client uses the MD5WithRSA signature algorithm. This is not only no longer thought to be secure, but is also not supported by Go. Connecting to jabber.ccc.de now gives the following error:

xmpp: failed to verify TLS certificate: x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm MD5-RSA" while trying to verify candidate authority certificate "CA Cert Signing Authority")

(This issue comes originally from Coy: twstrike/coyim/issues/41)

agl commented 8 years ago

The hash algorithm used in the self-signature of a root CA is irrelevant for security. However, it also shouldn't trigger a verification error. Rather, it looks like that error is arising because the CACert authority isn't found.

Also, I can't reproduce an error when connecting to jabber.ccc.de with Go master.
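
The point in the comment above about a root's self-signature, as an added example that is not part of the original thread or of xmpp-client: Go's `crypto/x509` takes a root in the pool as a trust anchor and never evaluates its self-signature, so only the root's public key decides which leaves verify. It goes further than the MD5 case by giving the root an outright invalid self-signature; all names and keys are constructed for the test.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs t under parent with signer and returns the parsed certificate.
func issue(t, parent *x509.Certificate, pub, signer interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newTmpl builds a constructed test template valid for one hour either side of now.
func newTmpl(serial int64, cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
}

// VerifyUnderBadlySignedRoot returns the Verify errors for a leaf signed by the root key and by an unrelated key.
func VerifyUnderBadlySignedRoot() (genuine, forged error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: constructed test keys
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl, leafTmpl := newTmpl(1, "Constructed Test Root", true), newTmpl(2, "leaf", false)
	// The root holds rootPub but is "self-signed" by otherKey, so its self-signature is invalid.
	root := issue(rootTmpl, rootTmpl, rootPub, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, genuine = issue(leafTmpl, root, leafPub, rootKey).Verify(x509.VerifyOptions{Roots: pool})
	_, forged = issue(leafTmpl, rootTmpl, leafPub, otherKey).Verify(x509.VerifyOptions{Roots: pool}) // wrong key
	return genuine, forged
}

func main() {
	fmt.Println(VerifyUnderBadlySignedRoot())
}
```

The first result is nil and the second is an unknown-authority error: the key that produced the root's self-signature gains nothing from having done so.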

agl commented 8 years ago

I think this was caused by a bug in xmpp-client which should be fixed in 525bd26cf5f56ec5aee99464714fd1d019c119ff.