matrix-org / matrix-bifrost

General purpose bridging with a variety of backends including libpurple and xmpp.js
Apache License 2.0

purple-hangouts doesn't seem to get expected certs from nss #16

Open Half-Shot opened 5 years ago

Half-Shot commented 5 years ago

My suspicion is again that the event handling is not supplying the nss code with an intact certificate, probably needs shoving through a debugger.

Expected (from pidgin):

(23:19:53) dnsquery: Performing DNS lookup for www.googleapis.com
(23:19:53) dns: Got response for 'www.googleapis.com'
(23:19:53) dnsquery: IP resolved for www.googleapis.com
(23:19:53) proxy: Connecting to www.googleapis.com:443 with no proxy
(23:19:53) proxy: Connecting to www.googleapis.com:443.
(23:19:53) proxy: Connected to www.googleapis.com:443.
(23:19:53) nss: subject=CN=*.googleapis.com,O=Google LLC,L=Mountain View,ST=California,C=US issuer=CN=Google Internet Authority G3,O=Google Trust Services,C=US
(23:19:53) certificate/x509/tls_cached: Starting verify for www.googleapis.com
(23:19:53) nss/x509: Loading certificate from /home/will/.purple/certificates/x509/tls_peers/www.googleapis.com
(23:19:53) nss/x509: Exporting certificate to /home/will/.purple/certificates/x509/tls_peers/www.googleapis.com
(23:19:53) util: Writing file /home/will/.purple/certificates/x509/tls_peers/www.googleapis.com
(23:19:53) nss: Trusting CN=*.googleapis.com,O=Google LLC,L=Mountain View,ST=California,C=US
(23:19:53) certificate: Successfully verified certificate for www.googleapis.com

Bridge:

(00:19:33) dnsquery: Performing DNS lookup for www.googleapis.com
(00:19:33) dns: Created new DNS child 13322, there are now 1 children.
(00:19:33) dns: Successfully sent DNS request to child 13322
(00:19:33) dns: Got response for 'www.googleapis.com'
(00:19:33) dnsquery: IP resolved for www.googleapis.com
(00:19:33) proxy: Attempting connection to 172.217.18.10
(00:19:33) proxy: Connecting to www.googleapis.com:443 with no proxy
(00:19:33) proxy: Connection in progress
(00:19:33) proxy: Connecting to www.googleapis.com:443.
(00:19:33) proxy: Connected to www.googleapis.com:443.
(00:19:33) nss: SSL version 3.3 using 128-bit AES-GCM with 128-bit AEAD MAC
Server Auth: 256-bit ECDSA, Key Exchange: 255-bit ECDHE, Compression: NULL
Cipher Suite Name: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(00:19:33) nss: subject=CN=*.googleapis.com,O=Google LLC,L=Mountain View,ST=California,C=US issuer=CN=Google Internet Authority G3,O=Google Trust Services,C=US
(00:19:33) nss: subject=CN=Google Internet Authority G3,O=Google Trust Services,C=US issuer=CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
(00:19:33) nss: partial certificate chain
(00:19:33) certificate/x509/tls_cached: Starting verify for www.googleapis.com
(00:19:33) certificate/x509/tls_cached: Checking for cached cert...
(00:19:33) certificate/x509/tls_cached: ...Not in cache
(00:19:33) certificate/x509/ca: Couldn't open location '/usr/local/share/purple/ca-certs'
(00:19:33) certificate/x509/ca: Lazy init completed.
(00:19:33) nss: CERT 1. CN=Google Internet Authority G3,O=Google Trust Services,C=US [Certificate Authority]:
(00:19:33) nss:   ERROR -8179: SEC_ERROR_UNKNOWN_ISSUER

moghingold commented 5 years ago

Is NSS configured to use the system wide CA certificate store? If not, it may simply be defaulting to distrust all certs. This was a problem for some OpenSSL users in 2016, years after node-purple's original author stopped working on it.

The rabbit hole I went down:

  1. Googling the error, I found an explanation that supports your hypothesis, but which also linked to a related discussion about certificate errors.
  2. That conversation was about OpenSSL, and revealed that on some system configurations it (and, I would speculate, other applications) doesn't come with its own CA certs.
  3. The relevant OpenSSL documentation* specifically refers to NSS, and says that additional steps are needed to configure it to use the system wide store.

* Section titled "Certificate Verification with NSS"
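
A small triage helper for the two debug logs quoted above, added here as an example; it is not code from matrix-bifrost, node-purple or libpurple. It assumes libpurple's debug-line format `(HH:MM:SS) category: message` exactly as it appears in the logs in this issue, and the two sample inputs are excerpts of the pidgin and bridge logs posted above. It pulls out the chain the server sent, whether libpurple could open its own CA-cert directory, and which NSS error (if any) ended verification, so that an `SEC_ERROR_UNKNOWN_ISSUER` that coincides with an unopenable CA directory is flagged separately from other NSS failures.

```python
"""Triage libpurple/NSS debug output for the TLS trust failure discussed above.

Added example (not project code). Parses libpurple debug lines of the form
"(HH:MM:SS) category: message" as quoted in the issue.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^\((\d{2}:\d{2}:\d{2})\) ([\w/]+):\s*(.*)$")
SUBJECT_RE = re.compile(r"subject=(?P<subject>.+?) issuer=(?P<issuer>.+)$")
CA_DIR_RE = re.compile(r"Couldn't open location '(?P<path>[^']+)'")
NSS_ERR_RE = re.compile(r"ERROR (?P<code>-?\d+): (?P<name>(?:SEC|SSL)_ERROR_\w+)")
VERIFIED_RE = re.compile(r"Successfully verified certificate for (?P<host>\S+)")


@dataclass
class TlsTriage:
    chain: List[str] = field(default_factory=list)   # subjects as sent, leaf first
    root_issuer: Optional[str] = None                # issuer of the last cert sent
    partial_chain: bool = False                      # NSS said the chain was incomplete
    missing_ca_dirs: List[str] = field(default_factory=list)
    nss_error: Optional[str] = None
    verified_host: Optional[str] = None

    @property
    def diagnosis(self) -> str:
        if self.verified_host:
            return "ok"
        if self.nss_error == "SEC_ERROR_UNKNOWN_ISSUER" and self.missing_ca_dirs:
            # Unknown issuer while libpurple's own CA directory was unopenable:
            # the trust store to complete the chain was never loaded.
            return "unknown-issuer-no-ca-store"
        if self.nss_error:
            return "nss-error"
        return "inconclusive"


def triage(log_text: str) -> TlsTriage:
    """Walk the debug log and collect the certificate-verification signals."""
    t = TlsTriage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation lines ("Server Auth: ...") carry no category
        category, msg = m.group(2), m.group(3)
        if category == "nss":
            sm = SUBJECT_RE.search(msg)
            if sm:
                t.chain.append(sm.group("subject"))
                t.root_issuer = sm.group("issuer")
            elif msg == "partial certificate chain":
                t.partial_chain = True
            else:
                em = NSS_ERR_RE.search(msg)
                if em:
                    t.nss_error = em.group("name")
        elif category == "certificate/x509/ca":
            cm = CA_DIR_RE.search(msg)
            if cm:
                t.missing_ca_dirs.append(cm.group("path"))
        elif category == "certificate":
            vm = VERIFIED_RE.search(msg)
            if vm:
                t.verified_host = vm.group("host")
    return t


# Excerpts of the two logs quoted in this issue (sample input for the helper).
PIDGIN_LOG = """\
(23:19:53) proxy: Connected to www.googleapis.com:443.
(23:19:53) nss: subject=CN=*.googleapis.com,O=Google LLC,L=Mountain View,ST=California,C=US issuer=CN=Google Internet Authority G3,O=Google Trust Services,C=US
(23:19:53) certificate/x509/tls_cached: Starting verify for www.googleapis.com
(23:19:53) nss: Trusting CN=*.googleapis.com,O=Google LLC,L=Mountain View,ST=California,C=US
(23:19:53) certificate: Successfully verified certificate for www.googleapis.com
"""

BRIDGE_LOG = """\
(00:19:33) proxy: Connected to www.googleapis.com:443.
(00:19:33) nss: SSL version 3.3 using 128-bit AES-GCM with 128-bit AEAD MAC
Server Auth: 256-bit ECDSA, Key Exchange: 255-bit ECDHE, Compression: NULL
Cipher Suite Name: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(00:19:33) nss: subject=CN=*.googleapis.com,O=Google LLC,L=Mountain View,ST=California,C=US issuer=CN=Google Internet Authority G3,O=Google Trust Services,C=US
(00:19:33) nss: subject=CN=Google Internet Authority G3,O=Google Trust Services,C=US issuer=CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
(00:19:33) nss: partial certificate chain
(00:19:33) certificate/x509/tls_cached: Starting verify for www.googleapis.com
(00:19:33) certificate/x509/ca: Couldn't open location '/usr/local/share/purple/ca-certs'
(00:19:33) certificate/x509/ca: Lazy init completed.
(00:19:33) nss: CERT 1. CN=Google Internet Authority G3,O=Google Trust Services,C=US [Certificate Authority]:
(00:19:33) nss:   ERROR -8179: SEC_ERROR_UNKNOWN_ISSUER
"""

if __name__ == "__main__":
    for name, log in (("pidgin", PIDGIN_LOG), ("bridge", BRIDGE_LOG)):
        r = triage(log)
        print(f"{name}: {r.diagnosis}; chain={len(r.chain)} cert(s), "
              f"last issuer={r.root_issuer!r}, missing CA dirs={r.missing_ca_dirs}")
```

Running it against the bridge excerpt reports `unknown-issuer-no-ca-store`, with the GlobalSign Root CA - R2 as the issuer of the last certificate the server sent and `/usr/local/share/purple/ca-certs` as the directory libpurple failed to open; the pidgin excerpt reports `ok`. The helper only classifies what the log says; it does not prove which of the two hypotheses in this thread (certificate mangled in the event handling, or NSS never pointed at a trust store) is the cause.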