Closed dontcrash closed 1 year ago
This would probably be better for https://support.signal.org, but Signal uses a pinned certificate for connections to chat.signal.org and other Signal servers, so that organizations who are not Signal can't issue valid certificates for those connections. The pinned certificate is a custom root certificate, so it won't look valid to your firewall.
You can see the certificates we're validating against in each of the apps, e.g. https://github.com/signalapp/Signal-iOS-Private/blob/main/SignalServiceKit/Resources/Certificates/signal-messenger.cer. I won't go as far as to say you should add this to your firewall as an exception, but it's an option.
I completely forgot we have a blog post that explains this much better than I can :-) https://signal.org/blog/certifiably-fine/
Excellent write-up! Thank you very much.
Unsure of the best place for this, but after inspecting traffic coming from my iOS device through my Sophos firewall, I found it was dropping connections for Signal, specifically because the cert used for chat.signal.org does not have a common name and the issuer is not trusted. Can someone shed some light on this?
Here is the cert I captured:
Common Name (CN)
Organisation (O)
Organisational Unit (OU)
Common Name (CN) Signal Messenger
Organisation (O) Signal Messenger, LLC
Organisational Unit (OU)
Issued On Saturday, 28 October 2023 at 02:01:25
Expires On Wednesday, 27 November 2024 at 07:50:10
Certificate 15464570bd75fcf948126c5849b96c8002597919a16af2e0d1d2760ec4bd31e1
Public key 82152d577d994e6fa698903e3923ef661376eecfd7195b8e042d46feab5522d8
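
The behaviour discussed in this thread, reproduced locally as an added example (not part of the issue and not Signal's code): a client that pins a private root accepts the service's certificate and rejects one issued by any other CA, while a validator using a different trust store rejects the service's certificate. All names, keys and certificates below are constructed placeholders, and the script assumes the `openssl` command-line tool (1.1.0 or later) is installed.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is generated locally as a
# placeholder. None of them is Signal's real root or leaf certificate.

make_root() {  # $1 = dir, $2 = file stem, $3 = organisation name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=$3/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

make_leaf() {  # $1 = dir, $2 = issuing root's stem, $3 = leaf file stem
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example Chat Service" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2.pem" \
    -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" 2>/dev/null
}

# Succeeds only if leaf $2 chains to root $1; -no-CApath keeps the
# system certificate directory out of the decision.
chains_to() {
  openssl verify -CAfile "$1" -no-CApath "$2" >/dev/null 2>&1
}

verdict() { if chains_to "$1" "$2"; then echo accept; else echo reject; fi; }

demo() {
  d=$(mktemp -d) || return 1
  make_root "$d" pinned "Example Pinned Root"   # the root shipped inside the app
  make_root "$d" public "Example Public CA"     # stands in for the firewall's trust store
  make_leaf "$d" pinned service                 # what the real server presents
  make_leaf "$d" public reissued                # same subject, issued by another CA
  echo "app/service=$(verdict "$d/pinned.pem" "$d/service.pem")" \
       "app/reissued=$(verdict "$d/pinned.pem" "$d/reissued.pem")" \
       "firewall/service=$(verdict "$d/public.pem" "$d/service.pem")"
  rm -rf "$d"
}

demo
```

The `firewall/service=reject` result corresponds to the dropped connection reported in the issue; `app/reissued=reject` is the property pinning is meant to provide.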