threema-ch / threema-msgapi-sdk-python

Threema Gateway Message SDK for Python
https://gateway.threema.ch
MIT License

Update fingerprint #23

Closed (lgrahl closed this issue 7 years ago)

lgrahl commented 7 years ago

Dear Threema Gateway User

For more “Swissness”, and to increase the level of trust (Organization Validation), we are switching our server certificates to SwissSign. On 01.12.2016 at 10:00 CET, the certificate for the web host https://msgapi.threema.ch (which you use for communicating with Threema Gateway) will be changed.

If the HTTPS client that you employ for communication with Threema Gateway uses one of the common CA lists (e.g. Mozilla CA store/NSS) or does not verify server certificates, then you don't need to do anything. The root certificate of SwissSign is already contained in common CA lists. If you have included our old certificate (GeoTrust RapidSSL) manually, you need to make the root certificate of SwissSign Gold G2 available to your HTTPS client.

The root certificate of SwissSign Gold G2 can be found here: https://swisssign.net/cgi-bin/authority/download?ca=Gold%20G2 (other formats see: https://swisssign.net/cgi-bin/trust/import).

If you have any questions concerning this certificate change, contact us at support-gateway-service@threema.ch.

Best regards, Threema Gateway

rugk commented 7 years ago

So you've got the issue of "certificate pinning" here (https://github.com/lgrahl/threema-msgapi-sdk-python/issues/17). Only pinning the hash (of the leaf cert, as Threema does it) prevents any change from being needed in a CA switch.

lgrahl commented 7 years ago

Well, I'm aware of that but I just cannot clone myself. :wink:

rugk commented 7 years ago

Yeah, I am just saying…
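The two client-side options discussed in this thread (trusting the SwissSign Gold G2 root via a CA file or the platform store, versus pinning the SHA-256 fingerprint of the leaf certificate) as an added, stand-alone Python example. This is illustration code written for this page, not code from threema-msgapi-sdk-python; it uses only the standard library. The host name `msgapi.threema.ch` is from the announcement above; the function names, the `FAKE_LEAF_DER` byte string and the pin values are constructed for the demo and are not real certificate data.

```python
"""Surviving a gateway certificate / CA switch on the client side.

Added illustration for this issue thread; not part of the
threema-msgapi-sdk-python code base. Standard library only.
"""
import hashlib
import socket
import ssl

GATEWAY_HOST = "msgapi.threema.ch"  # host named in the announcement

# Constructed stand-in for a DER-encoded leaf certificate, so the
# pin-check logic can be exercised offline. Not a real certificate.
FAKE_LEAF_DER = b"constructed-demo-bytes-not-a-real-certificate"


def make_context(cafile=None):
    """Build a verifying TLS context for the gateway.

    cafile=None -> trust the platform/OpenSSL CA store, which already
                   carries the SwissSign Gold G2 root (option 1).
    cafile=path -> trust *only* the PEM certificate(s) in that file, e.g.
                   a manually downloaded SwissSign Gold G2 root (option 2).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def normalize_pin(pin):
    """Accept 'ab12...' or 'AB:12:...' (as openssl prints) -> lowercase hex."""
    return pin.replace(":", "").strip().lower()


def leaf_fingerprint(der):
    """SHA-256 over the DER encoding of the leaf certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def check_pins(der, pins):
    """True if the leaf certificate matches any accepted fingerprint.

    Holding the old *and* the new fingerprint in the set before a cut-over
    date is what lets a pinned client ride through a certificate or CA
    change without an emergency release; drop the old pin afterwards.
    """
    accepted = {normalize_pin(p) for p in pins}
    return leaf_fingerprint(der) in accepted


def fetch_leaf_der(host=GATEWAY_HOST, port=443, cafile=None, timeout=10):
    """Complete a verified TLS handshake and return the peer's leaf cert (DER).

    Chain validation against the CA store happens inside wrap_socket();
    a bad chain raises ssl.SSLCertVerificationError before we get a cert.
    """
    ctx = make_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_gateway(pins, host=GATEWAY_HOST, cafile=None):
    """CA-store chain validation plus a fingerprint pin on the leaf."""
    der = fetch_leaf_der(host, cafile=cafile)
    if not check_pins(der, pins):
        raise ssl.SSLError(
            "pin mismatch for %s: got %s" % (host, leaf_fingerprint(der)))
    return der


if __name__ == "__main__":
    # Offline demo of the pin set during a rotation window: the stand-in
    # "old" leaf is accepted while both pins are listed, rejected once the
    # old pin has been retired.
    old_pin = leaf_fingerprint(FAKE_LEAF_DER)
    new_pin = "00" * 32  # placeholder for the post-switch fingerprint
    print("during rotation:", check_pins(FAKE_LEAF_DER, {old_pin, new_pin}))
    print("after retiring old pin:", check_pins(FAKE_LEAF_DER, {new_pin}))
```

To populate the pin set, run `leaf_fingerprint(fetch_leaf_der())` against the live host once the new certificate is deployed (or compare with `openssl x509 -fingerprint -sha256` on the certificate the operator publishes), add it alongside the current pin, and remove the old one after the switch date. Pinning the leaf fingerprint alone, as the SDK did, forces a client update on every certificate change; combining CA validation with a multi-entry pin set is what avoids the scramble this issue describes.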