These CA certificates were copied from debian ca-certificates, which uses
certificates from Mozilla's trust store.
spi CA certificate has be removed, no server in xmpp.net list uses this
CA certificate.
https://xmpp.net/directory.php
I have removed these CA certificates with 1024-bit RSA public keys,
because Mozilla is planning to remove them in Q1 2014 :
Digital_Signature_Trust_Co._Global_CA_1.crt
Digital_Signature_Trust_Co._Global_CA_3.crt
Entrust.net_Secure_Server_CA.crt
Equifax_Secure_CA.crt
Equifax_Secure_eBusiness_CA_1.crt
Equifax_Secure_Global_eBusiness_CA.crt
GTE_CyberTrust_Global_Root.crt
NetLock_Business_=Class_B=_Root.crt
NetLock_Express_=Class_C=_Root.crt
RSA_Root_Certificate_1.crt
Thawte_Premium_Server_CA.crt
Thawte_Server_CA.crt
ValiCert_Class_1_VA.crt
ValiCert_Class_2_VA.crt
Verisign_Class_1_Public_Primary_Certification_Authority.crt
Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_3_Public_Primary_Certification_Authority.crt
Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
See:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/https://wiki.mozilla.org/CA:MD5and1024
I'm also removing TurkTrust CA certificates because of this security
incident:
https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/
TURKTRUST_Certificate_Services_Provider_Root_1.crt
TURKTRUST_Certificate_Services_Provider_Root_2007.crt
TURKTRUST_Certificate_Services_Provider_Root_2.crt
other/cacert.pem is used only on Windows. On Unix platforms
use CA certificates installed in /etc/ssl/certs
(python-nbxmpp loads CA certificates from /etc/ssl/certs directory)
Fixes#7629
- Add support for fingerprints to servers.xml parser.
- Add support for 'hidden' servers to servers.xml parser.
- Add some fingerprints to servers.xml, for testing and as example for the new format.
- Force asynchronous (nonblocking) SSL handshake in all case
- Add logging to c/connection.py
Known issues:
- Checking of fingerprints doesn't work on in-band SSL (Typically port 5222) because of stuff happening out of sequence. Workaround: use immediate SSL mode ("Legacy SSL" option in server config). Because there is as of yet no other way to /force/ SSL, this is also the most secure setting.
- A lot of code is still looking for a better place to live.
- In verbose mode, print encodings. (Especially for Windows users who don't have Python) (gajim.py)
- Attempt at fixing traceback when getting user's home directory in Windows. See #2812. (c/configpaths.py)
- Show 'error' icon next to account while waiting for reconnect. Fixes#2786. (c/connection_handlers.py, c/gajim.py, c/connection.py)
[PyOpenSSL]
- Fix 100% CPU usage and hanging connection when server closes connection on us. (c/x/transports_nb.py)
- Fix 'hanging' connection when server closes the connection on us before we can open the XML stream. (Disconnect handler didn't get called.) (c/x/client_nb.py)
- Change prints to logger calls, various enhancements to debug printing, reduce spam (c/x/transports_nb.py)
- this → self (c/x/transports_nb.py)
- Call _do_receive() once to collect error message from socket, when error flag is raised in scheduler. (c/x/transports_nb.py)
