
Issues with TLS for chat.signal.org #541

Closed
dontcrash opened this issue Nov 9, 2023 · 3 comments

Comments

dontcrash commented Nov 9, 2023

Unsure of the best place for this: after inspecting traffic coming from my iOS device through my Sophos firewall, I saw that it was dropping connections for Signal, specifically because the cert used for chat.signal.org does not have a common name and the issuer is not trusted.
Can someone shed some light on this?

Here is the cert I captured:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Subject (issued to)
  Common Name (CN): (none)
  Organisation (O): (none)
  Organisational Unit (OU): (none)
Issuer (issued by)
  Common Name (CN): Signal Messenger
  Organisation (O): Signal Messenger, LLC
  Organisational Unit (OU): (none)
Issued On: Saturday, 28 October 2023 at 02:01:25
Expires On: Wednesday, 27 November 2024 at 07:50:10
SHA-256 fingerprints
  Certificate: 15464570bd75fcf948126c5849b96c8002597919a16af2e0d1d2760ec4bd31e1
  Public key: 82152d577d994e6fa698903e3923ef661376eecfd7195b8e042d46feab5522d8

jrose-signal (Contributor) commented Nov 9, 2023

This would probably be better for https://support.signal.org, but Signal uses a pinned certificate for connections to chat.signal.org and other Signal servers, so that organizations who are not Signal can't issue valid certificates for those connections. The pinned certificate is a custom root certificate, so it won't look valid to your firewall.

You can see the certificates we're validating against in each of the apps, e.g. https://github.com/signalapp/Signal-iOS-Private/blob/main/SignalServiceKit/Resources/Certificates/signal-messenger.cer. I won't go as far as to say you should add this to your firewall as an exception, but it's an option.

jrose-signal closed this as not planned Nov 9, 2023
jrose-signal (Contributor) commented

I completely forgot we have a blog post that explains this much better than I can :-) https://signal.org/blog/certifiably-fine/

dontcrash (Author) commented

> I completely forgot we have a blog post that explains this much better than I can :-) https://signal.org/blog/certifiably-fine/

Excellent write-up! Thank you very much.
