#1 2010-06-11 00:44:44

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

[solved] weechat client certificates broken?

Is anybody successfully using weechat to authenticate to OFTC by sending a cert? I'm seeing nonsense behavior when I try.

I'm following the weechat instructions here: http://www.weechat.org/files/doc/stable … rtificates and also looking at OFTC's doc here: http://www.oftc.net/oftc/NickServ/CertFP

Verification via CA works fine (observe the 3rd line down):

20:12:26     oftc     | irc: connecting to server irc.oftc.net/6697 (SSL)...
20:12:26     oftc     | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange
20:12:26     oftc     | gnutls: peer's certificate is trusted
20:12:26     oftc     | gnutls: receiving 4 certificates
20:12:26     oftc     |  - certificate[1] info:
20:12:26     oftc     |    - subject `CN=oxygen.oftc.net', issuer `O=Open and Free Technology Community,OU=certification authority for irc,CN=irc.ca.oftc.net,EMAIL=support@oftc.net', RSA key 2048 bits, signed using RSA-SHA, activated
                      | `2009-08-07 14:31:48 UTC', expires `2010-08-07 14:31:48 UTC', SHA-1 fingerprint `852cb9bbab6ae5c5c3d4a745e255b175006e7314'
20:12:26     oftc     |  - certificate[2] info:
20:12:26     oftc     |    - subject `O=Open and Free Technology Community,OU=certification authority for irc,CN=irc.ca.oftc.net,EMAIL=support@oftc.net', issuer `O=Open and Free Technology Community,OU=Certification
                      | Authority,CN=ca.oftc.net,EMAIL=support@oftc.net', RSA key 2048 bits, signed using RSA-SHA, activated `2008-05-25 00:10:59 UTC', expires `2013-05-24 00:10:59 UTC', SHA-1 fingerprint
                      | `e45b2de35faec3e999209e34f7ce4c05b6adb73c'
20:12:26     oftc     |  - certificate[3] info:
20:12:26     oftc     |    - subject `O=Open and Free Technology Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=support@oftc.net', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
                      | Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmaster@spi-inc.org', RSA key 2048 bits, signed using RSA-SHA, activated `2008-05-24 23:53:25 UTC', expires `2013-05-23 23:53:25 UTC', SHA-1 fingerprint
                      | `27361360dd639f5ee74b07468345516fc0f052f1'
20:12:26     oftc     |  - certificate[4] info:
20:12:26     oftc     |    - subject `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmaster@spi-inc.org', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
                      | Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmaster@spi-inc.org', RSA key 4096 bits, signed using RSA-SHA, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56 UTC', SHA-1 fingerprint
                      | `af70884383820215cd61c6bcecfd3724a990431c'

But then, when weechat tries to use my cert and key to do mutual auth, it fails. Notice that it claims to find a cert with the same subject as OFTC's CA in my client.pem file, which is nonsense:

20:12:26     oftc     | gnutls: sending one certificate
20:12:26     oftc     |  - client certificate info (/home/ataraxia/.weechat/ssl/client.pem):
20:12:26     oftc     |   - subject `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmaster@spi-inc.org', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
                      | Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmaster@spi-inc.org', RSA key 4096 bits, signed using RSA-SHA, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56 UTC', SHA-1 fingerprint
                      | `af70884383820215cd61c6bcecfd3724a990431c'
20:12:26     oftc =!= | irc: TLS handshake failed
20:12:26     oftc =!= | irc: error: Insufficient credentials for that request.

I've double- and triple-checked that the contents of client.pem (MY cert and key, and nothing to do with OFTC or SPI) are correct.

What is going on here? Is weechat really using the wrong creds to authenticate me? (If that's so, at least it explains the "Insufficient credentials" error, as of course I don't have the key for SPI's CA.) Does this work for other people? Google finds no complaints of such a bug.

I'm quite experienced with X509, so you don't need to explain things in baby terms here.

Last edited by ataraxia (2010-08-12 14:18:55)
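The check the first post does by eye, as an added example (not part of the original posts and not weechat code): it pulls the SHA-1 fingerprints out of a weechat log, hashes the certificates in a PEM file, and flags a logged client certificate that equals a server chain certificate or is absent from the file. The function names, the trimmed log lines and the placeholder PEM are constructed for illustration; the fingerprint is the one from the log above.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
FP_RE = re.compile(r"SHA-1 fingerprint\s+`([0-9a-f]{40})'")

# Constructed sample: trimmed log lines in the format shown in the post.
SAMPLE_LOG = """\
20:12:26     oftc     |  - certificate[4] info:
20:12:26     oftc     |    - subject `CN=Certificate Authority', SHA-1 fingerprint
                      | `af70884383820215cd61c6bcecfd3724a990431c'
20:12:26     oftc     | gnutls: sending one certificate
20:12:26     oftc     |  - client certificate info (/home/user/.weechat/ssl/client.pem):
20:12:26     oftc     |   - subject `CN=Certificate Authority', SHA-1 fingerprint
                      | `af70884383820215cd61c6bcecfd3724a990431c'
"""
# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder, not real DER").decode()
              + "\n-----END CERTIFICATE-----\n")

def pem_blocks(pem_text):
    """Return (label, sha1) per PEM block; sha1 is None for non-certificates."""
    blocks = []
    for label, body in PEM_RE.findall(pem_text):
        fp = None
        if label == "CERTIFICATE":  # fingerprint = SHA-1 over the DER bytes
            fp = hashlib.sha1(base64.b64decode("".join(body.split()))).hexdigest()
        blocks.append((label, fp))
    return blocks

def logged_fingerprints(log_text):
    """Return (server_chain, client) fingerprint lists from a weechat log."""
    # Drop the "time  buffer |" prefix so wrapped lines rejoin into one string.
    flat = " ".join(re.sub(r"^[^|]*\|\s*", "", l) for l in log_text.splitlines())
    server, _, client = flat.partition("client certificate info")
    return FP_RE.findall(server), FP_RE.findall(client)

def diagnose(log_text, pem_text):
    """List mismatches between what the log says was sent and the PEM file."""
    server, client = logged_fingerprints(log_text)
    on_disk = {fp for label, fp in pem_blocks(pem_text) if label == "CERTIFICATE"}
    findings = []
    for fp in client:
        if fp in server:
            findings.append(f"{fp}: logged client cert equals a server chain cert")
        if fp not in on_disk:
            findings.append(f"{fp}: logged client cert is not in the PEM file")
    return findings

if __name__ == "__main__":
    print(pem_blocks(SAMPLE_PEM))
    print("\n".join(diagnose(SAMPLE_LOG, SAMPLE_PEM)))
```

The labels returned by `pem_blocks` also show which block types a given client.pem contains, which is useful when comparing files produced by different OpenSSL versions.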


#2 2010-06-22 15:51:07

TaylanUB
Member
Registered: 2009-09-16
Posts: 150

Re: [solved] weechat client certificates broken?

Just wanted to say that I have the exact same problem.

No other Weechat+SSL+OFTC users here?

It works in Irssi by the way. /troll


``Common sense is nothing more than a deposit of prejudices laid down by the mind before you reach eighteen.''
~ Albert Einstein


#3 2010-07-01 15:30:32

gour
Member
From: Croatia
Registered: 2007-07-28
Posts: 67

Re: [solved] weechat client certificates broken?

TaylanUB wrote:

Just wanted to say that I have the exact same problem.

No other Weechat+SSL+OFTC users here?

It works in Irssi by the way. /troll

+1 with the problem hmm


Sincerely,
Gour

Edit: I can also confirm that the same certificate works in irssi. yikes

Last edited by gour (2010-07-02 08:51:00)


#4 2010-07-01 18:19:46

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: [solved] weechat client certificates broken?


#5 2010-07-02 18:34:24

gour
Member
From: Croatia
Registered: 2007-07-28
Posts: 67

Re: [solved] weechat client certificates broken?

ataraxia wrote:

I've added comment there...

Otherwise, no solution on horizon?

I've tried on #weechat, but no response...it's quite dead there.  sad


Sincerely,
Gour


#6 2010-07-06 04:10:14

gour
Member
From: Croatia
Registered: 2007-07-28
Posts: 67

Re: [solved] weechat client certificates broken?

gour wrote:

I've tried on #weechat, but no response...it's quite dead there.  sad

Weechat dev returned from vacation and tried to reproduce the problem without success yesterday.

Then I found out what's wrong...weechat uses openssl-1.0.0.a on Archlinux which, somehow, produces an incompatible cert which weechat cannot read properly.

After creating cert with openssl-0.9.80, everything is fine now. cool


Sincerely,
Gour


#7 2010-07-26 15:06:42

gour
Member
From: Croatia
Registered: 2007-07-28
Posts: 67

Re: [solved] weechat client certificates broken?

Just to inform everyone that the issue is resolved in weechat's git trunk.


Sincerely,
Gour


#8 2010-08-08 02:52:35

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: [solved] weechat client certificates broken?

This fix has made it to release, and 0.3.3-1 works for me.

