mIRC Home    About    Download    Register    News    Help

Print Thread
Joined: Mar 2006
Posts: 395
T
The_JD Offline OP
Pan-dimensional mouse
OP Offline
Pan-dimensional mouse
T
Joined: Mar 2006
Posts: 395
I had a quick search and to my surprise I didn't find anything related to this.

What I would like to see, Is an auto-accept option, Certificates are often ugly and messy, and I don't see a real point in it for a lot of things.

I understand the security issues with an auto accept status, but perhaps a script "on 1:CERT:{ do this }" would be good.

The other option is to modify the mirc.ini file... Which can end up quiet messy!

I dont think the majority of things (such as PHP, WinAPI, etc) require that you accept it, but provide an option which can be automatically set.

Im guessing there are a few others out there that are interested???

Thanks,
JD.


[02:16] * Titanic has quit IRC (Excess Flood)
Joined: Oct 2003
Posts: 3,918
A
Hoopy frood
Offline
Hoopy frood
A
Joined: Oct 2003
Posts: 3,918
Apparently mIRC stores the certificates in the mirc.ini already. You can check the box in the dialog that says "Automatically accept this certificate" and boom, you have "Auto accepted" SSL certificates.

Last edited by argv0; 03/09/07 07:10 PM.

- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
Joined: Jul 2003
Posts: 655
Fjord artisan
Offline
Fjord artisan
Joined: Jul 2003
Posts: 655
Unfortunately, this is neither perfect (its buggy) nor convenient in many cases. mIRC has issues with the certificate saving, which seems somewhat random, some certificates mirc will simply not save/match against correctly. Not to mention that on networks with many servers you'd have to check /map (if its not disabled) and connect/accept each and every server to avoid future annoyances with reconnection asking to accept the certificate and such... obviously resulting in non-reconnection if you are not at pc at the time.

On top of that, some networks are configured not to allow direct server connection through the servers ip or personal dns, and require you to use one of the dns pool addresses, which makes itterating through them almost impossible (both since you cant do it manually and since continuous reconnections to the dns pool will not garantee you hit all the servers)

I have actually posted/suggested about this a few times (different methods), somewhat disappointed that silly (at least in my opinion) new gui features get implemented yet little time (seemingly) spent to improve/fix/enhance such a core part of the program, but thats how the cookie crumbles and hopefully something will be done eventually.

Links to some prior suggestions:
/server -e# to manipulate ssl cert. interaction
Safe/Trusted SSL list

There have been others but since they were not by me i cant be sure what to search for to find them.

As a side note, the search feature on these boards seem to limit you to 101 results, so expanding search to 5 years is pointless half the time, you have to search over and over altering the 'older than' values in order to get a decent set of results. This makes the whole 'expand to 5 years' suggestion everybody makes when they talk about users searching the forums pretty much nulled. Chances are they wont get any older than several months/a year anyway due to the result limit.

Last edited by Om3n; 08/09/07 06:06 PM.

"Allen is having a small problem and needs help adjusting his attitude" - Flutterby
Joined: Dec 2002
Posts: 5,408
Hoopy frood
Offline
Hoopy frood
Joined: Dec 2002
Posts: 5,408
I've never heard of this issue before, can you provide an SSL server whose certificate mIRC has trouble saving/matching against?

Joined: Jul 2003
Posts: 655
Fjord artisan
Offline
Fjord artisan
Joined: Jul 2003
Posts: 655
I could, but as i said, it seems somewhat random... (i recall mentioning this some time ago).

To better illustrate what i mean by 'random' concider the following.

Clear all certificates,
Connect to servers 1 through 10 and A through C,
Perhapse one server (lets say 9) doesnt auto-accept the next time you reconnect to it, and dispite again selecting to auto-accept in the future it continues to ask every time.

Now, clear all certificates again,
Connect to servers 1 through 10 and A through C again,
This time server 9 has no issues with reconnecting and auto accepting, but maybe a different server will (lets say B),
And the cycle continues.

So you see it seems somewhat arbitrary which certificate(s) do not work as intend (in regards to auto acceptance)

I am not sure exactly HOW to properly test and narrow down what could possibly be causing this issue, which is why i have never posted a detailed bug report about it (although i have certainly mentioned it on several occasions)

If you have any ideas/suggestions on methods in which to test and help figure it out then i will be happy to assist.

In any case, i would still certainly like to see a feature similar to those (the /server addition seems more appropriate to me) that were listed above. (coz itteration of servers to get/accept certificates can still be troublesom). But i would certainly settle for this weird issue to go away heh (just to clarify, i have spoken to a number of others that have experienced the same behavior on different versions and different os's, so it doesnt seem to be specifically realated to my setup)

Edit: also mircs sslcache doesnt store any identification as to which certificate may belong to which network, so for the current servers that give me trouble i am not able to check if they are saved to mirc.ini properly or at all

Obviously, i can also not be certain if this issue is caused by mirc or by the openssl dlls.

Last edited by Om3n; 08/09/07 06:50 PM.

"Allen is having a small problem and needs help adjusting his attitude" - Flutterby
Joined: Dec 2002
Posts: 5,408
Hoopy frood
Offline
Hoopy frood
Joined: Dec 2002
Posts: 5,408
I've performed some tests; in the cases where I'm prompted again to accept a hash, this is due to connecting to a different server on the same network. Since each server has its own unique certificate, if you connect to ten networks, each with ten servers, and each server has an invalid certifiate, you will need to accept 100 invalid certificates.

I have added an auto-accept invalid certificates to the next version of mIRC, although you would probably be compromising the security of your SSL connection if you use it.

Joined: Jul 2003
Posts: 655
Fjord artisan
Offline
Fjord artisan
Joined: Jul 2003
Posts: 655
I have observed multiple cases in the past where mirc (or even a bug in the ssl dll's?) fails to accept a previously accepted certificate for a private network that contains only one server. In such cases i have specifically looked closely to make sure everything is the same each time (server name, address, real ip, connection port, all certificate data, etc) in order to try and work out what is wrong, without any luck (everything is identical). And as i have mentioned it may or may not work fine for that certificate the next time certificates are cleared completely, the complete inconsistancy of the behavior is what makes it so hard to digest.

Since you have introduced a global method of auto acceptance (which will certainly help, but as you say it can compromise security), is there any chance of something like the per cid internal flag (re /server flag suggestion) being introduced?

I will try and do some testing and see if i can figure anything out at all that might help explain the issue.

Thanks for checking into it, its been annoying me since the introduction of ssl in mirc. (side note: using same ssl dll's with a third party wrapper does not seem to have this issue when configured to only accept saved certificates)

Last edited by Om3n; 11/09/07 01:28 PM.

"Allen is having a small problem and needs help adjusting his attitude" - Flutterby
Joined: Dec 2002
Posts: 2,031
R
Hoopy frood
Offline
Hoopy frood
R
Joined: Dec 2002
Posts: 2,031
Auto accepting on a per server or per network basis would be much better than globally. It could have an option to always accept certificates from this server or always accept certificates from servers on this network?

~ Edit ~

Always accept certificates from this ip?

Joined: Jul 2008
Posts: 2
J
JSH Offline
Bowl of petunias
Offline
Bowl of petunias
J
Joined: Jul 2008
Posts: 2
Can the problems with saving SSL certificates be caused by to many certificates in the mirc.ini ssl cache? I had 100 entries in my cache, and since I cleared the cache and re-added the current servers, I've not seen mIRC "forget" to save any certficates.

/JSH

Joined: Dec 2002
Posts: 5,408
Hoopy frood
Offline
Hoopy frood
Joined: Dec 2002
Posts: 5,408
Thanks yes, that could be it. There is a limit of 100 items in the ssl cache. It looks like any new items after that limit were being discarded. I've fixed this in the next version so that new items are inserted at the top of the list and the oldest item at the bottom of the list is discarded.

Joined: Jul 2008
Posts: 2
J
JSH Offline
Bowl of petunias
Offline
Bowl of petunias
J
Joined: Jul 2008
Posts: 2
Thanks for the fast fix!

/JSH


Link Copied to Clipboard