Possible issue verifying SSL certificates #224047 04/08/10 06:54 PM
KarlR (OP)
Joined: Jul 2010
Posts: 3
Hi,

I have encountered what might be an issue when connecting to an IRC server using a signed certificate (where mIRC trusts the signing authority).

When connecting while trusting the authority, mIRC returns the following details for the certificate:

Code:
Issued to:
Organization: Root CA
Unit: http://www.cacert.org
Host: CA Cert Signing Authority
Email: support@cacert.org

Issued by:
Organization: Root CA
Unit: http://www.cacert.org
Host: CA Cert Signing Authority
Email: support@cacert.org

Valid from 30/03/2003 to 29/03/2033


When not trusting the authority, mIRC returns this:

Code:
Issued to:
Host: lotus.ca.us.swiftirc.net

Issued by:
Organization: Root CA
Unit: http://www.cacert.org
Host: CA Cert Signing Authority
Email: support@cacert.org

Valid from 04/08/2010 to 31/01/2011


mIRC thus alternates between complaining about the server name not matching, and being unable to get the local issuer certificate. This problem appears to occur with servers signed by the same CA that were properly validated with an earlier version of mIRC.

Interrogating the server certificate using the same box/OpenSSL version as mIRC returns this:

Code:
c:\OpenSSL\bin>openssl verify -CAfile c:\users\karl\Documents\keys\CACertRoot.cer c:\Users\karl\Documents\lotus.pem
c:\Users\karl\Documents\lotus.pem: OK


Code:
c:\OpenSSL\bin>openssl x509 -in c:\users\karl\Documents\lotus.pem -issuer -subject 
issuer= /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
subject= /CN=lotus.ca.us.swiftirc.net

Re: Possible issue verifying SSL certificates [Re: KarlR] #229734 15/02/11 06:29 PM
irc_user
Joined: Feb 2011
Posts: 3
Hi,

I can confirm this problem and it still exists in current version v7.17.
Please fix it.

Re: Possible issue verifying SSL certificates [Re: irc_user] #229985 21/02/11 11:20 PM
imprim
Joined: Feb 2011
Posts: 3
Bump!

I can confirm that this bug still exists.

This is a very serious issue, because it affects one of the most popular IRC networks: FreeNode.

Please fix it!

Re: Possible issue verifying SSL certificates [Re: imprim] #230107 25/02/11 01:31 PM
imprim
Joined: Feb 2011
Posts: 3
I can confirm that updating to v7.18 (current beta) does not fix this (try connecting to chat.freenode.net:+7000)

Last edited by imprim; 25/02/11 01:32 PM.
Re: Possible issue verifying SSL certificates [Re: imprim] #230117 25/02/11 04:01 PM
irc_user
Joined: Feb 2011
Posts: 3
Originally Posted By: imprim
I can confirm that updating to v7.18 (current beta) does not fix this (try connecting to chat.freenode.net:+7000)

Yes, only mIRC v6.35 works fine.

Re: Possible issue verifying SSL certificates [Re: imprim] #230136 25/02/11 09:22 PM
Khaled
Joined: Dec 2002
Posts: 4,657
Thanks for the feedback. There was a bug in mIRC v6.35 that caused it to incorrectly validate the certificate in some situations. The method was changed in v7.x, however it looks like the validation is still not being performed correctly.

I have made another change that seems to resolve this issue. Now, when I try to connect to chat.freenode.net:+7000, mIRC will report:

"unable to get local issuer certificate"
"the security certificate date is valid"
"The security certificate has a valid name matching the name of the server."

This seems to be correct, since mIRC cannot validate the certificate without a Trusted Authorities file.

If I then open the mIRC Options->Connect->Options->SSL dialog and load UTN-USERFirst-Hardware.pem (exported from the Windows certificates dialog and converted from DER to PEM format) as the Trusted Authorities file and then connect again to the server, mIRC does not display the warning dialog and connects without any issues, indicating that it was able to validate the certificate.

This change should be in the next version.
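
The three checks behind the messages quoted above (issuer chain, validity dates, host name), reproduced with the OpenSSL command line as an added example; it is not part of the original post and not mIRC's code. The CA, the host name irc.example.test and all file names are constructed for the demo, which also shows the DER-to-PEM conversion and what a name comparison returns against the server certificate versus the CA certificate.

```shell
#!/bin/sh
# Added demo: throwaway CA and server certificate; every name here is constructed.
set -e
WORK=$(mktemp -d)
HOST=irc.example.test            # hypothetical server name

make_pki() {
  # Self-signed root, standing in for the signing authority
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Demo Root CA/CN=Demo Signing Authority" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Server certificate for $HOST, signed by that root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/leaf.csr" -days 30 -extfile "$WORK/san.cnf" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
  # A DER export (as the Windows certificates dialog can produce), converted to PEM
  openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/root.cer"
  openssl x509 -inform DER -in "$WORK/root.cer" -out "$WORK/trusted.pem"
}

# Chain check: $1 is an optional trusted-authorities PEM file
chain_check() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1 || true
  else
    openssl verify "$WORK/leaf.pem" 2>&1 || true
  fi
}
# Date check on the server certificate
date_check() {
  if openssl x509 -in "$WORK/leaf.pem" -noout -checkend 0 >/dev/null 2>&1
  then echo valid; else echo expired; fi
}
# Name check: compare $HOST with the certificate in file $1
name_check() { openssl x509 -in "$1" -noout -checkhost "$HOST" 2>&1 || true; }

make_pki
echo "chain, no trusted file: $(chain_check | tail -n 1)"
echo "chain, trusted file:    $(chain_check "$WORK/trusted.pem")"
echo "date:                   $(date_check)"
echo "name vs server cert:    $(name_check "$WORK/leaf.pem")"
echo "name vs CA cert:        $(name_check "$WORK/root.pem")"
```

The chain result changes with the trusted file while the date and name results do not, which is why a client can report a valid name and date alongside "unable to get local issuer certificate".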

Re: Possible issue verifying SSL certificates [Re: Khaled] #230150 26/02/11 09:50 AM
imprim
Joined: Feb 2011
Posts: 3
Originally Posted By: Khaled
I have made another change that seems to resolve this issue.


Perfect! Thank you :)

Originally Posted By: Khaled

If I then open the mIRC Options->Connect->Options->SSL dialog and load UTN-USERFirst-Hardware.pem (exported from the Windows certificates dialog and converted from DER to PEM format) as the Trusted Authorities file and then connect again to the server, mIRC does not display the warning dialog and connects without any issues, indicating that it was able to validate the certificate.


To avoid exporting certificates by hand one can, for example, use Mozilla's certdata file http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1 , which is conveniently converted to PEM format by the kind folks at http://curl.haxx.se/docs/caextract.html .

Maybe mIRC can ship this file to ease the life of its SSL-savvy users? It seems that MPL only applies to the file (and not to the product shipping it), but IANAL.

Re: Possible issue verifying SSL certificates [Re: Khaled] #230180 27/02/11 11:31 AM
irc_user
Joined: Feb 2011
Posts: 3
Originally Posted By: Khaled
I have made another change that seems to resolve this issue.

If I then open the mIRC Options->Connect->Options->SSL dialog and load [...] the Trusted Authorities file and then connect again to the server, mIRC does not display the warning dialog and connects without any issues, indicating that it was able to validate the certificate.

This change should be in the next version.

Thanks for fixing this bug. ;)

Re: Possible issue verifying SSL certificates [Re: imprim] #230230 02/03/11 06:16 PM
Vilius
Joined: May 2008
Posts: 16
Originally Posted By: imprim
Originally Posted By: Khaled
I have made another change that seems to resolve this issue.


Perfect! Thank you :)

Originally Posted By: Khaled

If I then open the mIRC Options->Connect->Options->SSL dialog and load UTN-USERFirst-Hardware.pem (exported from the Windows certificates dialog and converted from DER to PEM format) as the Trusted Authorities file and then connect again to the server, mIRC does not display the warning dialog and connects without any issues, indicating that it was able to validate the certificate.


To avoid exporting certificates by hand one can, for example, use Mozilla's certdata file http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1 , which is conveniently converted to PEM format by the kind folks at http://curl.haxx.se/docs/caextract.html .

Maybe mIRC can ship this file to ease the life of its SSL-savvy users? It seems that MPL only applies to the file (and not to the product shipping it), but IANAL.


Please NO. mIRC (as every other program on the system) should use Windows CA storage/CryptoAPI. Every Windows OS has one and there is no need to duplicate the functionality.

Last edited by Vilius; 02/03/11 06:17 PM.
Re: Possible issue verifying SSL certificates [Re: Vilius] #230268 03/03/11 11:31 AM
Khaled
Joined: Dec 2002
Posts: 4,657
I have added support for the Windows certificate store, so mIRC now loads the trusted and intermediate authorities for use in validating certificates. Looking through the Windows Certificates dialog, I notice that Windows XP has a large number of trusted and intermediate authorities, whereas Windows 7 has very few, which means that freenode users with Windows 7 will still need to download the Mozilla cacert.pm file in order to connect without seeing a certificate warning.