mIRC Home    About    Download    Register    News    Help

Print Thread
Joined: May 2012
Posts: 3
E
Self-satisified door
OP Offline
Self-satisified door
E
Joined: May 2012
Posts: 3
With mIRC 7.25, I connect to a SSL-enabled IRC-server. The IRC-server uses a completely valid and signed SSL-certificate, however the used hostname is present as a Subject Alternative Name (SAN) in the certificate. The main hostname in the certificate is different. This results in an error message about a problem with the certificate. A workaround could be to use the main hostname from the certificate, but this will not always be possible.

I don't know if this is an issue with OpenSSL or with mIRC, but the certificate should be accepted when the used hostname is present as SAN in the certificate.

Joined: Nov 2011
Posts: 6
C
Nutrimatic drinks dispenser
Offline
Nutrimatic drinks dispenser
C
Joined: Nov 2011
Posts: 6
Hi All,

I've recently come across this one too in mIRC 7.25. Please see the below image for clarification of what we mean smile.

Where it says "Dns: irc.link-net.org" it should also say "irc6.link-net.org" and "eu.link-net.org", as these three are added as subjectAltName to the ssl cert (with "irc.link-net.fi" being the CommonName).

It would be handy for mIRC to recognise subjectAltName, as users can connect to our servers via the different dns pools - region ("eu.link-net.org"), ipv6 ("irc6.link-net.org"), global ("irc.link-net.org"), actual address ("irc.link-net.fi").

Regards,
catatonic



Joined: Oct 2003
Posts: 3,918
A
Hoopy frood
Offline
Hoopy frood
A
Joined: Oct 2003
Posts: 3,918
The question is, how do other programs deal with SANs? For instance, how would your web browser handle this? Would it accept the cert?


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
Joined: Nov 2011
Posts: 6
C
Nutrimatic drinks dispenser
Offline
Nutrimatic drinks dispenser
C
Joined: Nov 2011
Posts: 6
Hi,

Most modern browsers accept SAN - there is a very basic list here. I believe Chrome & Android also support SAN.

Hope this helps,

Last edited by catatonic; 04/07/12 10:17 AM. Reason: removed wrong link
Joined: Nov 2011
Posts: 6
C
Nutrimatic drinks dispenser
Offline
Nutrimatic drinks dispenser
C
Joined: Nov 2011
Posts: 6
Hi,

Just to expand/clarify a bit more:

- In the certificate / security alert box where it lists the subjectAltName ("Dns:"), it only lists the first SAN, instead of all of them.
- mIRC seems to only accept the first subjectAltName when connecting, ignoring all others that are listed within the cert.

Relevant RFCs seem to be rfc2818 (3.1), rfc5280 (4.1.2.6).

irssi accepts subjectAltNames correctly, from my testing, if this helps at all.

Regards,
catatonic

Joined: Dec 2002
Posts: 5,412
Hoopy frood
Offline
Hoopy frood
Joined: Dec 2002
Posts: 5,412
Thanks for the bug report, this issue has been fixed for the next version.

Joined: Dec 2002
Posts: 5,412
Hoopy frood
Offline
Hoopy frood
Joined: Dec 2002
Posts: 5,412
Thanks for the extra details :-)

Joined: May 2012
Posts: 3
E
Self-satisified door
OP Offline
Self-satisified door
E
Joined: May 2012
Posts: 3
Great! Thanks for the fix, I'm looking forward to the next release.

Keep up the good work!


Link Copied to Clipboard