Support for SAN's in SSL-certificates #237945 15/06/12 08:37 AM
Joined: May 2012
Posts: 3
Eagle_Erwin Offline OP
Self-satisified door
With mIRC 7.25, I connect to an SSL-enabled IRC server. The IRC server uses a completely valid and signed SSL certificate, however the used hostname is present as a Subject Alternative Name (SAN) in the certificate. The main hostname in the certificate is different. This results in an error message about a problem with the certificate. A workaround could be to use the main hostname from the certificate, but this will not always be possible.

I don't know if this is an issue with OpenSSL or with mIRC, but the certificate should be accepted when the used hostname is present as SAN in the certificate.

Re: Support for SAN's in SSL-certificates [Re: Eagle_Erwin] #238144 03/07/12 08:40 PM
Joined: Nov 2011
Posts: 6
catatonic Offline
Nutrimatic drinks dispenser
Hi All,

I've recently come across this one too in mIRC 7.25. Please see the below image for clarification of what we mean :).

Where it says "Dns: irc.link-net.org" it should also say "irc6.link-net.org" and "eu.link-net.org", as these three are added as subjectAltName to the ssl cert (with "irc.link-net.fi" being the CommonName).

It would be handy for mIRC to recognise subjectAltName, as users can connect to our servers via the different dns pools - region ("eu.link-net.org"), ipv6 ("irc6.link-net.org"), global ("irc.link-net.org"), actual address ("irc.link-net.fi").

Regards,
catatonic



Re: Support for SAN's in SSL-certificates [Re: catatonic] #238146 03/07/12 10:19 PM
Joined: Oct 2003
Posts: 3,918
argv0 Offline
Hoopy frood
The question is, how do other programs deal with SANs? For instance, how would your web browser handle this? Would it accept the cert?


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
Re: Support for SAN's in SSL-certificates [Re: argv0] #238161 04/07/12 10:09 AM
Joined: Nov 2011
Posts: 6
catatonic Offline
Nutrimatic drinks dispenser
Hi,

Most modern browsers accept SAN - there is a very basic list here. I believe Chrome & Android also support SAN.

Hope this helps,

Last edited by catatonic; 04/07/12 10:17 AM. Reason: removed wrong link
Re: Support for SAN's in SSL-certificates [Re: catatonic] #238174 04/07/12 10:20 PM
Joined: Nov 2011
Posts: 6
catatonic Offline
Nutrimatic drinks dispenser
Hi,

Just to expand/clarify a bit more:

- In the certificate / security alert box where it lists the subjectAltName ("Dns:"), it only lists the first SAN, instead of all of them.
- mIRC seems to only accept the first subjectAltName when connecting, ignoring all others that are listed within the cert.

Relevant RFCs seem to be rfc2818 (3.1), rfc5280 (4.1.2.6).

irssi accepts subjectAltNames correctly, from my testing, if this helps at all.

Regards,
catatonic
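
An added example (not code from mIRC or from any poster in this thread) of the hostname check that RFC 2818 section 3.1 describes, next to a first-SAN-only check that models the behaviour reported above. The certificate dict is constructed in the layout of Python's `ssl.SSLSocket.getpeercert()`, and all function names are hypothetical.

```python
# Constructed sample certificate, built from the names mentioned in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "irc.link-net.fi"),),),
    "subjectAltName": (
        ("DNS", "irc.link-net.org"),
        ("DNS", "irc6.link-net.org"),
        ("DNS", "eu.link-net.org"),
    ),
}

def _name_match(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    p_labels, h_labels = p.split("."), h.split(".")
    # Conservative assumption: a wildcard must leave at least two fixed labels.
    return (p_labels[0] == "*" and len(p_labels) > 2
            and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])

def dns_names(cert):
    """All dNSName entries of the subjectAltName extension, in order."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    """All commonName values found in the subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def match_first_san_only(cert, hostname):
    """Models the reported behaviour: only the first SAN is compared."""
    names = dns_names(cert)
    return bool(names) and _name_match(names[0], hostname)

def match_all_sans(cert, hostname):
    """RFC 2818 3.1: any dNSName may match; CN is used only if no dNSName exists."""
    names = dns_names(cert) or common_names(cert)
    return any(_name_match(n, hostname) for n in names)

if __name__ == "__main__":
    for host in ("irc.link-net.org", "irc6.link-net.org", "eu.link-net.org", "irc.link-net.fi"):
        print(host, match_first_san_only(SAMPLE_CERT, host), match_all_sans(SAMPLE_CERT, host))
```

Under the RFC 2818 rule the CommonName `irc.link-net.fi` does not match once dNSName entries are present, so every name clients connect to has to be listed as a SAN.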

Re: Support for SAN's in SSL-certificates [Re: Eagle_Erwin] #238335 17/07/12 10:55 AM
Joined: Dec 2002
Posts: 4,657
Khaled Offline
Hoopy frood
Thanks for the bug report, this issue has been fixed for the next version.

Re: Support for SAN's in SSL-certificates [Re: catatonic] #238336 17/07/12 10:57 AM
Joined: Dec 2002
Posts: 4,657
Khaled Offline
Hoopy frood
Thanks for the extra details :-)

Re: Support for SAN's in SSL-certificates [Re: Khaled] #238431 27/07/12 08:58 AM
Joined: May 2012
Posts: 3
Eagle_Erwin Offline OP
Self-satisified door
Great! Thanks for the fix, I'm looking forward to the next release.

Keep up the good work!