TLS verification issue on testnet.ergo.chat #269406 30/09/21 12:38 AM
slingamn (OP)
One of my users is reporting an inability to connect to ircs://testnet.ergo.chat:6697/ with mIRC v7.66. They report that initially they were able to connect, but then a subsequent connection attempt failed. This suggests a possible issue with STS, since the server publishes the following STS token in its CAP LS 302 output: "sts=duration=86400,port=6697".

Here's the client configuration: https://i.imgur.com/EaM0yu8.png

The error is: "[05:24pm] * Unable to connect to server (SSL certificate verify failed)". (The time is 5:24 PM PDT [UTC-7] on September 29th, 2021.)

Here is the current certificate chain we are serving: https://gist.github.com/slingamn/ac339674da32ff086a2d17250f32854c

Thanks very much for your time.


Co-maintainer of the Oragono IRC server
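
To illustrate the STS token quoted in the post above, here is an added example (not part of the original thread, and not mIRC or Ergo code) of how a client might parse and cache it. It assumes the semantics of the IRCv3 `sts` capability: `duration` is honoured only over TLS, `port` only over plaintext, and `duration=0` clears the policy. The `SAMPLE` line, the `StsStore` class and the function names are hypothetical.

```python
# Constructed sample: only the sts token is taken from the post above.
SAMPLE = ":testnet.ergo.chat CAP * LS :sasl sts=duration=86400,port=6697 server-time"

def parse_cap_ls(line):
    """Map capability name -> value (or None) from a CAP LS line's last parameter."""
    caps = {}
    for token in line.partition(" :")[2].split():
        name, _, value = token.partition("=")
        caps[name] = value or None
    return caps

def parse_sts(value):
    """Split the sts value into its comma-separated key[=value] tokens."""
    return dict(tok.partition("=")[::2] for tok in value.split(","))

class StsStore:
    """Hypothetical in-memory policy cache: host -> (tls_port, expiry_epoch)."""
    def __init__(self):
        self.policies = {}

    def observe(self, host, port, secure, cap_line, now):
        """Process CAP LS; return a TLS port to reconnect to, or None."""
        sts = parse_sts(parse_cap_ls(cap_line).get("sts") or "")
        if secure:
            # duration counts only when received over verified TLS.
            if sts.get("duration", "").isdigit():
                seconds = int(sts["duration"])
                if seconds == 0:
                    self.policies.pop(host, None)  # duration=0 clears the policy
                else:
                    self.policies[host] = (port, now + seconds)
            return None
        # On plaintext only the port key matters: upgrade before doing anything else.
        return int(sts["port"]) if sts.get("port", "").isdigit() else None

    def plan(self, host, requested_port, requested_tls, now):
        """Return (port, use_tls) for the next connection attempt."""
        cached = self.policies.get(host)
        if cached and cached[1] > now:
            # Policy still live: TLS is mandatory, so a certificate verification
            # failure ends the attempt instead of falling back to plaintext.
            return cached[0], True
        return requested_port, requested_tls
```

Once a policy is cached, every attempt within the 86400-second window is forced onto TLS, so a verification failure at that point shows up as a failed connection.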
Re: TLS verification issue on testnet.ergo.chat [Re: slingamn] #269407 30/09/21 06:43 AM
Khaled
Thanks for your bug report. The "SSL certificate verify failed" error message relates to the certificate verification itself. If the user enables "Display invalid certificates for approval" in the Options/Connect/Options/SSL dialog, this should, on connect, display the SSL Warning dialog that shows the reason why the certificate failed.

Re: TLS verification issue on testnet.ergo.chat [Re: Khaled] #269408 30/09/21 07:20 AM
maroon
The error is showing the certificate expired, even though the display shows the cert has not expired.

I'm seeing reports it's related to this: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/

Will posting the updated cacert.pem solve this?

Re: TLS verification issue on testnet.ergo.chat [Re: maroon] #269409 30/09/21 07:51 AM
Khaled
I just tried connecting to the server using a clean install of mIRC v7.66 and it didn't report any issues, so the cacert.pem that comes with v7.66 should be okay.

Re: TLS verification issue on testnet.ergo.chat [Re: Khaled] #269410 30/09/21 07:59 AM
maroon
I've had reports from people using 7.66 with the newest win10 getting this error from all libera.chat servers:

/server irc.libera.chat +6697

Re: TLS verification issue on testnet.ergo.chat [Re: maroon] #269411 30/09/21 08:08 AM
Khaled
Puzzling. I tried connecting to Libera.Chat with the v7.66 cacert.pem and it worked without any issues.

If you can find a user who is reporting this issue and ask them to install a clean copy of mIRC v7.66 in a new, empty folder in the Windows Documents folder, using the "Portable" option in the installer, and to then run mIRC from there, do they still see the issue?

You could also ask the user to post the date of their cacert.pem using:

Code
//echo $read($mircdir $+ cacert.pem,w,*Certificate data*)

Last edited by Khaled; 30/09/21 08:22 AM.
Re: TLS verification issue on testnet.ergo.chat [Re: Khaled] #269412 30/09/21 08:39 AM
maroon
I'm seeing the same issue on my current win7 install, but installing 766 on a new win10 machine has no trouble.

Both of them give the same reply to that:

echo ## Certificate data from Mozilla as of: Tue Jun 29 09:58:15 2021 GMT

and both have the same

//echo -a $sha256(cacert.pem,2) is 1e8aec6afd4e62b3bb60f2f0ee658c5e528c88c28c160525e068edc1645e135e

Someone in channel has the problem on his existing win10 setup. He just did a fresh portable 766, and still gets the same popup warning from the libera.chat servers. In the network support channel, nobody else using a different client than mIRC is reporting this.

Re: TLS verification issue on testnet.ergo.chat [Re: maroon] #269413 30/09/21 09:50 AM
Khaled
Right. I still haven't been able to reproduce this on Windows 7/10.

If you clear the cacert.pem file in the Options/Connect/Options/SSL dialog, so no trusted authorities file is in use, and then try connecting again to libera.chat, what happens?

If you enable "Display invalid certificates for approval", what does it show as the error in the SSL Warning dialog?

Last edited by Khaled; 30/09/21 10:14 AM.
Re: TLS verification issue on testnet.ergo.chat [Re: Khaled] #269414 30/09/21 10:08 AM
maroon
Cleared it and no help. It seems too much of a coincidence to not be related to the 9/30 cert that expired.

KindOne says he doesn't have the problem, so still not sure what's the common denominator among those where it's failing. Libera admins say their cert is using the root cert that expires 2035, and that cert and the 9/30 cert both appear in my list of root certs, and I don't see how the win10 is describing those certs differently than win7 does, and the other guy here running win10 can't find any cause either.

Re: TLS verification issue on testnet.ergo.chat [Re: maroon] #269415 30/09/21 10:19 AM
Khaled
mIRC also loads certificates from the Windows certificate store, for users/organizations that use custom certificates. At this point, the only potential issue I can think of is that the Windows 7/10 certificates for some users have not been updated and/or still include the old certificate, resulting in a conflict.

Re: TLS verification issue on testnet.ergo.chat [Re: Khaled] #269416 30/09/21 11:14 AM
Epic
After reading this thread, I decided to try connecting to my server by the SSL port with mIRC v7.66 and I also got a connection error: "Unable to connect to server (SSL certificate verify failed)".

I have fulfilled: "ALT+O → Connect → Options → SSL → Server Certificates: Automatically accept invalid certificates // Display invalid certificates for approval → Trusted authorities file: ...\cacert.pem".
In the second option, a dialog box pops up prompting you to accept the server certificate. After that, I was able to connect to the server.

It looks like all the generated certificates have somehow become invalid. Perhaps this information will help you somehow solve the connection problem that has arisen.


🅸🆁🅲 - 𝔦'𝔱𝔰 𝔸 𝕂𝖎ɴ𝙙 ᴏ𝙛 𝕄𝙖𝖌𝙞𝙘
Re: TLS verification issue on testnet.ergo.chat [Re: slingamn] #269417 30/09/21 11:28 AM
IHDC3600
Hello, everybody.
I have the same problem.
OS: Win10 pro x64 + all updates
Client: mIRC v7.66
Network: irc.libera.chat:+6697

Re: TLS verification issue on testnet.ergo.chat [Re: Epic] #269418 30/09/21 12:02 PM
Khaled
Quote
"Unable to connect to server (SSL certificate verify failed)".

If you enable "Display invalid certificates for approval" in Options/Connect/Options/SSL, what does it show as the error in the SSL Warning dialog when you try to connect?

Re: TLS verification issue on testnet.ergo.chat [Re: Khaled] #269419 30/09/21 12:33 PM
Loki12583
Quote
Summary
Certificate has expired

Issuer
Organization: Let's Encrypt
Host: R3
Country: US

Subject
Host: platinum.libera.chat
Dns: irc.au.libera.chat, irc.ea.libera.chat, irc.eu.libera.chat, irc.ipv4.libera.chat, irc.ipv6.libera.chat, irc.libera.chat, irc.us.libera.chat, platinum.libera.chat

Valid from 02/08/2021 to 31/10/2021

SHA256 fingerprint:
25:A1:B9:14:51:27:BC:B5:89:DB:D9:0F:A8:0A:DD:89:EF:2C:4D:80:8F:69:04:45:57:FB:0C:6B:38:2E:3F:EA

Bubble-babble:
xenep-cevyc-gogud-lazor-hedut-rakab-zopeb-palam-nuryd-sefum-bofok-necyg-hehoz-rifyk-rovud-voziv-paxix

SHA1 fingerprint:
B4:D1:F5:E4:78:09:7F:F4:2E:A4:6D:A2:CC:AE:5E:20:F3:C6:C2:E5

Bubble-babble:
xotat-cetav-givub-nozoz-gorap-gurip-defyp-volod-besus-kibiv-huxux

Re: TLS verification issue on testnet.ergo.chat [Re: Loki12583] #269420 30/09/21 01:33 PM
Khaled
Quote
Summary
Certificate has expired

Thanks, that narrows it down. The date range is valid, so that is not the issue.

I will be releasing a beta shortly to see if it resolves the issue.

Re: TLS verification issue on testnet.ergo.chat [Re: Khaled] #269421 30/09/21 02:06 PM
Loki12583
I am now able to connect to the servers without a certificate warning. I did clear the extra entries from servers.ini, ran Windows Update (just a Windows Defender update) and rebooted my machine, but immediately after this step it still did not work. About an hour later I was able to connect to the servers in question without making any additional changes. After the connections succeeded I reverted to the backups I made of servers.ini and mirc.ini and I could still connect without warning.

Last edited by Loki12583; 30/09/21 02:07 PM.
Re: TLS verification issue on testnet.ergo.chat [Re: Loki12583] #269422 30/09/21 02:12 PM
KindOne
What is your current timezone / time?


irc.swiftirc.net #msl (mIRC Scripting Language)
Re: TLS verification issue on testnet.ergo.chat [Re: Loki12583] #269423 30/09/21 02:42 PM
SiD69
Hi,

I'm having the same issue, my certificate is valid but mIRC sees it as expired.


Summary
Certificate has expired

Issuer
Organization: Let's Encrypt
Host: R3
Country: US

Subject
Host: *.donsid.net
Dns: *.donsid.net, donsid.net

Valid from 01/09/2021 to 30/11/2021

SHA256 fingerprint:
17:30:0A:AF:8B:90:6D:C8:4D:61:B7:98:DB:78:E0:BC:88:C6:55:30:73:C9:A1:1F:5E:D1:67:21:3B:73:E7:BB

Bubble-babble:
xehof-budep-zodan-berys-mufek-cyton-mykul-mumar-sydys-kihuf-besas-namoc-zolut-cinod-covol-fanor-rexox

SHA1 fingerprint:
D3:4C:97:37:05:E5:B9:6E:46:C3:9D:D8:27:53:87:35:B6:BB:5C:FA

Bubble-babble:
xugog-sahuf-luciv-huvyk-vacys-fulit-mynah-fycof-hetir-rylez-pixex


I'm using the same certificate on multiple websites and my browsers see the certificate as valid.

Regards.

Re: TLS verification issue on testnet.ergo.chat [Re: Loki12583] #269424 30/09/21 02:44 PM
8bitbubsy
I have the exact same issue trying to connect to my ZNC bouncer (uses LetsEncrypt) with the latest version of mIRC.
Here's some more info about the LetsEncrypt case: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Last edited by 8bitbubsy; 30/09/21 02:52 PM.
Re: TLS verification issue on testnet.ergo.chat [Re: SiD69] #269425 30/09/21 02:54 PM
Khaled
I have just released a beta that -might- fix this issue. If you are seeing this issue, please try out the beta and let me know if you still see it. Thanks!
