Joined: Mar 2020
Posts: 2
Bowl of petunias
OP
One of my users is reporting an inability to connect to ircs://testnet.ergo.chat:6697/ with mIRC v7.66. They report that initially they were able to connect, but then a subsequent connection attempt failed. This suggests a possible issue with STS, since the server publishes the following STS token in its CAP LS 302 output: "sts=duration=86400,port=6697".

Here's the client configuration: https://i.imgur.com/EaM0yu8.png

The error is: "[05:24pm] * Unable to connect to server (SSL certificate verify failed)". (The time is 5:24 PM PDT [UTC-7] on September 29th, 2021.)

Here is the current certificate chain we are serving: https://gist.github.com/slingamn/ac339674da32ff086a2d17250f32854c

Thanks very much for your time.


Co-maintainer of the Oragono IRC server
Joined: Dec 2002
Posts: 5,411
Hoopy frood
Thanks for your bug report. The "SSL certificate verify failed" error message relates to the certificate verification itself. If the user enables the "Display invalid certificates for approval" in the Options/Connect/Options/SSL dialog, this should, on connect, display the SSL Warning dialog that shows the reason why the certificate failed.

Joined: Jan 2004
Posts: 2,127
Hoopy frood
The error is showing the certificate expired, even though the display shows the cert has not expired.

I'm seeing reports it's related to this: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/

Will posting the updated cacert.pem solve this?

Joined: Dec 2002
Posts: 5,411
Hoopy frood
I just tried connecting to the server using a clean install of mIRC v7.66 and it didn't report any issues, so the cacert.pem that comes with v7.66 should be okay.

Joined: Jan 2004
Posts: 2,127
Hoopy frood
I've had reports from people using 7.66 with newest win10 getting this error from all libera.chat servers

/server irc.libera.chat +6697

Joined: Dec 2002
Posts: 5,411
Hoopy frood
Puzzling. I tried connecting to Libera.Chat with the v7.66 cacert.pem and it worked without any issues.

If you can find a user who is reporting this issue and ask them to install a clean copy of mIRC v7.66 in a new, empty folder in the Windows Documents folder, using the "Portable" option in the installer, and to then run mIRC from there, do they still see the issue?

You could also ask the user to post the date of their cacert.pem using:

Code
//echo $read($mircdir $+ cacert.pem,w,*Certificate data*)

Last edited by Khaled; 30/09/21 08:22 AM.
Joined: Jan 2004
Posts: 2,127
Hoopy frood
I'm seeing the same issue on my current win7 install, but installing 766 on a new win10 machine has no trouble

both of them give same reply to that as

echo ## Certificate data from Mozilla as of: Tue Jun 29 09:58:15 2021 GMT

and both have same

//echo -a $sha256(cacert.pem,2) is 1e8aec6afd4e62b3bb60f2f0ee658c5e528c88c28c160525e068edc1645e135e

Someone in channel has the problem on his existing win10 setup. He just did a fresh portable 766, and still same popup warning from the libera.chat servers. In the network support channel, nobody else using a different client than mirc is reporting this.

Joined: Dec 2002
Posts: 5,411
Hoopy frood
Right. I still haven't been able to reproduce this on Windows 7/10.

If you clear the cacert.pem file in the Options/Connect/Options/SSL dialog, so no trusted authorities file is in use, and then try connecting again to libera.chat, what happens?

If you enable "Display invalid certificates for approval", what does it show as the error in the SSL Warning dialog?

Last edited by Khaled; 30/09/21 10:14 AM.
Joined: Jan 2004
Posts: 2,127
Hoopy frood
cleared it and no help. It seems too much of a coincidence to not be related to the 9/30 cert that expired.

KindOne says he doesn't have the problem, so still not sure what's the common denominator among those where it's failing. Libera admins say their cert is using the root cert that expires 2035, and that cert and the 9/30 cert both appear in my list of root certs, and I don't see how the win10 is describing those certs differently than win7 does, and the other guy here running win10 can't find any cause either.

Joined: Dec 2002
Posts: 5,411
Hoopy frood
mIRC also loads certificates from the Windows certificate store, for users/organizations that use custom certificates. At this point, the only potential issue I can think of is that the Windows 7/10 certificates for some users have not been updated and/or still include the old certificate, resulting in a conflict.

Joined: Jan 2012
Posts: 299
Fjord artisan
After reading this thread, I decided to try connecting to my server by the SSL port with mIRC v7.66 and I also got a connection error: "Unable to connect to server (SSL certificate verify failed)".

I have fulfilled: "ALT+O > Connect > Options > SSL > Server Certificates: Automatically accept invalid certificates // Display invalid certificates for approval > Trusted authorities file: ...\cacert.pem".
In the second option, a dialog box pops up prompting you to accept the server certificate. After that, I was able to connect to the server.

It looks like all the generated certificates have somehow become invalid. Perhaps this information will help you somehow solve the connection problem that has arisen.


🌐 http://forum.epicnet.ru 📜 irc.epicnet.ru 6667 #Code | mIRC scripts, help, discuss, examples
Joined: Jan 2017
Posts: 4
Self-satisfied door
Hello, everybody.
I have the same problem.
OS: Win10 pro x64 + all updates
Client: mIRC v7.66
Network: irc.libera.chat:+6697

Joined: Dec 2002
Posts: 5,411
Hoopy frood
Quote
"Unable to connect to server (SSL certificate verify failed)".

If you enable "Display invalid certificates for approval" in Options/Connect/Options/SSL, what does it show as the error in the SSL Warning dialog when you try to connect?

Joined: Jan 2004
Posts: 1,358
Hoopy frood
Quote
Summary
Certificate has expired

Issuer
Organization: Let's Encrypt
Host: R3
Country: US

Subject
Host: platinum.libera.chat
Dns: irc.au.libera.chat, irc.ea.libera.chat, irc.eu.libera.chat, irc.ipv4.libera.chat, irc.ipv6.libera.chat, irc.libera.chat, irc.us.libera.chat, platinum.libera.chat

Valid from 02/08/2021 to 31/10/2021

SHA256 fingerprint:
25:A1:B9:14:51:27:BC:B5:89:DB:D9:0F:A8:0A:DD:89:EF:2C:4D:80:8F:69:04:45:57:FB:0C:6B:38:2E:3F:EA

Bubble-babble:
xenep-cevyc-gogud-lazor-hedut-rakab-zopeb-palam-nuryd-sefum-bofok-necyg-hehoz-rifyk-rovud-voziv-paxix

SHA1 fingerprint:
B4:D1:F5:E4:78:09:7F:F4:2E:A4:6D:A2:CC:AE:5E:20:F3:C6:C2:E5

Bubble-babble:
xotat-cetav-givub-nozoz-gorap-gurip-defyp-volod-besus-kibiv-huxux

Joined: Dec 2002
Posts: 5,411
Hoopy frood
Quote
Summary
Certificate has expired

Thanks, that narrows it down. The date range is valid, so that is not the issue.

I will be releasing a beta shortly to see if it resolves the issue.

Joined: Jan 2004
Posts: 1,358
Hoopy frood
I am now able to connect to the servers without a certificate warning. I did clear the extra entries from servers.ini, ran windows update (just windows defender update) and rebooted my machine, but immediately after this step it still did not work. About an hour later I was able to connect to the servers in question without making any additional changes. After the connections succeeded I reverted to the backups I made of servers.ini and mirc.ini and I could still connect without warning.

Last edited by Loki12583; 30/09/21 02:07 PM.
Joined: Feb 2011
Posts: 448
Pan-dimensional mouse
What is your current timezone / time?

Joined: May 2011
Posts: 24
Ameglian cow
Hi,

I'm having the same issue, my certificate is valid but mIRC sees it as expired.


Summary
Certificate has expired

Issuer
Organization: Let's Encrypt
Host: R3
Country: US

Subject
Host: *.donsid.net
Dns: *.donsid.net, donsid.net

Valid from 01/09/2021 to 30/11/2021

SHA256 fingerprint:
17:30:0A:AF:8B:90:6D:C8:4D:61:B7:98:DB:78:E0:BC:88:C6:55:30:73:C9:A1:1F:5E:D1:67:21:3B:73:E7:BB

Bubble-babble:
xehof-budep-zodan-berys-mufek-cyton-mykul-mumar-sydys-kihuf-besas-namoc-zolut-cinod-covol-fanor-rexox

SHA1 fingerprint:
D3:4C:97:37:05:E5:B9:6E:46:C3:9D:D8:27:53:87:35:B6:BB:5C:FA

Bubble-babble:
xugog-sahuf-luciv-huvyk-vacys-fulit-mynah-fycof-hetir-rylez-pixex


I'm using the same certificate on multiple websites and my browsers see the certificate as valid.

Regards.

Joined: Oct 2019
Posts: 5
Nutrimatic drinks dispenser
I have the exact same issue trying to connect to my ZNC bouncer (uses LetsEncrypt) with the latest version of mIRC.
Here's some more info about the LetsEncrypt case: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Last edited by 8bitbubsy; 30/09/21 02:52 PM.
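
An added illustration (not mIRC's verification code and not part of any post above) of one way a verifier can report "Certificate has expired" while the leaf's own date range is valid: every certificate on the path it builds is checked, so a path that ends at an expired root fails even when a path to an unexpired root exists. The chain is constructed sample data; that the server sends a cross-signed ISRG Root X1, and every date other than the leaf's, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample chain, validity at day granularity. Only the leaf's host,
# issuer name and dates are taken from the dialog quoted in the thread.
LEAF = Cert("platinum.libera.chat", "R3", day(2021, 8, 2), day(2021, 10, 31))
R3 = Cert("R3", "ISRG Root X1", day(2020, 9, 4), day(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", day(2021, 1, 20), day(2024, 9, 30))
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", day(2015, 6, 4), day(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", day(2000, 9, 30), day(2021, 9, 30))
SENT_BY_SERVER = [R3, X1_CROSS]   # assumption: server also sends the cross-signed X1
TRUST_STORE = [DST_X3, X1_SELF]   # both roots present in the local store

def paths_to_anchor(leaf, sent, store):
    """Every issuer path from the leaf to a certificate in the trust store."""
    found = []
    def walk(path):
        tip = path[-1]
        if tip in store:
            found.append(path)
            return
        for cand in sent + store:  # server-sent certificates are tried first
            if cand.subject == tip.issuer and cand not in path:
                walk(path + [cand])
    walk([leaf])
    return found

def verify(leaf, sent, store, now, first_path_only):
    """Return (status, detail); detail is the path or the first expired subject."""
    paths = paths_to_anchor(leaf, sent, store)
    if not paths:
        return ("no path to a trusted root", None)
    first_bad = None
    for path in (paths[:1] if first_path_only else paths):
        expired = [c for c in path if not c.not_before <= now <= c.not_after]
        if not expired:
            return ("ok", [c.subject for c in path])
        first_bad = first_bad or expired[0].subject
    return ("certificate has expired", first_bad)
```

With `first_path_only=True` and a clock after 30 September 2021, the leaf is still in range but the result is an expiry error naming the old root; allowing alternative paths, or removing the expired root from the store, yields `ok` through the self-signed ISRG Root X1.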
Joined: Dec 2002
Posts: 5,411
Hoopy frood
I have just released a beta that -might- fix this issue. If you are seeing this issue, please try out the beta and let me know if you still see it. Thanks!
