OP
Bowl of petunias
Joined: Mar 2020
Posts: 2
One of my users is reporting an inability to connect to ircs://testnet.ergo.chat:6697/ with mIRC v7.66. They report that initially they were able to connect, but then a subsequent connection attempt failed. This suggests a possible issue with STS, since the server publishes the following STS token in its CAP LS 302 output: "sts=duration=86400,port=6697".
Here's the client configuration: https://i.imgur.com/EaM0yu8.png
The error is: "[05:24pm] * Unable to connect to server (SSL certificate verify failed)". (The time is 5:24 PM PDT [UTC-7] on September 29th, 2021.)
Here is the current certificate chain we are serving: https://gist.github.com/slingamn/ac339674da32ff086a2d17250f32854c
Thanks very much for your time.

Hoopy frood
Joined: Dec 2002
Posts: 5,493
Thanks for your bug report. The "SSL certificate verify failed" error message relates to the certificate verification itself. If the user enables the "Display invalid certificates for approval" in the Options/Connect/Options/SSL dialog, this should, on connect, display the SSL Warning dialog that shows the reason why the certificate failed.

Hoopy frood
Joined: Jan 2004
Posts: 2,127
The error is showing the certificate expired, even though the display shows the cert has not expired. I'm seeing reports it's related to this: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/
Will posting the updated cacert.pem solve this?

Hoopy frood
Joined: Dec 2002
Posts: 5,493
I just tried connecting to the server using a clean install of mIRC v7.66 and it didn't report any issues, so the cacert.pem that comes with v7.66 should be okay.

Hoopy frood
Joined: Jan 2004
Posts: 2,127
I've had reports from people using 7.66 with newest win10 getting this error from all libera.chat servers
/server irc.libera.chat +6697

Hoopy frood
Joined: Dec 2002
Posts: 5,493
Puzzling. I tried connecting to Libera.Chat with the v7.66 cacert.pem and it worked without any issues. If you can find a user who is reporting this issue and ask them to install a clean copy of mIRC v7.66 in a new, empty folder in the Windows Documents folder, using the "Portable" option in the installer, and to then run mIRC from there, do they still see the issue? You could also ask the user to post the date of their cacert.pem using: //echo $read($mircdir $+ cacert.pem,w,*Certificate data*)
Last edited by Khaled; 30/09/21 08:22 AM.

Hoopy frood
Joined: Jan 2004
Posts: 2,127
I'm seeing the same issue on my current win7 install, but installing 766 on a new win10 machine has no trouble
both of them give same reply to that as
echo ## Certificate data from Mozilla as of: Tue Jun 29 09:58:15 2021 GMT
and both have same
//echo -a $sha256(cacert.pem,2) is 1e8aec6afd4e62b3bb60f2f0ee658c5e528c88c28c160525e068edc1645e135e
Someone in channel has the problem on his existing win10 setup. He just did a fresh portable 766, and still same popup warning from the libera.chat servers. In the network support channel, nobody else using a different client than mirc is reporting this.

Hoopy frood
Joined: Dec 2002
Posts: 5,493
Right. I still haven't been able to reproduce this on Windows 7/10.
If you clear the cacert.pem file in the Options/Connect/Options/SSL dialog, so no trusted authorities file is in use, and then try connecting again to libera.chat, what happens?
If you enable "Display invalid certificates for approval", what does it show as the error in the SSL Warning dialog?
Last edited by Khaled; 30/09/21 10:14 AM.

Hoopy frood
Joined: Jan 2004
Posts: 2,127
Cleared it and no help. It seems too much of a coincidence to not be related to the 9/30 cert that expired.
KindOne says he doesn't have the problem, so still not sure what's the common denominator among those where it's failing. Libera admins say their cert is using the root cert that expires 2035, and that cert and the 9/30 cert both appear in my list of root certs, and I don't see how the win10 is describing those certs differently than win7 does, and the other guy here running win10 can't find any cause either.

Hoopy frood
Joined: Dec 2002
Posts: 5,493
mIRC also loads certificates from the Windows certificate store, for users/organizations that use custom certificates. At this point, the only potential issue I can think of is that the Windows 7/10 certificates for some users have not been updated and/or still include the old certificate, resulting in a conflict.
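
Added example (not part of the thread, and not mIRC's or OpenSSL's code): a simplified model of how a trust store holding both the old and the new root can yield "Certificate has expired" for a leaf whose own dates are valid, depending on which issuer the verifier picks first. The certificate names, the hand-entered end dates, the assumed server chain and the helpers `build_path` and `verify` are all illustrative; no signatures are checked.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

# Constructed stand-ins: names and end dates only, no keys or signatures.
LEAF = Cert("irc.libera.chat", "R3", utc(2021, 10, 31))
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))  # cross-signed copy
X1_ROOT = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))      # root expiring 2035
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30, 14))  # the 9/30 cert

SERVER_CHAIN = [LEAF, R3, X1_CROSS]   # assumed: what the server sends
TRUST_STORE = [X1_ROOT, DST_ROOT]     # both roots present, as reported above
NOW = utc(2021, 10, 1)

def build_path(chain, store, trusted_first):
    """Walk from the leaf to a self-signed root, taking each issuer either
    from the trust store first or from the server-sent certificates first."""
    path = [chain[0]]
    while path[-1].subject != path[-1].issuer:
        want = path[-1].issuer
        anchor = next((c for c in store if c.subject == want), None)
        sent = next((c for c in chain if c.subject == want and c not in path), None)
        nxt = (anchor or sent) if trusted_first else (sent or anchor)
        if nxt is None:
            raise ValueError(f"no issuer found for {path[-1].subject}")
        path.append(nxt)
    return path

def verify(chain, store, now, trusted_first):
    """Return (verdict, expired subjects) for the path that was built."""
    path = build_path(chain, store, trusted_first)
    expired = [c.subject for c in path if now > c.not_after]
    return ("certificate has expired", expired) if expired else ("ok", [])

if __name__ == "__main__":
    for mode in (False, True):
        print("trusted_first =", mode, verify(SERVER_CHAIN, TRUST_STORE, NOW, mode))
```

The expired entry in the failing case is the old root at the end of the path, not the leaf, which is why the validity dates shown for the server certificate look fine.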

Pan-dimensional mouse
Joined: Jan 2012
Posts: 329
After reading this thread, I decided to try connecting to my server on the SSL port with mIRC v7.66 and I also got a connection error: "Unable to connect to server (SSL certificate verify failed)".
I have fulfilled: "ALT+O ➔ Connect ➔ Options ➔ SSL ➔ Server Certificates: Automatically accept invalid certificates // Display invalid certificates for approval ➔ Trusted authorities file: ...\cacert.pem". In the second option, a dialog box pops up prompting you to accept the server certificate. After that, I was able to connect to the server.
It looks like all the generated certificates have somehow become invalid. Perhaps this information will help you somehow solve the connection problem that has arisen.

Self-satisfied door
Joined: Jan 2017
Posts: 4
Hello, everybody. I have the same problem.
OS: Win10 pro x64 + all updates
Client: mIRC v7.66
Network: irc.libera.chat:+6697

Hoopy frood
Joined: Dec 2002
Posts: 5,493
"Unable to connect to server (SSL certificate verify failed)". If you enable "Display invalid certificates for approval" in Options/Connect/Options/SSL, what does it show as the error in the SSL Warning dialog when you try to connect?

Hoopy frood
Joined: Jan 2004
Posts: 1,361
Summary Certificate has expired
Issuer Organization: Let's Encrypt Host: R3 Country: US
Subject Host: platinum.libera.chat Dns: irc.au.libera.chat, irc.ea.libera.chat, irc.eu.libera.chat, irc.ipv4.libera.chat, irc.ipv6.libera.chat, irc.libera.chat, irc.us.libera.chat, platinum.libera.chat
Valid from 02/08/2021 to 31/10/2021
SHA256 fingerprint: 25:A1:B9:14:51:27:BC:B5:89:DB:D9:0F:A8:0A:DD:89:EF:2C:4D:80:8F:69:04:45:57:FB:0C:6B:38:2E:3F:EA
Bubble-babble: xenep-cevyc-gogud-lazor-hedut-rakab-zopeb-palam-nuryd-sefum-bofok-necyg-hehoz-rifyk-rovud-voziv-paxix
SHA1 fingerprint: B4:D1:F5:E4:78:09:7F:F4:2E:A4:6D:A2:CC:AE:5E:20:F3:C6:C2:E5
Bubble-babble: xotat-cetav-givub-nozoz-gorap-gurip-defyp-volod-besus-kibiv-huxux

Hoopy frood
Joined: Dec 2002
Posts: 5,493
> Summary Certificate has expired

Thanks, that narrows it down. The date range is valid, so that is not the issue.
I will be releasing a beta shortly to see if it resolves the issue.

Hoopy frood
Joined: Jan 2004
Posts: 1,361
I am now able to connect to the servers without a certificate warning. I did clear the extra entries from servers.ini, ran windows update (just windows defender update) and rebooted my machine, but immediately after this step it still did not work. About an hour later I was able to connect to the servers in question without making any additional changes. After the connections succeeded I reverted to the backups I made of servers.ini and mirc.ini and I could still connect without warning.
Last edited by Loki12583; 30/09/21 02:07 PM.

Pan-dimensional mouse
Joined: Feb 2011
Posts: 462
What is your current timezone / time?

Ameglian cow
Joined: May 2011
Posts: 24
Hi,
I'm having the same issue, my certificate is valid but mIRC sees it as expired.
Summary Certificate has expired
Issuer Organization: Let's Encrypt Host: R3 Country: US
Subject Host: *.donsid.net Dns: *.donsid.net, donsid.net
Valid from 01/09/2021 to 30/11/2021
SHA256 fingerprint: 17:30:0A:AF:8B:90:6D:C8:4D:61:B7:98:DB:78:E0:BC:88:C6:55:30:73:C9:A1:1F:5E:D1:67:21:3B:73:E7:BB
Bubble-babble: xehof-budep-zodan-berys-mufek-cyton-mykul-mumar-sydys-kihuf-besas-namoc-zolut-cinod-covol-fanor-rexox
SHA1 fingerprint: D3:4C:97:37:05:E5:B9:6E:46:C3:9D:D8:27:53:87:35:B6:BB:5C:FA
Bubble-babble: xugog-sahuf-luciv-huvyk-vacys-fulit-mynah-fycof-hetir-rylez-pixex
I'm using the same certificate on multiple websites and my browsers see the certificate as valid.
Regards.

Nutrimatic drinks dispenser
Joined: Oct 2019
Posts: 5
I have the exact same issue trying to connect to my ZNC bouncer (uses LetsEncrypt) with the latest version of mIRC. Here's some more info about the LetsEncrypt case: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Last edited by 8bitbubsy; 30/09/21 02:52 PM.

Hoopy frood
Joined: Dec 2002
Posts: 5,493
I have just released a beta that -might- fix this issue. If you are seeing this issue, please try out the beta and let me know if you still see it. Thanks!