Joined: Apr 2004
Posts: 2
Bowl of petunias
OP Offline
I'm trying to persuade mIRC to connect to the newly SSL'd irc.theonering.net:+6697 and verify the site's signed certificate correctly. I've signed the server's key using cacert.org to acquire a vaguely trustworthy certificate for the server:
Code:
# openssl x509 -noout -subject -issuer -in server.cert.pem
subject= /CN=irc.theonering.net
issuer= /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/Email=support@cacert.org

On unix machines, I can add the root certificate for cacert.org from http://www.cacert.org/cacert.cer to /usr/local/ssl/certs, rehash the links using c_rehash, and connect using xchat, irssi, openssl s_client etc. which verify the server's cert as being valid.

When running mIRC 6.14 with the Shining Light Productions OpenSSL distribution, connecting to the server without any explicit trusted authority specified in mIRC SSL settings yields "Unable to get issuer certificate":
Code:
Issued to:
Host: irc.theonering.net


Issued by:
Organization: Root CA
Unit: http://www.cacert.org
Host: CA Cert Signing Authority
Email: support@cacert.org

Valid from 06/04/2004 to 03/10/2004

- which all looks sane and makes perfect sense.

However, downloading cacert's root certificate from http://cacert.org/cacert.cer, placing it in c:\program files\mirc\cacert.pem and referring to it in mIRC's SSL settings as the Trusted Authorities File, verifies that the certificate is now from a trusted certifying authority, but yields "The name on the security certificate is invalid or does not match the name of the server":
Code:
Issued to:
Organization: Root CA
Unit: http://www.cacert.org
Host: CA Cert Signing Authority
Email: support@cacert.org


Issued by:
Organization: Root CA
Unit: http://www.cacert.org
Host: CA Cert Signing Authority
Email: support@cacert.org

Valid from 30/03/2003 to 29/03/2033

As you can see, it appears that mIRC has somehow internally overwritten the Subject (Issued to:) DN with that of the trusted authority's - hence the name mismatch error. This behaviour then persists until mIRC is restarted, regardless of whether the TA field is subsequently cleared.

The same behaviour occurs with the only other server I can find which has bothered to not self-sign its certificate:
Code:
# openssl s_client -host ircs.segfault.net -port 994 -showcerts -CAfile /usr/local/src/irc/ircd/ssl/segfault-root-ca.pem
depth=1 /C=DE/O=Segfault.net Consortium/OU=SEGFAULT-CERT/CN=SEGFAULT Toplevel Certification Authority/Email=ca@segfault.net
verify return:1
depth=0 /C=EU/ST=Cyperspace/L=Cypertown/O=segfault.net/OU=IRCS/CN=ircs.segfault.net/CN=ircs.ircsnet.net/Email=root@segfault.net
verify return:1
etc.

using the root certificate at http://www.ircsnet.net/old/segfault-root-ca.pem

Is this a bug, or am I doing something profoundly stupid?

Is there a way to add trusted certificates to OpenSSL's /usr/local/ssl/certs equivalent under Windows? The libraries appear to have been compiled with openssldir=/usr/local/ssl, which seems to be pretty crippling (unless being run under cygwin) - placing cert hashes in c:\ssl\certs, c:\openssl\ssl\certs, c:\usr\local\ssl\certs etc. doesn't seem to work.

many thanks in advance,

A.
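
The check the post expects, as an added example that is not part of the original post and is not mIRC's or OpenSSL's code: parse the `depth=N` lines in the one-line DN format shown above and compare the host name with the depth 0 (server) subject only, never with the CA's subject. The sample text and all function names are constructed for illustration.

```python
import re

# Constructed sample: verify lines in the style of the s_client output quoted
# in the post, built from the subject and issuer DNs shown for the server.
SAMPLE = """\
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/Email=support@cacert.org
verify return:1
depth=0 /CN=irc.theonering.net
verify return:1
"""

# An attribute starts at "/" followed by a type name and "=". Splitting on
# every "/" would break values such as OU=http://www.cacert.org.
ATTR = re.compile(r"/([A-Za-z][A-Za-z0-9]*)=")

def parse_dn(dn):
    """Parse an OpenSSL one-line DN into an ordered list of (type, value)."""
    parts = ATTR.split(dn)  # ['', type1, value1, type2, value2, ...]
    return list(zip(parts[1::2], parts[2::2]))

def subjects_by_depth(text):
    """Map chain depth -> parsed subject DN from 'depth=N <DN>' lines."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"depth=(\d+)\s+(/.*)$", line)
        if m:
            out[int(m.group(1))] = parse_dn(m.group(2))
    return out

def name_matches(host, dn):
    """True if host equals one of the DN's CN values (case-insensitive)."""
    # Only CN is compared because the DN lines carry nothing else; full
    # verification also considers subjectAltName entries in the certificate.
    return any(t == "CN" and v.lower() == host.lower() for t, v in dn)

def check_host(text, host):
    """Compare host with the leaf (depth 0) subject only, never with a CA."""
    chain = subjects_by_depth(text)
    if 0 not in chain:
        raise ValueError("no depth=0 (server) certificate in output")
    return name_matches(host, chain[0])

if __name__ == "__main__":
    chain = subjects_by_depth(SAMPLE)
    print("host vs leaf subject:", check_host(SAMPLE, "irc.theonering.net"))
    print("host vs CA subject  :", name_matches("irc.theonering.net", chain[1]))
```

Comparing the host with the depth 1 subject reproduces the name mismatch described in the post, since the CA's CN is "CA Cert Signing Authority".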

Joined: Apr 2004
Posts: 2
Bowl of petunias
OP Offline
Shamelessly bumping my SSL certificate-mangling bug report back up to the top of the list to prevent it disappearing forever. Anyone have any ideas? Bueller? Bueller? Khaled?

