Possible issue verifying SSL certificates

Posted By: KarlR

Possible issue verifying SSL certificates - 04/08/10 06:54 PM

Hi,

I have encountered what might be an issue when connecting to an IRC server using a signed certificate (where mIRC trusts the signing authority).

When connecting while trusting the authority, mIRC returns the following details for the certificate:

Code:
Issued to:
Organization: Root CA
Unit: http://www.cacert.org
Host: CA Cert Signing Authority
Email: support@cacert.org

Issued by:
Organization: Root CA
Unit: http://www.cacert.org
Host: CA Cert Signing Authority
Email: support@cacert.org

Valid from 30/03/2003 to 29/03/2033


When not trusting the authority, mIRC returns this:

Code:
Issued to:
Host: lotus.ca.us.swiftirc.net

Issued by:
Organization: Root CA
Unit: http://www.cacert.org
Host: CA Cert Signing Authority
Email: support@cacert.org

Valid from 04/08/2010 to 31/01/2011


mIRC thus alternates between complaining about the server name not matching, and being unable to get the local issuer certificate. This problem appears to occur with servers signed by the same CA that were properly validated with an earlier version of mIRC.

Interrogating the server certificate using the same box/OpenSSL version as mIRC returns this:

Code:
c:\OpenSSL\bin>openssl verify -CAfile c:\users\karl\Documents\keys\CACertRoot.cer c:\Users\karl\Documents\lotus.pem
c:\Users\karl\Documents\lotus.pem: OK


Code:
c:\OpenSSL\bin>openssl x509 -in c:\users\karl\Documents\lotus.pem -issuer -subject 
issuer= /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
subject= /CN=lotus.ca.us.swiftirc.net
Posted By: irc_user

Re: Possible issue verifying SSL certificates - 15/02/11 06:29 PM

Hi,

I can confirm this problem, and it still exists in the current version, v7.17.
Please fix it.
Posted By: imprim

Re: Possible issue verifying SSL certificates - 21/02/11 11:20 PM

Bump!

I can confirm that this bug still exists.

This is a very serious issue, because it affects one of the most popular IRC networks: FreeNode.

Please fix it!
Posted By: imprim

Re: Possible issue verifying SSL certificates - 25/02/11 01:31 PM

I can confirm that updating to v7.18 (current beta) does not fix this (try connecting to chat.freenode.net:+7000)
Posted By: irc_user

Re: Possible issue verifying SSL certificates - 25/02/11 04:01 PM

Originally Posted By: imprim
I can confirm that updating to v7.18 (current beta) does not fix this (try connecting to chat.freenode.net:+7000)

Yes, only mIRC v6.35 works fine.
Posted By: Khaled

Re: Possible issue verifying SSL certificates - 25/02/11 09:22 PM

Thanks for the feedback. There was a bug in mIRC v6.35 that caused it to incorrectly validate the certificate in some situations. The method was changed in v7.x, however it looks like the validation is still not being performed correctly.

I have made another change that seems to resolve this issue. Now, when I try to connect to chat.freenode.net:+7000, mIRC will report:

"unable to get local issuer certificate"
"the security certificate date is valid"
"The security certificate has a valid name matching the name of the server."

This seems to be correct, since mIRC cannot validate the certificate without a Trusted Authorities file.

If I then open the mIRC Options->Connect->Options->SSL dialog and load UTN-USERFirst-Hardware.pem (exported from the Windows certificates dialog and converted from DER to PEM format) as the Trusted Authorities file and then connect again to the server, mIRC does not display the warning dialog and connects without any issues, indicating that it was able to validate the certificate.

This change should be in the next version.
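
The three results listed in the post above (issuer chain, validity dates, name match) can be reproduced with the OpenSSL command line. This is an added example, not code from the thread or from mIRC; it builds a throwaway CA and server certificate (`Demo Root CA` and `irc.example.test` are constructed names) and assumes OpenSSL 1.1.0 or later for `-no-CAfile` and `-no-CApath`.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=irc.example.test          # placeholder server name

# Throwaway root CA, standing in for the authority in the Trusted Authorities file.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Demo Root CA/CN=Demo Signing Authority" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Server (leaf) certificate for $HOST, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -days 30 -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.pem" 2>/dev/null

# Chain check with no trust anchors at all: OpenSSL fails with
# "unable to get local issuer certificate", as in the dialog quoted above.
chain_without_trust() {
    openssl verify -no-CAfile -no-CApath "$WORK/srv.pem" >/dev/null 2>&1
}
# Chain check with the signing CA loaded as the trusted authority.
chain_with_trust() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/srv.pem" >/dev/null 2>&1
}
# Chain, validity dates and name together, for the name the client connected to.
full_check() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/srv.pem" >/dev/null 2>&1
}
# Name match against one specific certificate file (leaf or CA).
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report chain_without_trust                     # FAIL: no trusted authority
report chain_with_trust                        # PASS
report full_check "$HOST"                      # PASS
report full_check other.example.test           # FAIL: hostname mismatch
report name_matches "$WORK/srv.pem" "$HOST"    # PASS: leaf carries the server name
report name_matches "$WORK/ca.pem" "$HOST"     # FAIL: CA certificate does not
```

The last two lines show why the server name has to be compared with the leaf certificate: the CA certificate in the chain never carries the server's name.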
Posted By: imprim

Re: Possible issue verifying SSL certificates - 26/02/11 09:50 AM

Originally Posted By: Khaled
I have made another change that seems to resolve this issue.


Perfect! Thank you :)

Originally Posted By: Khaled

If I then open the mIRC Options->Connect->Options->SSL dialog and load UTN-USERFirst-Hardware.pem (exported from the Windows certificates dialog and converted from DER to PEM format) as the Trusted Authorities file and then connect again to the server, mIRC does not display the warning dialog and connects without any issues, indicating that it was able to validate the certificate.


To avoid exporting certificates by hand one can, for example, use Mozilla's certdata file http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1 , which is conveniently converted to PEM format by the kind folks at http://curl.haxx.se/docs/caextract.html .

Maybe mIRC can ship this file to ease the life of its SSL-savvy users? It seems that MPL only applies to the file (and not to the product shipping it), but IANAL.
Posted By: irc_user

Re: Possible issue verifying SSL certificates - 27/02/11 11:31 AM

Originally Posted By: Khaled
I have made another change that seems to resolve this issue.

If I then open the mIRC Options->Connect->Options->SSL dialog and load [...] the Trusted Authorities file and then connect again to the server, mIRC does not display the warning dialog and connects without any issues, indicating that it was able to validate the certificate.

This change should be in the next version.

Thanks for fixing this bug. ;)
Posted By: Vilius

Re: Possible issue verifying SSL certificates - 02/03/11 06:16 PM

Originally Posted By: imprim
Originally Posted By: Khaled
I have made another change that seems to resolve this issue.


Perfect! Thank you :)

Originally Posted By: Khaled

If I then open the mIRC Options->Connect->Options->SSL dialog and load UTN-USERFirst-Hardware.pem (exported from the Windows certificates dialog and converted from DER to PEM format) as the Trusted Authorities file and then connect again to the server, mIRC does not display the warning dialog and connects without any issues, indicating that it was able to validate the certificate.


To avoid exporting certificates by hand one can, for example, use Mozilla's certdata file http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1 , which is conveniently converted to PEM format by the kind folks at http://curl.haxx.se/docs/caextract.html .

Maybe mIRC can ship this file to ease the life of its SSL-savvy users? It seems that MPL only applies to the file (and not to the product shipping it), but IANAL.


Please NO. mIRC (as every other program on the system) should use Windows CA storage/CryptoAPI. Every Windows OS has one and there is no need to duplicate the functionality.
Posted By: Khaled

Re: Possible issue verifying SSL certificates - 03/03/11 11:31 AM

I have added support for the Windows certificate store, so mIRC now loads the trusted and intermediate authorities for use in validating certificates. Looking through the Windows Certificates dialog, I notice that Windows XP has a large number of trusted and intermediate authorities, whereas Windows 7 has very few, which means that freenode users with Windows 7 will still need to download the Mozilla cacert.pem file in order to connect without seeing a certificate warning.