Posted By: Eagle_Erwin Support for SAN's in SSL-certificates - 15/06/12 08:37 AM
With mIRC 7.25, I connect to an SSL-enabled IRC-server. The IRC-server uses a completely valid and signed SSL-certificate, however the used hostname is present as a Subject Alternative Name (SAN) in the certificate. The main hostname in the certificate is different. This results in an error message about a problem with the certificate. A workaround could be to use the main hostname from the certificate, but this will not always be possible.

I don't know if this is an issue with OpenSSL or with mIRC, but the certificate should be accepted when the used hostname is present as SAN in the certificate.
Posted By: catatonic Re: Support for SAN's in SSL-certificates - 03/07/12 08:40 PM
Hi All,

I've recently come across this one too in mIRC 7.25. Please see the below image for clarification of what we mean :)

Where it says "Dns: irc.link-net.org" it should also say "irc6.link-net.org" and "eu.link-net.org", as these three are added as subjectAltName to the ssl cert (with "irc.link-net.fi" being the CommonName).

It would be handy for mIRC to recognise subjectAltName, as users can connect to our servers via the different dns pools - region ("eu.link-net.org"), ipv6 ("irc6.link-net.org"), global ("irc.link-net.org"), actual address ("irc.link-net.fi").

Regards,
catatonic


Posted By: argv0 Re: Support for SAN's in SSL-certificates - 03/07/12 10:19 PM
The question is, how do other programs deal with SANs? For instance, how would your web browser handle this? Would it accept the cert?
Posted By: catatonic Re: Support for SAN's in SSL-certificates - 04/07/12 10:09 AM
Hi,

Most modern browsers accept SAN - there is a very basic list here. I believe Chrome & Android also support SAN.

Hope this helps,
Posted By: catatonic Re: Support for SAN's in SSL-certificates - 04/07/12 10:20 PM
Hi,

Just to expand/clarify a bit more:

- In the certificate / security alert box where it lists the subjectAltName ("Dns:"), it only lists the first SAN, instead of all of them.
- mIRC seems to only accept the first subjectAltName when connecting, ignoring all others that are listed within the cert.

Relevant RFCs seem to be rfc2818 (3.1), rfc5280 (4.1.2.6).

irssi accepts subjectAltNames correctly, from my testing, if this helps at all.

Regards,
catatonic
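
Added example (not part of any post in this thread, and not mIRC's or OpenSSL's code): the RFC 2818 section 3.1 matching rule cited above, applied to every dNSName entry rather than only the first. The certificate dict layout, the function names and the leftmost-label-only wildcard rule are assumptions made for illustration; the hostnames are the ones quoted in the thread.

```python
# Added example: RFC 2818 section 3.1 hostname check over all dNSName SANs.
# The cert dict layout and function names are assumptions for illustration.

def _name_match(pattern: str, host: str) -> bool:
    """Compare one presented name against the hostname, case-insensitively.
    A '*' is honoured only as the entire leftmost label and covers exactly
    one label (a conservative narrowing of RFC 2818's wildcard rule)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.org" can never match.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def identities(cert: dict) -> list:
    """dNSName SANs replace the Common Name whenever any are present."""
    sans = cert.get("san_dns") or []
    if sans:
        return list(sans)
    cn = cert.get("common_name")
    return [cn] if cn else []


def hostname_matches(cert: dict, host: str) -> bool:
    """Accept if ANY presented identity matches the requested hostname."""
    return any(_name_match(name, host) for name in identities(cert))


def first_san_only(cert: dict, host: str) -> bool:
    """Model of the behaviour reported in the thread: only the first SAN is tried."""
    names = identities(cert)
    return bool(names) and _name_match(names[0], host)


# Constructed certificate using the names quoted in the thread.
LINKNET = {
    "common_name": "irc.link-net.fi",
    "san_dns": ["irc.link-net.org", "irc6.link-net.org", "eu.link-net.org"],
}

if __name__ == "__main__":
    for h in ("irc.link-net.org", "eu.link-net.org", "irc.link-net.fi"):
        print(h, hostname_matches(LINKNET, h), first_san_only(LINKNET, h))
```

Under this rule a certificate that carries dNSName entries is not matched by its CommonName, so `irc.link-net.fi` is accepted only if it is also listed as a SAN.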
Posted By: Khaled Re: Support for SAN's in SSL-certificates - 17/07/12 10:55 AM
Thanks for the bug report, this issue has been fixed for the next version.
Posted By: Khaled Re: Support for SAN's in SSL-certificates - 17/07/12 10:57 AM
Thanks for the extra details :-)
Great! Thanks for the fix, I'm looking forward to the next release.

Keep up the good work!
© mIRC Discussion Forums