
TLS verification issue on testnet.ergo.chat

Posted By: slingamn

TLS verification issue on testnet.ergo.chat - 30/09/21 12:38 AM

One of my users is reporting an inability to connect to ircs://testnet.ergo.chat:6697/ with mIRC v7.66. They report that initially they were able to connect, but then a subsequent connection attempt failed. This suggests a possible issue with STS, since the server publishes the following STS token in its CAP LS 302 output: "sts=duration=86400,port=6697".

Here's the client configuration: https://i.imgur.com/EaM0yu8.png

The error is: "[05:24pm] * Unable to connect to server (SSL certificate verify failed)". (The time is 5:24 PM PDT [UTC-7] on September 29th, 2021.)

Here is the current certificate chain we are serving: https://gist.github.com/slingamn/ac339674da32ff086a2d17250f32854c

Thanks very much for your time.
Posted By: Khaled

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 06:43 AM

Thanks for your bug report. The "SSL certificate verify failed" error message relates to the certificate verification itself. If the user enables the "Display invalid certificates for approval" option in the Options/Connect/Options/SSL dialog, this should, on connect, display the SSL Warning dialog that shows the reason why the certificate failed.
Posted By: maroon

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 07:20 AM

The error is showing the certificate expired, even though the display shows the cert has not expired.

I'm seeing reports it's related to this: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/

Will posting the updated cacert.pem solve this?
Posted By: Khaled

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 07:51 AM

I just tried connecting to the server using a clean install of mIRC v7.66 and it didn't report any issues, so the cacert.pem that comes with v7.66 should be okay.
Posted By: maroon

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 07:59 AM

I've had reports from people using 7.66 with newest win10 getting this error from all libera.chat servers

/server irc.libera.chat +6697
Posted By: Khaled

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 08:08 AM

Puzzling. I tried connecting to Libera.Chat with the v7.66 cacert.pem and it worked without any issues.

If you can find a user who is reporting this issue and ask them to install a clean copy of mIRC v7.66 in a new, empty folder in the Windows Documents folder, using the "Portable" option in the installer, and to then run mIRC from there, do they still see the issue?

You could also ask the user to post the date of their cacert.pem using:

Code
//echo $read($mircdir $+ cacert.pem,w,*Certificate data*)
Posted By: maroon

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 08:39 AM

I'm seeing the same issue on my current win7 install, but installing 766 on a new win10 machine has no trouble.

both of them give same reply to that as

echo ## Certificate data from Mozilla as of: Tue Jun 29 09:58:15 2021 GMT

and both have same

//echo -a $sha256(cacert.pem,2) is 1e8aec6afd4e62b3bb60f2f0ee658c5e528c88c28c160525e068edc1645e135e

Someone in channel has the problem on his existing win10 setup. He just did a fresh portable 766, and still same popup warning from the libera.chat servers. In the network support channel, nobody else using a different client than mirc is reporting this.
Posted By: Khaled

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 09:50 AM

Right. I still haven't been able to reproduce this on Windows 7/10.

If you clear the cacert.pem file in the Options/Connect/Options/SSL dialog, so no trusted authorities file is in use, and then try connecting again to libera.chat, what happens?

If you enable "Display invalid certificates for approval", what does it show as the error in the SSL Warning dialog?
Posted By: maroon

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 10:08 AM

Cleared it and no help. It seems too much of a coincidence to not be related to the 9/30 cert that expired.

KindOne says he doesn't have the problem, so still not sure what's the common denominator among those where it's failing. Libera admins say their cert is using the root cert that expires 2035, and that cert and the 9/30 cert both appear in my list of root certs, and I don't see how the win10 is describing those certs differently than win7 does, and the other guy here running win10 can't find any cause either.
Posted By: Khaled

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 10:19 AM

mIRC also loads certificates from the Windows certificate store, for users/organizations that use custom certificates. At this point, the only potential issue I can think of is that the Windows 7/10 certificates for some users have not been updated and/or still include the old certificate, resulting in a conflict.
Posted By: Epic

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 11:14 AM

After reading this thread, I decided to try connecting to my server by the SSL port with mIRC v7.66 and I also got a connection error: "Unable to connect to server (SSL certificate verify failed)".

I have fulfilled: "ALT+O > Connect > Options > SSL > Server Certificates: Automatically accept invalid certificates // Display invalid certificates for approval > Trusted authorities file: ...\cacert.pem".
In the second option, a dialog box pops up prompting you to accept the server certificate. After that, I was able to connect to the server.

It looks like all the generated certificates have somehow become invalid. Perhaps this information will help you somehow solve the connection problem that has arisen.
Posted By: IHDC3600

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 11:28 AM

Hello, everybody.
I have the same problem.
OS: Win10 pro x64 + all updates
Client: mIRC v7.66
Network: irc.libera.chat:+6697
Posted By: Khaled

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 12:02 PM

Quote
"Unable to connect to server (SSL certificate verify failed)".

If you enable "Display invalid certificates for approval" in Options/Connect/Options/SSL, what does it show as the error in the SSL Warning dialog when you try to connect?
Posted By: Loki12583

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 12:33 PM

Quote
Summary
Certificate has expired

Issuer
Organization: Let's Encrypt
Host: R3
Country: US

Subject
Host: platinum.libera.chat
Dns: irc.au.libera.chat, irc.ea.libera.chat, irc.eu.libera.chat, irc.ipv4.libera.chat, irc.ipv6.libera.chat, irc.libera.chat, irc.us.libera.chat, platinum.libera.chat

Valid from 02/08/2021 to 31/10/2021

SHA256 fingerprint:
25:A1:B9:14:51:27:BC:B5:89:DB:D9:0F:A8:0A:DD:89:EF:2C:4D:80:8F:69:04:45:57:FB:0C:6B:38:2E:3F:EA

Bubble-babble:
xenep-cevyc-gogud-lazor-hedut-rakab-zopeb-palam-nuryd-sefum-bofok-necyg-hehoz-rifyk-rovud-voziv-paxix

SHA1 fingerprint:
B4:D1:F5:E4:78:09:7F:F4:2E:A4:6D:A2:CC:AE:5E:20:F3:C6:C2:E5

Bubble-babble:
xotat-cetav-givub-nozoz-gorap-gurip-defyp-volod-besus-kibiv-huxux
Posted By: Khaled

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 01:33 PM

Quote
Summary
Certificate has expired

Thanks, that narrows it down. The date range is valid, so that is not the issue.

I will be releasing a beta shortly to see if it resolves the issue.
Posted By: Loki12583

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 02:06 PM

I am now able to connect to the servers without a certificate warning. I did clear the extra entries from servers.ini, ran windows update (just windows defender update) and rebooted my machine, but immediately after this step it still did not work. About an hour later I was able to connect to the servers in question without making any additional changes. After the connections succeeded I reverted to the backups I made of servers.ini and mirc.ini and I could still connect without warning.
Posted By: KindOne

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 02:12 PM

What is your current timezone / time?
Posted By: SiD69

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 02:42 PM

Hi,

I'm having the same issue, my certificate is valid but mIRC sees it as expired.


Summary
Certificate has expired

Issuer
Organization: Let's Encrypt
Host: R3
Country: US

Subject
Host: *.donsid.net
Dns: *.donsid.net, donsid.net

Valid from 01/09/2021 to 30/11/2021

SHA256 fingerprint:
17:30:0A:AF:8B:90:6D:C8:4D:61:B7:98:DB:78:E0:BC:88:C6:55:30:73:C9:A1:1F:5E:D1:67:21:3B:73:E7:BB

Bubble-babble:
xehof-budep-zodan-berys-mufek-cyton-mykul-mumar-sydys-kihuf-besas-namoc-zolut-cinod-covol-fanor-rexox

SHA1 fingerprint:
D3:4C:97:37:05:E5:B9:6E:46:C3:9D:D8:27:53:87:35:B6:BB:5C:FA

Bubble-babble:
xugog-sahuf-luciv-huvyk-vacys-fulit-mynah-fycof-hetir-rylez-pixex


I'm using the same certificate on multiple websites and my browsers see the certificate as valid.

Regards.
Posted By: 8bitbubsy

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 02:44 PM

I have the exact same issue trying to connect to my ZNC bouncer (uses LetsEncrypt) with the latest version of mIRC.
Here's some more info about the LetsEncrypt case: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
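
Added example (not part of any post in this thread, and not mIRC's or OpenSSL's code): a generic model of path validation showing how a verifier can report "certificate has expired" for a chain whose leaf is inside its validity window, as in the dialogs quoted above. The certificate records are constructed metadata; only the leaf's dates and the issuer name R3 come from the thread, while "Old Root", "New Root" and the remaining dates are illustrative assumptions.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def cert(subject, issuer, start, end):
    return {"subject": subject, "issuer": issuer,
            "not_before": start, "not_after": end}

# Constructed records (no keys or signatures). Leaf window is the
# "Valid from 02/08/2021 to 31/10/2021" quoted in the thread; every other
# date and both root names are assumptions made for this illustration.
LEAF = cert("platinum.libera.chat", "R3", utc(2021, 8, 2), utc(2021, 10, 31))
R3 = cert("R3", "New Root", utc(2020, 9, 4), utc(2025, 9, 15))
CROSS = cert("New Root", "Old Root", utc(2021, 1, 20), utc(2024, 9, 30))
OLD_ROOT = cert("Old Root", "Old Root", utc(2000, 9, 30), utc(2021, 9, 30))
NEW_ROOT = cert("New Root", "New Root", utc(2015, 6, 4), utc(2035, 6, 4))
SERVED = [R3, CROSS]            # intermediates sent by the server
TRUSTED = [OLD_ROOT, NEW_ROOT]  # local trust store holding both roots

def verify(leaf, served, trusted, now, trusted_first):
    """Follow issuer links from the leaf; return (ok, reason, path)."""
    pools = [trusted, served] if trusted_first else [served, trusted]
    path, cur = [], leaf
    for _ in range(8):  # depth limit guards against issuer loops
        path.append(cur["subject"])
        # Every certificate on the chosen path is date-checked, not only the leaf.
        if now > cur["not_after"]:
            return False, "certificate has expired", path
        if now < cur["not_before"]:
            return False, "certificate is not yet valid", path
        if cur in trusted:
            return True, "ok", path
        cur = next((c for pool in pools for c in pool
                    if c["subject"] == cur["issuer"] and c is not cur), None)
        if cur is None:
            return False, "unable to get issuer certificate", path
    return False, "certificate chain too long", path

if __name__ == "__main__":
    for when in (utc(2021, 9, 29), utc(2021, 10, 1)):
        for trusted_first in (False, True):
            print(when.date(), trusted_first,
                  verify(LEAF, SERVED, TRUSTED, when, trusted_first))
```

The `path` element of the result names which certificate the date check stopped on, which is the detail to look for when the summary says "expired" but the leaf's dates are fine.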
Posted By: Khaled

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 02:54 PM

I have just released a beta that -might- fix this issue. If you are seeing this issue, please try out the beta and let me know if you still see it. Thanks!
Posted By: 8bitbubsy

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 03:09 PM

The beta version fixed the issue for me, thanks!
Posted By: SiD69

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 03:21 PM

Originally Posted by Khaled
I have just released a beta that -might- fix this issue. If you are seeing this issue, please try out the beta and let me know if you still see it. Thanks!



It works perfectly with the beta.

Thank you!
Posted By: Epic

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 03:28 PM

Originally Posted by Khaled
If you enable "Display invalid certificates for approval" in Options/Connect/Options/SSL, what does it show as the error in the SSL Warning dialog when you try to connect?

A window like this opens:

    [Linked Image from i.ibb.co]

I click on the "OK" button and a new attempt to connect to the server starts:

Code
* [10101] Host disconnected
* Disconnected
* Connect retry #2 irc.epicnet.ru (+6668)
*** Connecting to IRC chat ...

After that, all subsequent connections to the server occur without failures and errors :-]

The test was done on mIRC v7.66 (not beta).
Posted By: westor

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 03:36 PM

Maybe it is related to this? https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/?guccounter=1
Posted By: maroon

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 04:50 PM

Yes Epic, that works for that 1 server's certificate, but you'd get that for each of the servers connected to the network's round-robin address, and would probably get it again the next time that server changed their certificate.

The beta fixes the problem for me at least.

For those using older mIRC versions, I encountered this with version 7.56 too. For versions prior to that, Libera.chat doesn't want to let it use an SSL connection because of using TLSv1.1. At another network which allows connection from 7.55 and earlier, it also had the same certificate warning there too.
Posted By: Khaled

Re: TLS verification issue on testnet.ergo.chat - 30/09/21 08:56 PM

Quote
It works perfectly with the beta.

Good to hear. This change will be in the next release.
© 2021 mIRC Discussion Forums