On 07-10-2010 17:27, Lutz Jaenicke wrote:
Forwarded to openssl-users for public discussion.

Best regards,
        Lutz

----- Forwarded message from Taint<[email protected]>  -----

Date: Thu, 7 Oct 2010 10:48:15 -0400
Subject: cert problem
From: Taint<[email protected]>
To: [email protected]

I have been trying to connect to more than one ssl enabled network on irc
and I get an error saying invalid cert. The people at x-chat tell me that it
is not on their end but on the openssl end that the root certificates are
not present or something to that effect. Do you know when and if there will
be an update on this? Thanks


http://code.google.com/p/xchat-wdk/issues/detail?id=18

This is not OpenSSL's fault, it is a bug in x-chat.  OpenSSL has no
builtin list, but leaves the decision on what list should be used and
how to configure that list up to the application, in this case x-chat.

If you follow the links to other discussion(s) on the above
code.google.com page you will see that:

1. The x-chat project has already accepted this as a bug in x-chat.

2. The copy of OpenSSL built into x-chat for Windows has been
(stupidly) configured to look for the list of certificates in a silly
place ("C:\usr\local\ssl\cert\")

3. The x-chat code (unlike some other OpenSSL based applications) does
not ask the user what to do if the irc chat node has a certificate
signed by an unlisted (in the stupid location) CA (this includes any
self-signed nodes).  Other projects, such as Subversion, prompt the
user if he/she wants to trust that certificate "This time" or
"Permanently", and act accordingly.

4. To put the needed Windows default certificates in the silly place
where x-chat looks for certificates, "export" each of the trusted roots
listed by Windows into the silly location above, then use an
openssl.exe based on the same version of openssl as the DLL in x-chat
to compute the subdir name for each certificate (the name is a checksum
of parts of the certificate).  The x-chat project should really include
code to do this (or a similar action) in its installer, but until then
you will have to do it manually.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
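
The manual procedure in point 4 above, as an added PowerShell example (not
part of the original message and not x-chat or OpenSSL project code). The
openssl.exe path is an assumption, the directory is the one quoted in the
message, and files are written as <hash>.<n>, the naming OpenSSL's
hashed-directory lookup expects.

```powershell
# Added example: fill an OpenSSL hashed certificate directory from the
# Windows trusted-root store.
param(
    # Directory quoted in the message above.
    [string]$CertDir = 'C:\usr\local\ssl\cert',
    # Assumed path. Must be the same OpenSSL version as the DLL in x-chat:
    # the subject-hash algorithm changed between OpenSSL 0.9.8 and 1.0.0.
    [string]$OpenSsl = 'C:\OpenSSL\bin\openssl.exe'
)
if (-not (Test-Path $OpenSsl)) { throw "openssl.exe not found at $OpenSsl" }
New-Item -ItemType Directory -Force -Path $CertDir | Out-Null

$tmpDer = Join-Path $env:TEMP 'root-export.cer'
$tmpPem = Join-Path $env:TEMP 'root-export.pem'
$now    = Get-Date
$added  = 0

foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
    # Do not carry expired or not-yet-valid roots into the new trust list.
    if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) { continue }

    # "Export" the root as DER, then let openssl.exe write the PEM form.
    [System.IO.File]::WriteAllBytes($tmpDer, $cert.RawData)
    & $OpenSsl x509 -inform DER -in $tmpDer -outform PEM -out $tmpPem
    if ($LASTEXITCODE -ne 0) { Write-Warning "Skipped $($cert.Subject)"; continue }

    # The checksum of the subject name that becomes the file name.
    $hash = "$(& $OpenSsl x509 -noout -hash -in $tmpPem | Select-Object -First 1)".Trim()
    if ($hash -notmatch '^[0-9a-f]{8}$') { Write-Warning "No hash for $($cert.Subject)"; continue }

    # Different certificates can share a hash, so files are <hash>.0, <hash>.1, ...
    # A fingerprint comparison keeps re-runs from storing the same root twice.
    $fp = & $OpenSsl x509 -noout -fingerprint -in $tmpPem
    $n = 0; $duplicate = $false
    while (Test-Path (Join-Path $CertDir "$hash.$n")) {
        $existing = & $OpenSsl x509 -noout -fingerprint -in (Join-Path $CertDir "$hash.$n")
        if ($existing -eq $fp) { $duplicate = $true; break }
        $n++
    }
    if (-not $duplicate) { Copy-Item $tmpPem (Join-Path $CertDir "$hash.$n"); $added++ }
}
Remove-Item $tmpDer, $tmpPem -ErrorAction SilentlyContinue
"Added $added certificate(s) to $CertDir"
```

Everything copied into the directory becomes a trust anchor for the
application, so review the resulting files rather than treating the export
as a one-off.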
