Bug#691895: weechat-curses: certificate verification fails
On 1 November 2012 15:48, Sebastien Helleu flashc...@flashtux.org wrote:
> On Thu, Nov 01, 2012 at 12:22:44PM +0100, Michal Suchanek wrote:
> > Hello,
> >
> > On 1 November 2012 11:50, Emmanuel Bouthenot kol...@openics.org wrote:
> > > What about the result of the following command in weechat?
> > >
> > > weechat# /set *ssl_*
> >
> > I have these settings:
> >
> > 12:20:37 weechat | [network] (relay.conf)
> > 12:20:37 weechat | relay.network.ssl_cert_key = %h/ssl/relay.pem
> > 12:20:37 weechat |
> > 12:20:37 weechat | [server_default] (irc.conf)
> > 12:20:37 weechat | irc.server_default.ssl_cert =
> > 12:20:37 weechat | irc.server_default.ssl_dhkey_size = 2048
> > 12:20:37 weechat | irc.server_default.ssl_priorities = NORMAL
> > 12:20:37 weechat | irc.server_default.ssl_verify = on
> > 12:20:37 weechat |
> >
> > Thanks
> >
> > Michal
>
> Hi Michal,
>
> And what is the value of option weechat.network.gnutls_ca_file ?
> Is it set to /etc/ssl/certs/ca-certificates.crt (which is the default value) ?

I have weechat.network.gnutls_ca_file = %h/ssl/CAs.pem

I do not know where that value comes from. Probably some very old default.

Resetting that value fixes the problem,

Thanks

Michal
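Added example, not part of the original thread or of WeeChat: a check for the misconfiguration resolved above, reporting which CA bundle `weechat.network.gnutls_ca_file` actually points to and how many certificates it holds. It assumes the on-disk `weechat.conf` layout (`[network]` section, `gnutls_ca_file = "..."`) and that `%h` expands to the WeeChat home directory; the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # default named in the thread
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def read_ca_option(conf_path):
    """Return the raw gnutls_ca_file value from [network], or None if absent."""
    section = None
    with open(conf_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            header = re.fullmatch(r"\[(\w+)\]", line)
            if header:
                section = header.group(1)
                continue
            key, sep, value = line.partition("=")
            if sep and section == "network" and key.strip() == "gnutls_ca_file":
                return value.strip().strip('"')
    return None

def audit_ca_file(conf_path, weechat_home):
    """Resolve %h (assumed: WeeChat home) and describe the trust anchors in use."""
    raw = read_ca_option(conf_path)
    if raw is None:
        return {"status": "unset", "path": None, "certs": 0}
    path = raw.replace("%h", weechat_home)
    if not os.path.isfile(path):
        return {"status": "missing", "path": path, "certs": 0}
    with open(path, encoding="utf-8", errors="replace") as fh:
        certs = fh.read().count(PEM_BEGIN)
    if certs == 0:
        return {"status": "empty", "path": path, "certs": 0}
    # "custom" loads fine but is not the distribution-maintained bundle.
    status = "system" if path == SYSTEM_BUNDLE else "custom"
    return {"status": status, "path": path, "certs": certs}

def demo():
    """Constructed sample: a home directory holding a one-entry CAs.pem."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "ssl"))
    with open(os.path.join(home, "ssl", "CAs.pem"), "w") as fh:
        fh.write(PEM_BEGIN + "\n(placeholder)\n-----END CERTIFICATE-----\n")
    conf = os.path.join(home, "weechat.conf")
    with open(conf, "w") as fh:
        fh.write('[network]\ngnutls_ca_file = "%h/ssl/CAs.pem"\n')
    return audit_ca_file(conf, home)
```

A `missing`, `empty` or `custom` result matches the situation in this report, where the standalone test program loaded 142 certificates from the system bundle while the client was reading a different file.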
Bug#691895: weechat-curses: certificate verification fails
On Wed, Oct 31, 2012 at 12:43:38AM +0100, Michal Suchanek wrote:
> Package: weechat-curses
> Version: 0.3.9-1
> Severity: normal

[...]

> weechat fails:
>
> 23:29:57 oftc -- | irc: reconnecting to server...
> 23:29:57 oftc -- | irc: connecting to server irc.oftc.net/6697 (SSL) via socks5 proxy 10.10.10.11/9050...
> 23:30:02 oftc -- | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange
> 23:30:02 oftc =!= | gnutls: peer's certificate is NOT trusted
> 23:30:02 oftc =!= | gnutls: peer's certificate issuer is unknown
> 23:30:02 oftc -- | gnutls: receiving 4 certificates

[...]

It works fine for me with a setup very close to yours:

11:42:06 oftc -- | irc: connecting to server irc.oftc.net/6697 (SSL) via socks5 proxy 127.0.0.1/...
11:42:06 oftc -- | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange
11:42:07 oftc -- | gnutls: peer's certificate is trusted
11:42:07 oftc -- | gnutls: receiving 4 certificates
11:42:07 oftc -- | - certificate[1] info:
11:42:07 oftc -- |- subject `CN=kinetic.oftc.net', issuer `O=Open and Free Technology Community,OU=certification authority for irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-10-03 19:44:39 UTC', expires `2013-10-03 19:44:39 UTC', SHA-1 fingerprint
                 | `bd06ae699d8602a0af92f81d11d900c77fc062a4'
11:42:07 oftc -- | - certificate[2] info:
11:42:07 oftc -- |- subject `O=Open and Free Technology Community,OU=certification authority for irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', issuer `O=Open and Free Technology Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits, signed using RSA-SHA1, activated
                 | `2008-05-25 00:10:59 UTC', expires `2013-05-24 00:10:59 UTC', SHA-1 fingerprint `e45b2de35faec3e999209e34f7ce4c05b6adb73c'
11:42:07 oftc -- | - certificate[3] info:
11:42:07 oftc -- |- subject `O=Open and Free Technology Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', RSA key 2048 bits, signed using
                 | RSA-SHA1, activated `2008-05-24 23:53:25 UTC', expires `2013-05-23 23:53:25 UTC', SHA-1 fingerprint `27361360dd639f5ee74b07468345516fc0f052f1'
11:42:07 oftc -- | - certificate[4] info:
11:42:07 oftc -- |- subject `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', RSA
                 | key 4096 bits, signed using RSA-SHA1, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56 UTC', SHA-1 fingerprint `af70884383820215cd61c6bcecfd3724a990431c'
11:42:07 oftc -- | irc: connected to irc.oftc.net/6697 (?)

What about the result of the following command in weechat?

weechat# /set *ssl_*

Regards,

--
Emmanuel Bouthenot
  mail: kolter@{openics,debian}.org    gpg: 4096R/0x929D42C3
  xmpp: kol...@im.openics.org    irc: kolter@{freenode,oftc}
Bug#691895: weechat-curses: certificate verification fails
Hello,

On 1 November 2012 11:50, Emmanuel Bouthenot kol...@openics.org wrote:
> What about the result of the following command in weechat?
>
> weechat# /set *ssl_*

I have these settings:

12:20:37 weechat | [network] (relay.conf)
12:20:37 weechat | relay.network.ssl_cert_key = %h/ssl/relay.pem
12:20:37 weechat |
12:20:37 weechat | [server_default] (irc.conf)
12:20:37 weechat | irc.server_default.ssl_cert =
12:20:37 weechat | irc.server_default.ssl_dhkey_size = 2048
12:20:37 weechat | irc.server_default.ssl_priorities = NORMAL
12:20:37 weechat | irc.server_default.ssl_verify = on
12:20:37 weechat |

Thanks

Michal
Bug#691895: weechat-curses: certificate verification fails
On Thu, Nov 01, 2012 at 12:22:44PM +0100, Michal Suchanek wrote:
> Hello,
>
> On 1 November 2012 11:50, Emmanuel Bouthenot kol...@openics.org wrote:
> > What about the result of the following command in weechat?
> >
> > weechat# /set *ssl_*
>
> I have these settings:
>
> 12:20:37 weechat | [network] (relay.conf)
> 12:20:37 weechat | relay.network.ssl_cert_key = %h/ssl/relay.pem
> 12:20:37 weechat |
> 12:20:37 weechat | [server_default] (irc.conf)
> 12:20:37 weechat | irc.server_default.ssl_cert =
> 12:20:37 weechat | irc.server_default.ssl_dhkey_size = 2048
> 12:20:37 weechat | irc.server_default.ssl_priorities = NORMAL
> 12:20:37 weechat | irc.server_default.ssl_verify = on
> 12:20:37 weechat |
>
> Thanks
>
> Michal

Hi Michal,

And what is the value of option weechat.network.gnutls_ca_file ?
Is it set to /etc/ssl/certs/ca-certificates.crt (which is the default value) ?

--
Cordialement / Best regards
Sébastien.

web: flashtux.org / weechat.org    mail: flashc...@flashtux.org
irc: FlashCode @ irc.freenode.net    xmpp: flashc...@jabber.fr
Bug#691895: weechat-curses: certificate verification fails
Package: weechat-curses
Version: 0.3.9-1
Severity: normal

Hello,

I don't really see where and how weechat verifies the certificate.

A test program succeeds:

142 certificates loaded from /etc/ssl/certs/ca-certificates.crt
Connected to irc.oftc.net:6697
subject `CN=kilo.oftc.net', issuer `O=Open and Free Technology Community,OU=certification authority for irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-06-06 14:12:07 UTC', expires `2013-06-06 14:12:07 UTC', SHA-1 fingerprint `e900dd5d9fcb274b4816ce418f22fb6efc73caab'
subject `O=Open and Free Technology Community,OU=certification authority for irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', issuer `O=Open and Free Technology Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits, signed using RSA-SHA1, activated `2008-05-25 00:10:59 UTC', expires `2013-05-24 00:10:59 UTC', SHA-1 fingerprint `e45b2de35faec3e999209e34f7ce4c05b6adb73c'
subject `O=Open and Free Technology Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', RSA key 2048 bits, signed using RSA-SHA1, activated `2008-05-24 23:53:25 UTC', expires `2013-05-23 23:53:25 UTC', SHA-1 fingerprint `27361360dd639f5ee74b07468345516fc0f052f1'
subject `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', RSA key 4096 bits, signed using RSA-SHA1, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56 UTC', SHA-1 fingerprint `af70884383820215cd61c6bcecfd3724a990431c'
Connected.

weechat fails:

23:29:57 oftc -- | irc: reconnecting to server...
23:29:57 oftc -- | irc: connecting to server irc.oftc.net/6697 (SSL) via socks5 proxy 10.10.10.11/9050...
23:30:02 oftc -- | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange
23:30:02 oftc =!= | gnutls: peer's certificate is NOT trusted
23:30:02 oftc =!= | gnutls: peer's certificate issuer is unknown
23:30:02 oftc -- | gnutls: receiving 4 certificates
23:30:02 oftc -- | - certificate[1] info:
23:30:02 oftc -- |- subject `CN=kilo.oftc.net', issuer `O=Open and Free Technology Community,OU=certification authority for
                 | irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-06-06 14:12:07 UTC',
                 | expires `2013-06-06 14:12:07 UTC', SHA-1 fingerprint `e900dd5d9fcb274b4816ce418f22fb6efc73caab'
23:30:02 oftc -- | - certificate[2] info:
23:30:02 oftc -- |- subject `O=Open and Free Technology Community,OU=certification authority for irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net',
                 | issuer `O=Open and Free Technology Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits,
                 | signed using RSA-SHA1, activated `2008-05-25 00:10:59 UTC', expires `2013-05-24 00:10:59 UTC', SHA-1 fingerprint
                 | `e45b2de35faec3e999209e34f7ce4c05b6adb73c'
23:30:02 oftc -- | - certificate[3] info:
23:30:02 oftc -- |- subject `O=Open and Free Technology Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', issuer
                 | `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate
                 | Authority,EMAIL=hostmas...@spi-inc.org', RSA key 2048 bits, signed using RSA-SHA1, activated `2008-05-24 23:53:25 UTC', expires
                 | `2013-05-23 23:53:25 UTC', SHA-1 fingerprint `27361360dd639f5ee74b07468345516fc0f052f1'
23:30:02 oftc -- | - certificate[4] info:
23:30:02 oftc -- |- subject `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate
                 | Authority,EMAIL=hostmas...@spi-inc.org', issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
                 | Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', RSA key 4096 bits, signed using RSA-SHA1, activated
                 | `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56 UTC', SHA-1 fingerprint `af70884383820215cd61c6bcecfd3724a990431c'
23:30:03 oftc -- | irc: connected to irc.oftc.net/6697 (?)

-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing'), (400, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash