Bug#691895: weechat-curses: certificate verification fails

2012-11-02 Thread Michal Suchanek
On 1 November 2012 15:48, Sebastien Helleu flashc...@flashtux.org wrote:
> On Thu, Nov 01, 2012 at 12:22:44PM +0100, Michal Suchanek wrote:
>> Hello,
>>
>> On 1 November 2012 11:50, Emmanuel Bouthenot kol...@openics.org wrote:
>>
>>> What about the result of the following command in weechat?
>>>
>>> weechat# /set *ssl_*
>>
>> I have these settings:
>>
>> 12:20:37  weechat | [network] (relay.conf)
>> 12:20:37  weechat |   relay.network.ssl_cert_key = %h/ssl/relay.pem
>> 12:20:37  weechat |
>> 12:20:37  weechat | [server_default] (irc.conf)
>> 12:20:37  weechat |   irc.server_default.ssl_cert = 
>> 12:20:37  weechat |   irc.server_default.ssl_dhkey_size = 2048
>> 12:20:37  weechat |   irc.server_default.ssl_priorities = NORMAL
>> 12:20:37  weechat |   irc.server_default.ssl_verify = on
>> 12:20:37  weechat |
>>
>> Thanks
>>
>> Michal
>
> Hi Michal,
>
> And what is the value of option weechat.network.gnutls_ca_file ?
> Is it set to /etc/ssl/certs/ca-certificates.crt (which is default
> value) ?


I have

weechat.network.gnutls_ca_file = %h/ssl/CAs.pem

I do not know where that value comes from. Probably some very old default.

Resetting that value fixes the problem,

Thanks

Michal


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
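
The resolution above was a stale `weechat.network.gnutls_ca_file` value. As an added example (not part of the thread and not WeeChat's own code), this Python script resolves that option the way the thread describes it and reports whether it differs from the default, points at a missing file, or points at a file with no PEM certificates. Assumptions: the option is stored in the `[network]` section of `weechat.conf` in the WeeChat home directory, a leading `%h` stands for that directory, and all function names are hypothetical.

```python
import os
import re
import tempfile

SYSTEM_CA = "/etc/ssl/certs/ca-certificates.crt"  # default value named in the thread

def read_option(conf_text, section, name):
    """Value of `name` inside `[section]` of a weechat-style .conf, else None."""
    current = None
    for line in conf_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == name:
                return value.strip().strip('"')
    return None

def count_pem_certs(path):
    """Number of PEM certificate blocks in `path`; 0 if it cannot be read."""
    try:
        with open(path, errors="replace") as fh:
            return fh.read().count("-----BEGIN CERTIFICATE-----")
    except OSError:
        return 0

def audit_ca_file(weechat_home, default=SYSTEM_CA):
    """Resolve gnutls_ca_file and list reasons it may not anchor verification."""
    with open(os.path.join(weechat_home, "weechat.conf")) as fh:
        raw = read_option(fh.read(), "network", "gnutls_ca_file")
    raw = default if raw is None else raw  # option absent: assume the default
    path = raw.replace("%h", weechat_home, 1) if raw.startswith("%h") else raw
    certs = count_pem_certs(path)
    findings = ["non-default"] if raw != default else []
    if not os.path.exists(path):
        findings.append("missing")
    elif certs == 0:
        findings.append("no-certificates")
    return {"option": raw, "path": path, "certs": certs, "findings": findings}

if __name__ == "__main__":
    # Constructed config reproducing the value reported in this message.
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, "weechat.conf"), "w") as fh:
            fh.write('[network]\ngnutls_ca_file = "%h/ssl/CAs.pem"\n')
        print(audit_ca_file(home))
```

A clean result only shows that the bundle is present and non-empty; it does not show that the bundle contains the issuer of a particular server's chain.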



Bug#691895: weechat-curses: certificate verification fails

2012-11-01 Thread Emmanuel Bouthenot

On Wed, Oct 31, 2012 at 12:43:38AM +0100, Michal Suchanek wrote:
> Package: weechat-curses
> Version: 0.3.9-1
> Severity: normal
[...]

> weechat fails:
>
> 23:29:57 oftc  -- | irc: reconnecting to server...
> 23:29:57 oftc  -- | irc: connecting to server irc.oftc.net/6697 (SSL) via 
> socks5 proxy 10.10.10.11/9050...
> 23:30:02 oftc  -- | gnutls: connected using 2048-bit Diffie-Hellman 
> shared secret exchange
> 23:30:02 oftc =!= | gnutls: peer's certificate is NOT trusted
> 23:30:02 oftc =!= | gnutls: peer's certificate issuer is unknown
> 23:30:02 oftc  -- | gnutls: receiving 4 certificates
[...]

It works fine for me with a setup very close to yours:

11:42:06 oftc  -- | irc: connecting to server irc.oftc.net/6697 (SSL) via 
socks5 proxy 127.0.0.1/...
11:42:06 oftc  -- | gnutls: connected using 2048-bit Diffie-Hellman shared 
secret exchange
11:42:07 oftc  -- | gnutls: peer's certificate is trusted
11:42:07 oftc  -- | gnutls: receiving 4 certificates
11:42:07 oftc  -- |  - certificate[1] info:
11:42:07 oftc  -- |    - subject `CN=kinetic.oftc.net', issuer `O=Open and 
Free Technology Community,OU=certification authority for 
irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits, signed using 
RSA-SHA1, activated `2012-10-03 19:44:39 UTC', expires `2013-10-03 19:44:39 
UTC', SHA-1 fingerprint
 | `bd06ae699d8602a0af92f81d11d900c77fc062a4'
11:42:07 oftc  -- |  - certificate[2] info:
11:42:07 oftc  -- |    - subject `O=Open and Free Technology 
Community,OU=certification authority for 
irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', issuer `O=Open and Free 
Technology Community,OU=Certification 
Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits, signed 
using RSA-SHA1, activated
 | `2008-05-25 00:10:59 UTC', expires `2013-05-24 00:10:59 
UTC', SHA-1 fingerprint `e45b2de35faec3e999209e34f7ce4c05b6adb73c'
11:42:07 oftc  -- |  - certificate[3] info:
11:42:07 oftc  -- |    - subject `O=Open and Free Technology 
Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', 
issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public 
Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', 
RSA key 2048 bits, signed using
 | RSA-SHA1, activated `2008-05-24 23:53:25 UTC', expires 
`2013-05-23 23:53:25 UTC', SHA-1 fingerprint 
`27361360dd639f5ee74b07468345516fc0f052f1'
11:42:07 oftc  -- |  - certificate[4] info:
11:42:07 oftc  -- |    - subject `C=US,ST=Indiana,L=Indianapolis,O=Software 
in the Public Interest,OU=hostmaster,CN=Certificate 
Authority,EMAIL=hostmas...@spi-inc.org', issuer 
`C=US,ST=Indiana,L=Indianapolis,O=Software in the Public 
Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', 
RSA
 | key 4096 bits, signed using RSA-SHA1, activated 
`2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56 UTC', SHA-1 fingerprint 
`af70884383820215cd61c6bcecfd3724a990431c'
11:42:07 oftc  -- | irc: connected to irc.oftc.net/6697 (?)


What about the result of the following command in weechat?

weechat# /set *ssl_*


Regards,

-- 
Emmanuel Bouthenot
  mail: kolter@{openics,debian}.org    gpg: 4096R/0x929D42C3
  xmpp: kol...@im.openics.org          irc: kolter@{freenode,oftc}





Bug#691895: weechat-curses: certificate verification fails

2012-11-01 Thread Michal Suchanek
Hello,

On 1 November 2012 11:50, Emmanuel Bouthenot kol...@openics.org wrote:


> What about the result of the following command in weechat?
>
> weechat# /set *ssl_*


I have these settings:

12:20:37  weechat | [network] (relay.conf)
12:20:37  weechat |   relay.network.ssl_cert_key = %h/ssl/relay.pem
12:20:37  weechat |
12:20:37  weechat | [server_default] (irc.conf)
12:20:37  weechat |   irc.server_default.ssl_cert = 
12:20:37  weechat |   irc.server_default.ssl_dhkey_size = 2048
12:20:37  weechat |   irc.server_default.ssl_priorities = NORMAL
12:20:37  weechat |   irc.server_default.ssl_verify = on
12:20:37  weechat |

Thanks

Michal





Bug#691895: weechat-curses: certificate verification fails

2012-11-01 Thread Sebastien Helleu
On Thu, Nov 01, 2012 at 12:22:44PM +0100, Michal Suchanek wrote:
> Hello,
>
> On 1 November 2012 11:50, Emmanuel Bouthenot kol...@openics.org wrote:
>
>> What about the result of the following command in weechat?
>>
>> weechat# /set *ssl_*
>
> I have these settings:
>
> 12:20:37  weechat | [network] (relay.conf)
> 12:20:37  weechat |   relay.network.ssl_cert_key = %h/ssl/relay.pem
> 12:20:37  weechat |
> 12:20:37  weechat | [server_default] (irc.conf)
> 12:20:37  weechat |   irc.server_default.ssl_cert = 
> 12:20:37  weechat |   irc.server_default.ssl_dhkey_size = 2048
> 12:20:37  weechat |   irc.server_default.ssl_priorities = NORMAL
> 12:20:37  weechat |   irc.server_default.ssl_verify = on
> 12:20:37  weechat |
>
> Thanks
>
> Michal

Hi Michal,

And what is the value of option weechat.network.gnutls_ca_file ?
Is it set to /etc/ssl/certs/ca-certificates.crt (which is default
value) ?

-- 
Cordialement / Best regards
Sébastien.

web: flashtux.org / weechat.org      mail: flashc...@flashtux.org
irc: FlashCode @ irc.freenode.net    xmpp: flashc...@jabber.fr





Bug#691895: weechat-curses: certificate verification fails

2012-10-30 Thread Michal Suchanek
Package: weechat-curses
Version: 0.3.9-1
Severity: normal

Hello,

I don't really see where and how weechat verifies the certificate.
A test program succeeds:

142 certificates loaded from /etc/ssl/certs/ca-certificates.crt
Connected to irc.oftc.net:6697
subject `CN=kilo.oftc.net', issuer `O=Open and Free Technology
Community,OU=certification authority for
irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits,
signed using RSA-SHA1, activated `2012-06-06 14:12:07 UTC', expires
`2013-06-06 14:12:07 UTC', SHA-1 fingerprint
`e900dd5d9fcb274b4816ce418f22fb6efc73caab'
subject `O=Open and Free Technology Community,OU=certification authority
for irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', issuer `O=Open and
Free Technology Community,OU=Certification
Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 2048 bits,
signed using RSA-SHA1, activated `2008-05-25 00:10:59 UTC', expires
`2013-05-24 00:10:59 UTC', SHA-1 fingerprint
`e45b2de35faec3e999209e34f7ce4c05b6adb73c'
subject `O=Open and Free Technology Community,OU=Certification
Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', issuer
`C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate
Authority,EMAIL=hostmas...@spi-inc.org', RSA key 2048 bits, signed using
RSA-SHA1, activated `2008-05-24 23:53:25 UTC', expires `2013-05-23
23:53:25 UTC', SHA-1 fingerprint
`27361360dd639f5ee74b07468345516fc0f052f1'
subject `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate
Authority,EMAIL=hostmas...@spi-inc.org', issuer
`C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate
Authority,EMAIL=hostmas...@spi-inc.org', RSA key 4096 bits, signed using
RSA-SHA1, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11
08:07:56 UTC', SHA-1 fingerprint
`af70884383820215cd61c6bcecfd3724a990431c'
Connected.

weechat fails:

23:29:57 oftc  -- | irc: reconnecting to server...
23:29:57 oftc  -- | irc: connecting to server irc.oftc.net/6697 (SSL) via 
socks5 proxy 10.10.10.11/9050...
23:30:02 oftc  -- | gnutls: connected using 2048-bit Diffie-Hellman shared 
secret exchange
23:30:02 oftc =!= | gnutls: peer's certificate is NOT trusted
23:30:02 oftc =!= | gnutls: peer's certificate issuer is unknown
23:30:02 oftc  -- | gnutls: receiving 4 certificates
23:30:02 oftc  -- |  - certificate[1] info:
23:30:02 oftc  -- |- subject `CN=kilo.oftc.net', issuer `O=Open and 
Free Technology Community,OU=certification authority for
  | irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net', RSA key 
2048 bits, signed using RSA-SHA1, activated `2012-06-06 14:12:07 UTC',
  | expires `2013-06-06 14:12:07 UTC', SHA-1 fingerprint 
`e900dd5d9fcb274b4816ce418f22fb6efc73caab'
23:30:02 oftc  -- |  - certificate[2] info:
23:30:02 oftc  -- |- subject `O=Open and Free Technology 
Community,OU=certification authority for 
irc,CN=irc.ca.oftc.net,EMAIL=supp...@oftc.net',
  | issuer `O=Open and Free Technology 
Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', 
RSA key 2048 bits,
  | signed using RSA-SHA1, activated `2008-05-25 00:10:59 
UTC', expires `2013-05-24 00:10:59 UTC', SHA-1 fingerprint
  | `e45b2de35faec3e999209e34f7ce4c05b6adb73c'
23:30:02 oftc  -- |  - certificate[3] info:
23:30:02 oftc  -- |- subject `O=Open and Free Technology 
Community,OU=Certification Authority,CN=ca.oftc.net,EMAIL=supp...@oftc.net', 
issuer
  | `C=US,ST=Indiana,L=Indianapolis,O=Software in the 
Public Interest,OU=hostmaster,CN=Certificate
  | Authority,EMAIL=hostmas...@spi-inc.org', RSA key 2048 
bits, signed using RSA-SHA1, activated `2008-05-24 23:53:25 UTC', expires
  | `2013-05-23 23:53:25 UTC', SHA-1 fingerprint 
`27361360dd639f5ee74b07468345516fc0f052f1'
23:30:02 oftc  -- |  - certificate[4] info:
23:30:02 oftc  -- |- subject `C=US,ST=Indiana,L=Indianapolis,O=Software 
in the Public Interest,OU=hostmaster,CN=Certificate
  | Authority,EMAIL=hostmas...@spi-inc.org', issuer 
`C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
  | Interest,OU=hostmaster,CN=Certificate 
Authority,EMAIL=hostmas...@spi-inc.org', RSA key 4096 bits, signed using 
RSA-SHA1, activated
  | `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56 
UTC', SHA-1 fingerprint `af70884383820215cd61c6bcecfd3724a990431c'
23:30:03 oftc  -- | irc: connected to irc.oftc.net/6697 (?)


-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing'), (400, 'unstable'), (200, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash