URL:
<http://savannah.nongnu.org/bugs/?30316>
Summary: sending client cert does not work
Project: WeeChat
Submitted by: ataraxia
Submitted on: Thu 01 Jul 2010 06:19:17 PM GMT
Category: irc plugin
Severity: 3 - Normal
Item Group: irc protocol
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: 0.3.2
IRC nick: ataraxia
_______________________________________________________
Details:
(In addition to this writeup, see
http://bbs.archlinux.org/viewtopic.php?pid=784740 for a couple of other users
who reproduced this.)
I'm following the weechat instructions here:
http://www.weechat.org/files/doc/stable … rtificates and also looking at
OFTC's doc here: http://www.oftc.net/oftc/NickServ/CertFP
Verification via CA works fine (observe the 3rd line down):
Code:
20:12:26 oftc | irc: connecting to server irc.oftc.net/6697 (SSL)...
20:12:26 oftc | gnutls: connected using 2048-bit Diffie-Hellman
shared secret exchange
20:12:26 oftc | gnutls: peer's certificate is trusted
20:12:26 oftc | gnutls: receiving 4 certificates
20:12:26 oftc | - certificate[1] info:
20:12:26 oftc | - subject `CN=oxygen.oftc.net', issuer `O=Open and
Free Technology Community,OU=certification authority for
irc,CN=irc.ca.oftc.net,[email protected]', RSA key 2048 bits, signed
using RSA-SHA, activated
| `2009-08-07 14:31:48 UTC', expires `2010-08-07
14:31:48 UTC', SHA-1 fingerprint `852cb9bbab6ae5c5c3d4a745e255b175006e7314'
20:12:26 oftc | - certificate[2] info:
20:12:26 oftc | - subject `O=Open and Free Technology
Community,OU=certification authority for
irc,CN=irc.ca.oftc.net,[email protected]', issuer `O=Open and Free
Technology Community,OU=Certification
| Authority,CN=ca.oftc.net,[email protected]', RSA
key 2048 bits, signed using RSA-SHA, activated `2008-05-25 00:10:59 UTC',
expires `2013-05-24 00:10:59 UTC', SHA-1 fingerprint
| `e45b2de35faec3e999209e34f7ce4c05b6adb73c'
20:12:26 oftc | - certificate[3] info:
20:12:26 oftc | - subject `O=Open and Free Technology
Community,OU=Certification Authority,CN=ca.oftc.net,[email protected]',
issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
| Interest,OU=hostmaster,CN=Certificate
Authority,[email protected]', RSA key 2048 bits, signed using
RSA-SHA, activated `2008-05-24 23:53:25 UTC', expires `2013-05-23 23:53:25
UTC', SHA-1 fingerprint
| `27361360dd639f5ee74b07468345516fc0f052f1'
20:12:26 oftc | - certificate[4] info:
20:12:26 oftc | - subject
`C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate Authority,[email protected]',
issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
| Interest,OU=hostmaster,CN=Certificate
Authority,[email protected]', RSA key 4096 bits, signed using
RSA-SHA, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56
UTC', SHA-1 fingerprint
| `af70884383820215cd61c6bcecfd3724a990431c'
But then, when weechat tries to use my cert and key to do mutual auth, it
fails. Notice that it claims to find a cert with the same subject as OFTC's CA
in my client.pem file, which is nonsense:
Code:
20:12:26 oftc | gnutls: sending one certificate
20:12:26 oftc | - client certificate info
(/home/ataraxia/.weechat/ssl/client.pem):
20:12:26 oftc | - subject
`C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate Authority,[email protected]',
issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
| Interest,OU=hostmaster,CN=Certificate
Authority,[email protected]', RSA key 4096 bits, signed using
RSA-SHA, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56
UTC', SHA-1 fingerprint
| `af70884383820215cd61c6bcecfd3724a990431c'
20:12:26 oftc =!= | irc: TLS handshake failed
20:12:26 oftc =!= | irc: error: Insufficient credentials for that
request.
I've double- and triple-checked that the contents of client.pem (MY cert and
key, and nothing to do with OFTC or SPI) are correct.
What is going on here? Is weechat really using the wrong creds to
authenticate me? (If that's so, at least it explains the "Insufficient
credentials" error, as of course I don't have the key for SPI's CA.)
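One way to confirm the symptom described in this report from a saved log, as an added example that is not part of the original report or of WeeChat's code: it compares the SHA-1 fingerprint logged for the client certificate with the fingerprints of the server chain. The function names are hypothetical, and the sample log is constructed by abridging the lines quoted in the report.

```python
import re

# Helper names are hypothetical; only the log format comes from the report.
# Strips WeeChat's "HH:MM:SS buffer | " prefix and bare "| " continuation markers.
PREFIX = re.compile(r"^\s*(?:\d{2}:\d{2}:\d{2}\s+\S+\s+(?:=!=\s+)?)?\|\s?")
TOKEN = re.compile(
    r"certificate\[(?P<idx>\d+)\] info:"
    r"|(?P<client>client certificate info)"
    r"|SHA-1\s+fingerprint\s*`(?P<fp>[0-9a-f]{40})'"
)

def parse_fingerprints(log_text):
    """Return ({chain_index: sha1}, client_sha1_or_None) from a gnutls log."""
    # Re-join wrapped lines so a fingerprint split from its label still matches.
    flat = " ".join(PREFIX.sub("", line) for line in log_text.splitlines())
    server, client, current = {}, None, None
    for m in TOKEN.finditer(flat):
        if m.group("idx"):
            current = int(m.group("idx"))
        elif m.group("client"):
            current = "client"
        elif current == "client":
            client = m.group("fp")
        elif current is not None:
            server[current] = m.group("fp")
    return server, client

def chain_entries_sent_as_client(log_text):
    """Chain positions whose fingerprint equals the logged client certificate."""
    server, client = parse_fingerprints(log_text)
    return sorted(i for i, fp in server.items() if fp == client)

# Constructed sample: abridged from the log in the report (subjects shortened).
SAMPLE_LOG = """\
20:12:26 oftc | gnutls: receiving 4 certificates
20:12:26 oftc | - certificate[1] info:
20:12:26 oftc | - subject `CN=oxygen.oftc.net', SHA-1 fingerprint `852cb9bbab6ae5c5c3d4a745e255b175006e7314'
20:12:26 oftc | - certificate[4] info:
20:12:26 oftc | - subject `CN=Certificate Authority', SHA-1 fingerprint
 | `af70884383820215cd61c6bcecfd3724a990431c'
20:12:26 oftc | gnutls: sending one certificate
20:12:26 oftc | - client certificate info (/home/ataraxia/.weechat/ssl/client.pem):
20:12:26 oftc | - subject `CN=Certificate Authority', SHA-1 fingerprint
 | `af70884383820215cd61c6bcecfd3724a990431c'
20:12:26 oftc =!= | irc: TLS handshake failed
"""

if __name__ == "__main__":
    print(chain_entries_sent_as_client(SAMPLE_LOG))
```

A non-empty result means the certificate logged as the client's is byte-for-byte one of the server's chain entries, which is the mismatch the reporter describes.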