Unable to connect to IRC via SSL


Postby tallship » 03 Apr 2011 12:01

Hi,

For some reason, I'm no longer able to connect to [some] IRC networks via SSL - Freenode being one of them. I'm able to connect via SSL in KvIRC and Irssi to the networks I can't in XChat, yet I can still connect with XChat to some networks via SSL.

Here's an example of what I'm getting when attempting to connect to Freenode via SSL:

Code:
* Looking up chat.freenode.net
* Connecting to chat.freenode.net (78.40.125.4) port 7000...
* * Certification info:
*   Subject:
*     OU=Domain Control Validated
*     OU=Gandi Standard Wildcard SSL
*     CN=*.freenode.net
*   Issuer:
*     C=FR
*     O=GANDI SAS
*     CN=Gandi Standard SSL CA
*   Public key algorithm: rsaEncryption (2048 bits)
*   Sign algorithm sha1WithRSAEncryption
*   Valid since Jan 14 00:00:00 2011 GMT to Jan 14 23:59:59 2012 GMT
* * Cipher info:
*   Version: TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA (256 bits)
* Connection failed. Error: unable to get local issuer certificate.? (20)


I've seen a couple of people post that they could connect to servers once they checked the "Accept invalid SSL certificate", but this isn't working for me.

Thanks in advance for any assistance you can afford on this matter.
Registered Linux User #190795

- "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.
tallship
 
Posts: 5
Joined: 03 Apr 2011 11:54
Location: On the Beaches of Super Sunny Southern California USA

Re: Unable to connect to IRC via SSL

Postby tallship » 03 Apr 2011 23:33

I tried several combinations of port numbers for freenode, such as the 9999 that irssi will use when you

Code:
/connect -ssl chat.freenode.net


And don't provide any port numbers (yet it connects as +Z just fine anyway).

I tried 7070, and even 6667 w/o ssl, and it was bombing.

Eventually, I tried 6697, downloaded the root certs from CACert.org, ran the following:

Code:
# c_rehash


restarted XChat, and voila! Everyone is playing nice in the sandbox again.

Okay, so does anyone have any idea what happened? How I can avoid this issue in the future, etc.?

Kindest regards,

Bradley
http://NorthTech.US


Re: Unable to connect to IRC via SSL

Postby peterz » 04 Apr 2011 08:40

When you use "Accept invalid SSL certificate" it applies to only that one network and then you must use the Network List to connect (not the /server command). Does that help any?
peterz
 
Posts: 1035
Joined: 09 Jun 2004 13:51
Location: Australia

Re: Unable to connect to IRC via SSL

Postby tallship » 04 Apr 2011 11:30

Thanks Peter :)

It has helped some. This is why I've had intermittent problems with one network or another and everything doesn't usually all work together.

Thanks for pointing that out.

Re: Unable to connect to IRC via SSL

Postby Khisanth » 04 Apr 2011 20:00

* Connection failed. Error: unable to get local issuer certificate.? (20)

Was due to the missing root certificate and the "Accept invalid SSL certificate" doesn't apply to that situation.

It DOES however affect it. The effect of having that option set is that you will be able to connect the first time but every reconnect will fail.
Khisanth
 
Posts: 1724
Joined: 10 Jun 2004 05:23

Re: Unable to connect to IRC via SSL

Postby tallship » 04 Apr 2011 21:38

Khisanth wrote:
* Connection failed. Error: unable to get local issuer certificate.? (20)

Was due to the missing root certificate and the "Accept invalid SSL certificate" doesn't apply to that situation.

It DOES however affect it. The effect of having that option set is that you will be able to connect the first time but every reconnect will fail.


Oh man!

That completely explains EXACTLY what's happening. If I restart XChat, I can reconnect no problem.

Okay then, a couple of questions.

I should put the certs in /etc/ssl/certs/ right?

And if so, then I go to say, http://www.cacert.org/index.php?id=3 and http://www.geotrust.com/resources/root-certificates/ and install [some/all] of the certs there?

and then,

Code:
# c_rehash


um...

My particular issue is with Freenode. So really, all I'm really interested in for the short term is to install a "root certificate" that will facilitate my [re]connections to freenode.net.

Any particular steps to accomplish that particular goal?

Hey, and thank you so much for pointing this out for me. It doesn't actually solve my problem (yet), but it definitely provides me with the understanding as to why this is happening.

And just for clarification, I should mention that my platform is Slackware64 and I'm using Xfce as a window manager ;) That's prolly important since there's a Windows port of XChat too :)

Re: Unable to connect to IRC via SSL

Postby tallship » 05 Apr 2011 14:34

Okay!

Looks like we have a solution :)

Here's the long of it: http://www.andrews-corner.org/irssi.html

And once I read that I simply did:

Code:
# wget http://slackware.osuosl.org/slackware64-current/slackware64/n/ca-certificates-20090814-noarch-1.txz
# installpkg ca-certificates-20090814-noarch-1.txz


And I was done :)

I hope this helps the next someone that comes along

Kindest regards,


Bradley D. Thornton
http://NorthTech.EU
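
Added example, not part of any post in this thread: a shell reproduction of error 20 and of what c_rehash changes, using a throwaway CA and leaf certificate built with openssl. The names "Demo Root CA" and irc.example.test, the temporary directory standing in for /etc/ssl/certs, and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: error 20 appears when the issuer's root cannot be found in
# the hashed CA directory, and goes away once the <subject-hash>.0 link exists.

demo_setup() {  # $1 = work dir; builds a throwaway root CA and a leaf it signs
    mkdir -p "$1/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=irc.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

verdict() {  # $1 = work dir; verifies the leaf against $1/certs only
    out=$(openssl verify -CApath "$1/certs" "$1/leaf.pem" 2>&1) || true
    case $out in
        *"error 20"*) echo "error 20" ;;  # unable to get local issuer certificate
        *": OK"*)     echo "OK" ;;
        *)            echo "other: $out" ;;
    esac
}

rehash_dir() {  # minimal stand-in for c_rehash (no hash-collision handling)
    for pem in "$1"/certs/*.pem; do
        h=$(openssl x509 -subject_hash -noout -in "$pem")
        # OpenSSL looks roots up by file name <subject-hash>.<n>, not by content
        ln -sf "$(basename "$pem")" "$1/certs/$h.0"
    done
}

work=$(mktemp -d)
demo_setup "$work"
echo "empty CA directory:      $(verdict "$work")"
cp "$work/ca.pem" "$work/certs/demo-root.pem"
echo "root copied, no rehash:  $(verdict "$work")"
rehash_dir "$work"
echo "after hash link created: $(verdict "$work")"
rm -rf "$work"
```

Copying the root into the directory is not enough on its own; verification only succeeds once the hash-named link is present, which is the step c_rehash performs.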