xchat.org

[tallship]

Hi,

For some reason, I'm no longer able to connect to [some] IRC networks via SSL - Freenode being one of them. I'm able to connect via SSL in KvIRC and Irssi to the networks I can't in XChat, yet I can still connect with XChat to some networks via SSL.

Here's and example of what I'm getting when attempting to connect to Freenode via SSL:

Code: Select all

* Looking up chat.freenode.net
* Connecting to chat.freenode.net (78.40.125.4) port 7000...
* * Certification info:
*   Subject:
*     OU=Domain Control Validated
*     OU=Gandi Standard Wildcard SSL
*     CN=*.freenode.net
*   Issuer:
*     C=FR
*     O=GANDI SAS
*     CN=Gandi Standard SSL CA
*   Public key algorithm: rsaEncryption (2048 bits)
*   Sign algorithm sha1WithRSAEncryption
*   Valid since Jan 14 00:00:00 2011 GMT to Jan 14 23:59:59 2012 GMT
* * Cipher info:
*   Version: TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA (256 bits)
* Connection failed. Error: unable to get local issuer certificate.? (20)


I've seen a couple of people post that they could connect to servers once they checked the "Accept invalid SSL certificate", but this isn't working for me.

Thanks in advance for any assistance you can afford on this matter.

[tallship]

I tried several combinations of port numbers for freenode, such as the 9999 that irssi will use when you

Code: Select all

/connect -ssl chat.freenode.net


And don't provide any port numbers (yet it connects as +Z just fine anyway).

I tried 7070, and even 6667 w/o ssl, and it was bombing.

Eventually, I tried 6697, downloaded the root certs from CACert.org, ran the following:

Code: Select all

# c_rehash


restarted XChat, and voila! Everyone is playing nice in the sandbox again.

Okay, so does anyone have any idea what happened? How I can avoid this issue in the future, etc.?

Kindest regards,

Bradley
http://NorthTech.US

.

[peterz]

When you use "Accept invalid SSL certificate" it applies to only that one network and then you must use the Network List to connect (not the /server command). Does that help any?

[tallship]

Thanks Peter

It has helped some. This is why I've had intermittent problems with one network or another and everything doesn't usually all work together.

Thanks for pointing that out.

[Khisanth]

* Connection failed. Error: unable to get local issuer certificate.? (20)

Was due to the missing root certificate and the "Accept invalid SSL certificate" doesn't apply to that situation.

It DOES however affect it. The effect of having that option set is that you will be able to connect the first time but every reconnect will fail.

[tallship]

* Connection failed. Error: unable to get local issuer certificate.? (20)

Was due to the missing root certificate and the "Accept invalid SSL certificate" doesn't apply to that situation.

It DOES however affect it. The effect of having that option set is that you will be able to connect the first time but every reconnect will fail.

Oh man!

That completely explains EXACTLY what's happening. If I restart XChat, I can reconnect no problem.

Okay then, a couple of questions.

I should put the certs in /etc/ssl/certs/ right?

And if so, then I go to say, http://www.cacert.org/index.php?id=3 and http://www.geotrust.com/resources/root-certificates/ and install [some/all] of the certs there?

and then,

Code: Select all

# c_rehash

um...

My particular issue is with Freenode. So really, all I'm really interested in for the short term is to install a "root certificate" that will facilitate my [re]connections to freenode.net.

Any particular steps for to accomplish that particular goal?

Hey, and thank you so much for pointing this out for me. It doesn't actually solve my problem (yet), but it definately provides me with the understanding as to why this is happening.

And just for clarification, I should mention that my platform is Slackware64 and I'm using Xfce as a window manager That's prolly important since there's a Windows port of XChat too

[tallship]

Okay!

Looks like we have a solution

Here's the long of it: http://www.andrews-corner.org/irssi.html

And once I read that I simply did:

Code: Select all

# wget http://slackware.osuosl.org/slackware64-current/slackware64/n/ca-certificates-20090814-noarch-1.txz
# installpkg ca-certificates-20090814-noarch-1.txz


And I was done

I hope this helps the next someone that comes along

Kindest regards,


Bradley D. Thornton
http://NorthTech.EU

.