Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

weird certificate issue on libera.chat #72

Open
c-cube opened this issue May 28, 2021 · 2 comments
Open

weird certificate issue on libera.chat #72

c-cube opened this issue May 28, 2021 · 2 comments

Comments

@c-cube
Copy link

c-cube commented May 28, 2021
edited
Loading

Hi, I've had issues connecting some IRC bots recently from ocaml-irc-client. Trying the stelnet example on it is interesting:

$ dune exec examples/stelnet.exe -- irc.libera.chat -p 6697
SSL connection ok.   
Certificate issuer:  /C=US/O=Let's Encrypt/CN=R3
subject: /CN=strontium.libera.chat
Cipher: TLS_AES_256_GCM_SHA384 (TLSv1.3)
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD

Type 'exit' to quit.

:strontium.libera.chat NOTICE * :*** Checking Ident
:strontium.libera.chat NOTICE * :*** Looking up your hostname...

but with paranoid:

$ dune exec examples/stelnet.exe -- irc.libera.chat -p 6697 -w
Certificate[2] subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate[2] issuer =/O=Digital Signature Trust Co./CN=DST Root CA X3
SSL: rejecting connection - error=20
Fatal error: exception SSL connection() error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
@craff
Copy link
Contributor

craff commented May 17, 2023

I confirm I can reproduce.

May be this is related to Let's encrypt certificate not considered secure enough ?

@Firgeis
Copy link
Contributor

Firgeis commented Jul 30, 2023
edited
Loading

This is the same output from ssl (openssl s_client -connect irc.libera.chat:6697):

CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mercury.libera.chat
verify return:1
---
Certificate chain
 0 s:CN = mercury.libera.chat
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 24 06:40:56 2023 GMT; NotAfter: Oct 22 06:40:55 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT

I believe this is because of the cross-signed certificate it is using which is not entirely supported by OpenSSL, see:
https://security.stackexchange.com/questions/133221/how-to-properly-create-and-use-cross-signed-cas-and-certificates

One solution off the top of my head would be to eliminate one of the root certs from your trust store so it can build the certificate chain properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c-cube @craff @Firgeis