[Weechat-dev] [bug #30316] sending client cert does not work


From: Ray Kohler
Subject: [Weechat-dev] [bug #30316] sending client cert does not work
Date: Thu, 01 Jul 2010 18:19:18 +0000
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.6) Gecko/20100627 Firefox/3.6.6

URL:
  <http://savannah.nongnu.org/bugs/?30316>

                 Summary: sending client cert does not work
                 Project: WeeChat
            Submitted by: ataraxia
            Submitted on: Thu 01 Jul 2010 06:19:17 PM GMT
                Category: irc plugin
                Severity: 3 - Normal
              Item Group: irc protocol
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 0.3.2
                IRC nick: ataraxia

    _______________________________________________________

Details:

(In addition to this writeup, see
http://bbs.archlinux.org/viewtopic.php?pid=784740 for a couple of other users
who reproduced this.)

I'm following the weechat instructions here:
http://www.weechat.org/files/doc/stable … rtificates and also looking at
OFTC's doc here: http://www.oftc.net/oftc/NickServ/CertFP

Verification via CA works fine (observe the 3rd line down):
Code:

20:12:26     oftc     | irc: connecting to server irc.oftc.net/6697 (SSL)...
20:12:26     oftc     | gnutls: connected using 2048-bit Diffie-Hellman
shared secret exchange
20:12:26     oftc     | gnutls: peer's certificate is trusted
20:12:26     oftc     | gnutls: receiving 4 certificates
20:12:26     oftc     |  - certificate[1] info:
20:12:26     oftc     |    - subject `CN=oxygen.oftc.net', issuer `O=Open and
Free Technology Community,OU=certification authority for
irc,CN=irc.ca.oftc.net,address@hidden', RSA key 2048 bits, signed
using RSA-SHA, activated
                      | `2009-08-07 14:31:48 UTC', expires `2010-08-07
14:31:48 UTC', SHA-1 fingerprint `852cb9bbab6ae5c5c3d4a745e255b175006e7314'
20:12:26     oftc     |  - certificate[2] info:
20:12:26     oftc     |    - subject `O=Open and Free Technology
Community,OU=certification authority for
irc,CN=irc.ca.oftc.net,address@hidden', issuer `O=Open and Free
Technology Community,OU=Certification
                      | Authority,CN=ca.oftc.net,address@hidden', RSA
key 2048 bits, signed using RSA-SHA, activated `2008-05-25 00:10:59 UTC',
expires `2013-05-24 00:10:59 UTC', SHA-1 fingerprint
                      | `e45b2de35faec3e999209e34f7ce4c05b6adb73c'
20:12:26     oftc     |  - certificate[3] info:
20:12:26     oftc     |    - subject `O=Open and Free Technology
Community,OU=Certification Authority,CN=ca.oftc.net,address@hidden',
issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
                      | Interest,OU=hostmaster,CN=Certificate
Authority,address@hidden', RSA key 2048 bits, signed using
RSA-SHA, activated `2008-05-24 23:53:25 UTC', expires `2013-05-23 23:53:25
UTC', SHA-1 fingerprint
                      | `27361360dd639f5ee74b07468345516fc0f052f1'
20:12:26     oftc     |  - certificate[4] info:
20:12:26     oftc     |    - subject
`C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate Authority,address@hidden',
issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
                      | Interest,OU=hostmaster,CN=Certificate
Authority,address@hidden', RSA key 4096 bits, signed using
RSA-SHA, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56
UTC', SHA-1 fingerprint
                      | `af70884383820215cd61c6bcecfd3724a990431c'

But then, when weechat tries to use my cert and key to do mutual auth, it
fails. Notice that it claims to find a cert with the same subject as OFTC's CA
in my client.pem file, which is nonsense:
Code:

20:12:26     oftc     | gnutls: sending one certificate
20:12:26     oftc     |  - client certificate info
(/home/ataraxia/.weechat/ssl/client.pem):
20:12:26     oftc     |   - subject
`C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate Authority,address@hidden',
issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
                      | Interest,OU=hostmaster,CN=Certificate
Authority,address@hidden', RSA key 4096 bits, signed using
RSA-SHA, activated `2008-05-13 08:07:56 UTC', expires `2018-05-11 08:07:56
UTC', SHA-1 fingerprint
                      | `af70884383820215cd61c6bcecfd3724a990431c'
20:12:26     oftc =!= | irc: TLS handshake failed
20:12:26     oftc =!= | irc: error: Insufficient credentials for that
request.

I've double- and triple-checked that the contents of client.pem (MY cert and
key, and nothing to do with OFTC or SPI) are correct.

What is going on here? Is weechat really using the wrong creds to
authenticate me? (If that's so, at least it explains the "Insufficient
credentials" error, as of course I don't have the key for SPI's CA.)




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?30316>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
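
A check for the symptom reported above, as an added example that is not part of the original message or of WeeChat's code: it computes the SHA-1 fingerprint of every certificate block in a PEM file and compares it with the fingerprints the connection log prints. The function names and the placeholder PEM are assumptions; the log sample is abridged from the report.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# The log wraps long lines, so a "|" column marker may precede the value.
FPR_RE = re.compile(r"SHA-1 fingerprint\s*\|?\s*`([0-9a-f]{40})'")

# Constructed stand-in for client.pem: placeholder bytes, not a real certificate or key.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n"
              "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")

# Abridged from the log in the report ("..." marks the omitted fields).
SAMPLE_LOG = """\
oftc | gnutls: receiving 4 certificates
oftc |  - certificate[1] info: ... SHA-1 fingerprint `852cb9bbab6ae5c5c3d4a745e255b175006e7314'
oftc |  - certificate[4] info: ... SHA-1 fingerprint
                      | `af70884383820215cd61c6bcecfd3724a990431c'
oftc | gnutls: sending one certificate
oftc |  - client certificate info (client.pem): ... SHA-1 fingerprint
                      | `af70884383820215cd61c6bcecfd3724a990431c'
"""

def pem_cert_fingerprints(pem_text):
    """SHA-1 over the DER bytes of each CERTIFICATE block; key blocks are ignored."""
    return [hashlib.sha1(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def logged_fingerprints(log_text):
    """Return (server_chain, client) fingerprint lists from a connection log."""
    server_part, _, client_part = log_text.partition("client certificate info")
    return FPR_RE.findall(server_part), FPR_RE.findall(client_part)

def diagnose(pem_text, log_text):
    """Flag a logged client certificate that is not the one stored locally."""
    local = set(pem_cert_fingerprints(pem_text))
    server, client = logged_fingerprints(log_text)
    findings = []
    for fpr in client:
        if fpr in server:
            findings.append(("logged-client-cert-is-in-server-chain", fpr))
        if fpr not in local:
            findings.append(("logged-client-cert-not-in-pem-file", fpr))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PEM, SAMPLE_LOG):
        print(*finding)
```

On the abridged log both findings fire for the same fingerprint, which is the one the report shows under both certificate[4] and the client certificate info.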



