LinuxQuestions.org


GrapefruiTgirl 03-19-2010 02:57 PM

How to import/use CAcert SSL root certificate to use SSL with Xchat IRC client?
 
I'm trying to use Xchat, to communicate with a server which uses CAcert root certificate(s) for its SSL connection.

I have Xchat all configured, and it works fine when I connect WITHOUT SSL, but I'm getting pretty miffed about how to get it to find/use whatever local certificates I'm supposed to have, assuming I actually *have* these certs installed somewhere. This seems like it should be less difficult than I'm making it out to be.

I've been to CAcert's website and their Wiki, and while they have the root certificates available for download (which I did, as well as inadvertently installing them into my browser, where they probably already were anyway) the only instructions I saw in their "Linux" docs department, on how/where to use/put them, were for a couple RH based distros, and some other distro I'm not using.

I checked the Xchat website and had a somewhat semi-thorough look around their user forum, but didn't find what I need there either.

The openssl man page (yes, it's installed) doesn't tell me what I want, and xchat doesn't even *have* a man page.

An LQ search turns up a few off-topic threads, mainly several years old and with very little in the way of replies.

Argh! This ought to be easy :/ and I bet it is easy, with the right documentation in front of me.

This is Slackware 13-64/-current. I've got /etc/ssl/certs folder, with nothing in it; and I have an /etc/ssl/openssl.cnf file which *appears* to be intended for using SSL on my own server (don't want that).

In case it helps, here's what the server tells me when I have enabled SSL and try to connect:

Code:

[15:47] * * Certification info:
[15:47] *  Subject:
[15:47] *    CN=irc.twice-irc.de
[15:47] *  Issuer:
[15:47] *    O=CAcert Inc.
[15:47] *    OU=http:
[15:47] *   
[15:47] *    www.CAcert.org
[15:47] *    CN=CAcert Class 3 Root
[15:47] *  Public key algorithm: rsaEncryption (4096 bits)
[15:47] *  Sign algorithm sha1WithRSAEncryption
[15:47] *  Valid since Jun 13 14:38:18 2008 GMT to Jun 13 14:38:18 2010 GMT
[15:47] * * Cipher info:
[15:47] *  Version: TLSv1/SSLv3, cipher AES256-SHA (256 bits)
[15:47] * Connection failed. Error: unable to get local issuer certificate.? (20)

Can someone point me to a decent link/tutorial about how to connect by IRC, (using Xchat if that matters), and have it find my SSL certs and/or where/how I get the CA root certificates in the right location for this to work??

Thank you :)

Sasha

smoker 03-19-2010 03:06 PM

This one for MIXXnet seems to indicate you need the cert from the specific server/service you are connecting to.
http://www.mixxnet.net/wiki/index.ph...CA_Certificate

But it does show the correct way to link it, so you could get the cert you already downloaded and use that.

GrapefruiTgirl 03-19-2010 04:01 PM

Well, I spoke to the admin of the IRC server in question, and he told me that I should have been able to download the class-1 and class-3 keys from CAcert here: http://www.cacert.org/index.php?id=3 and put them into /etc/ssl/certs and close my Xchat client, then run this command:

Code:

shell# c_rehash

The above command gave me feedback indicating it was doing what it was expected to do.
Then, I restart the Xchat, and all would work as planned. But it did not, for some reason.

I have since checked the box labeled "ignore invalid certs" so I can at least connect using SSL, but without verifying the provided certs.

So, still interested in why it isn't working as expected, but is not a big panic -- just annoying :p not knowing why something so seemingly simple, is not working.

Thanks for that feedback smoker; I poked around to see if there were specific certs downloadable from that IRC server network I'm using, but apparently not.

Sasha

smoker 03-19-2010 04:22 PM

The main point from the link I gave was this :
Quote:

Once the CA cert is moved to that directory, make a symlink with the cert's fingerprint and ".0" appended at the end so that OpenSSL can properly detect the certificate:

ln -s mixxnet.crt 6730e552.0

Tip: The filename above was derived from the command: $ openssl x509 -in mixxnet.crt -noout -hash

So whatever you called those certs you downloaded (you did download as text?) use in that command and then make the symlink.

GrapefruiTgirl 03-19-2010 04:49 PM

Smoker, thanks again, for the further input!

I did indeed download the text .crt versions of the files, and went and did the above command and symlinked them accordingly. But still no go; same error(s) upon trying to connect.

Seems logical that this would work, *if* I were downloading/using a cert file specific to this server, rather than the root certs from CAcert itself. But as mentioned, there's apparently no such cert to be had.

Sasha

EDIT: interestingly, when/if I execute the `c_rehash` command given me by the server admin, it deletes the symlinks.. :scratch: I'll try again (again!) next time I disconnect.

smoker 03-19-2010 04:59 PM

It shouldn't matter where the certs came from, but
Quote:

make a symlink with the cert's fingerprint and ".0" appended at the end so that OpenSSL can properly detect the certificate:

makes it seem as if openssl won't detect the cert at all otherwise.

GrapefruiTgirl 03-19-2010 06:00 PM

I agree, kinda strange. I used the .0 suffix, and the command as given, but still no go. And yes, seems rather dumb to think that openssl would *like* the added suffix -- I would like to believe it is clever enough to identify a cert in its own preordained directory, without some suffix added.

Maybe I'll try doing the symlinking, but OMIT the .0 suffix, and see what it thinks of that.

I am going to have a look through my ~/.mozilla folder (for the heck of it -- humor me ;) ) and see if I can figure out where & how the certs are stored for use by FF. Worst case scenario: I'll learn nothing :/

Sasha
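
The `<hash>.0` directory lookup discussed in the posts above, as an added example that is not part of the original thread: it builds a throwaway CA and server certificate, then verifies the server certificate against a `-CApath` directory before and after the hash-named symlink exists. The names `Demo Root`, `irc.example.test` and `demo-root.crt` are constructed for the demo.

```shell
#!/bin/sh
# Added demo: every key, certificate and name below is generated locally (constructed).
set -eu

# make_pki DIR: throwaway root CA in DIR/certs plus a server cert signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Demo CA/CN=Demo Root" \
        -keyout "$1/ca.key" -out "$1/certs/demo-root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=irc.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -days 1 -CAcreateserial \
        -CA "$1/certs/demo-root.crt" -CAkey "$1/ca.key" \
        -out "$1/srv.crt" 2>/dev/null
}

# check DIR: print "ok", "error20" (unable to get local issuer certificate),
# or "other" for the server cert verified against the hashed directory DIR/certs.
check() {
    if out=$(openssl verify -CApath "$1/certs" "$1/srv.crt" 2>&1); then
        echo ok
    else
        case $out in
            *"unable to get local issuer certificate"*) echo error20 ;;
            *) echo other ;;
        esac
    fi
}

demo() {
    d=$(mktemp -d)
    mkdir "$d/certs"
    make_pki "$d"
    before=$(check "$d")   # CA file is in the directory, but only as demo-root.crt
    h=$(openssl x509 -in "$d/certs/demo-root.crt" -noout -hash)
    ln -s demo-root.crt "$d/certs/$h.0"   # the name OpenSSL actually looks for
    after=$(check "$d")
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

`c_rehash` creates the same kind of links for every certificate in the directory. OpenSSL 1.0.0 changed how this subject hash is computed (the older value is still available via `-subject_hash_old`), so a link name produced by one major version is not the name a client built against the other will look for.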

phizman 12-31-2010 04:11 PM

Maybe not the most proper, but works for me. Path is for FC12, but just change it for wherever your distro's ca-bundle.crt is.

openssl x509 -in <yourCA>.crt -text >> /etc/pki/tls/certs/ca-bundle.crt

tallship 04-03-2011 06:47 AM

Not alone in this issue - Any solutions yet????
 
Quote:

Originally Posted by GrapefruiTgirl (Post 3904940)
Well, I spoke to the admin of the IRC server in question, and he told me that I should have been able to download the class-1 and class-3 keys from CAcert here: http://www.cacert.org/index.php?id=3 and put them into /etc/ssl/certs and close my Xchat client, then run this command:

Code:

shell# c_rehash

The above command gave me feedback indicating it was doing what it was expected to do.
Then, I restart the Xchat, and all would work as planned. But it did not, for some reason.

I have since checked the box labeled "ignore invalid certs" so I can at least connect using SSL, but without verifying the provided certs.

I've checked that box too...


Quote:

Originally Posted by GrapefruiTgirl (Post 3904940)
So, still interested in why it isn't working as expected, but is not a big panic -- just annoying :p not knowing why something so seemingly simple, is not working.

What is the status of this issue? I'm in the same conundrum, although I have some additional information...

I can connect to the IRC Network[s] in question from KvIRC or Irssi w/SSL no problem, while I can't with Xchat (any longer - I used to be able to).

Some IRC networks I can connect to via SSL in Xchat, but not all - Freenode is one of the networks I can't connect to via SSL with Xchat.

Any luck with this? Does anyone have any additional input?

Thanks,

.

tallship 04-05-2011 09:54 AM

Possible solution here for the next poor soul...
 
Well Sasha,

I *think* I have an explanation.

From the thread HERE, I gleaned what I needed to do and then...

Looks like we have a solution :)

I'll leave the actual reasons why XChat exhibits this particular behavior to whoever takes the time to read that thread, although it didn't seem to be a problem for KvIRC, WeeChat, or Irssi - all of which connected to Freenode and elsewhere "+X" without issue (for me anyway).

Here's the long of it: http://www.andrews-corner.org/irssi.html

And once I read that, I simply did:

Code:

# wget http://slackware.osuosl.org/slackware64-current/slackware64/n/ca-certificates-20090814-noarch-1.txz
# installpkg ca-certificates-20090814-noarch-1.txz

And I was done :)

Thanks to Robby too for pointing out to me that the package now lives in -current (Slackware64 13.37 RC3.1415926... LOL!)

I hope this helps the next somebody that comes along with this problem.

Kindest regards,

.


All times are GMT -5.