03-19-2010, 02:57 PM
|
#1
|
LQ Guru
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594
|
How to import/use CAcert SSL root certificate to use SSL with Xchat IRC client?
I'm trying to use Xchat, to communicate with a server which uses CAcert root certificate(s) for its SSL connection.
I have Xchat all configured, and it works fine when I connect WITHOUT SSL, but I'm getting pretty miffed about how to get it to find/use whatever local certificates I'm supposed to have, assuming I actually *have* these certs installed somewhere. This seems like it should be less difficult than I'm making it out to be.
I've been to CAcert's website and their Wiki, and while they have the root certificates available for download (which I did, as well as inadvertently installing them into my browser, where they probably already were anyway) the only instructions I saw in their "Linux" docs department, on how/where to use/put them, were for a couple RH based distros, and some other distro I'm not using.
I checked the Xchat website and had a somewhat semi-thorough look around their user forum, but didn't find what I need there either.
The openssl man page (yes, it's installed) doesn't tell me what I want, and xchat doesn't even *have* a man page.
An LQ search turns up a few off-topic threads, mainly several years old and with very little in the way of replies.
Argh! This ought to be easy :/ and I bet it is easy, with the right documentation in front of me.
This is Slackware 13-64/-current. I've got /etc/ssl/certs folder, with nothing in it; and I have an /etc/ssl/openssl.cnf file which *appears* to be intended for using SSL on my own server (don't want that).
In case it helps, here's what the server tells me when I have enabled SSL and try to connect:
Code:
[15:47] * * Certification info:
[15:47] * Subject:
[15:47] * CN=irc.twice-irc.de
[15:47] * Issuer:
[15:47] * O=CAcert Inc.
[15:47] * OU=http:
[15:47] *
[15:47] * www.CAcert.org
[15:47] * CN=CAcert Class 3 Root
[15:47] * Public key algorithm: rsaEncryption (4096 bits)
[15:47] * Sign algorithm sha1WithRSAEncryption
[15:47] * Valid since Jun 13 14:38:18 2008 GMT to Jun 13 14:38:18 2010 GMT
[15:47] * * Cipher info:
[15:47] * Version: TLSv1/SSLv3, cipher AES256-SHA (256 bits)
[15:47] * Connection failed. Error: unable to get local issuer certificate.? (20)
Can someone point me to a decent link/tutorial about how to connect by IRC, (using Xchat if that matters), and have it find my SSL certs and/or where/how I get the CA root certificates in the right location for this to work??
Thank you
Sasha
|
|
|
03-19-2010, 03:06 PM
|
#2
|
Senior Member
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279
|
This one for MIXXnet seems to indicate you need the cert from the specific server/service you are connecting to.
http://www.mixxnet.net/wiki/index.ph...CA_Certificate
But it does show the correct way to link it, so you could get the cert you already downloaded and use that.
Last edited by smoker; 03-19-2010 at 03:09 PM.
|
|
|
03-19-2010, 04:01 PM
|
#3
|
LQ Guru
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594
Original Poster
|
Well, I spoke to the admin of the IRC server in question, and he told me that I should have been able to download the class-1 and class-3 keys from CAcert here: http://www.cacert.org/index.php?id=3 and put them into /etc/ssl/certs and close my Xchat client, then run this command:
The above command gave me feedback indicating it was doing what it was expected to do.
Then, I restart the Xchat, and all would work as planned. But it did not, for some reason.
I have since checked the box labeled "ignore invalid certs" so I can at least connect using SSL, but without verifying the provided certs.
So, still interested in why it isn't working as expected, but is not a big panic -- just annoying not knowing why something so seemingly simple, is not working.
Thanks for that feedback smoker; I poked around to see if there were specific certs downloadable from that IRC server network I'm using, but apparently not.
Sasha
|
|
|
03-19-2010, 04:22 PM
|
#4
|
Senior Member
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279
|
The main point from the link I gave was this:
Quote:
Once the CA cert is moved to that directory, make a symlink with the cert's fingerprint and ".0" appended at the end so that OpenSSL can properly detect the certificate:
ln -s mixxnet.crt 6730e552.0
Tip: The filename above was derived from the command: $ openssl x509 -in mixxnet.crt -noout -hash
|
So whatever you called those certs you downloaded (you did download as text?) use in that command and then make the symlink.
Last edited by smoker; 03-19-2010 at 04:23 PM.
|
|
|
03-19-2010, 04:49 PM
|
#5
|
LQ Guru
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594
Original Poster
|
Smoker, thanks again, for the further input!
I did indeed download the text .crt versions of the files, and went and did the above command and symlinked them accordingly. But still no go; same error(s) upon trying to connect.
Seems logical that this would work, *if* I were downloading/using a cert file specific to this server, rather than the root certs from CAcert itself. But as mentioned, there's apparently no such cert to be had.
Sasha
EDIT: interestingly, when/if I execute the `c_rehash` command given me by the server admin, it deletes the symlinks.. I'll try again (again!) next time I disconnect.
Last edited by GrapefruiTgirl; 03-19-2010 at 04:51 PM.
|
|
|
03-19-2010, 04:59 PM
|
#6
|
Senior Member
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279
|
It shouldn't matter where the certs came from, but
Quote:
make a symlink with the cert's fingerprint and ".0" appended at the end so that OpenSSL can properly detect the certificate:
|
makes it seem as if openssl won't detect the cert at all otherwise.
|
|
|
03-19-2010, 06:00 PM
|
#7
|
LQ Guru
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594
Original Poster
|
I agree, kinda strange. I used the .0 suffix, and the command as given, but still no go. And yes, seems rather dumb to think that openssl would *like* the added suffix -- I would like to believe it is clever enough to identify a cert in its own preordained directory, without some suffix added.
Maybe I'll try doing the symlinking, but OMIT the .0 suffix, and see what it thinks of that.
I am going to have a look through my ~/.mozilla folder (for the heck of it -- humor me) and see if I can figure out where & how the certs are stored for use by FF. Worst case scenario: I'll learn nothing :/
Sasha
|
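What the `.0` link does, as an added example that is not part of any post in this thread: OpenSSL does not scan a CA directory, it hashes the issuer name of the certificate being checked and opens `<hash>.0` in that directory. The script builds a throwaway CA and a server certificate for the made-up name irc.example.test, then verifies before and after creating the link; every name, path and key in it is an assumption generated for the demonstration.

```shell
# Added example. All keys and certificates are throwaway test data made here.
# Create a test CA in $1/certs and a server certificate signed by it.
make_test_pki() {
    mkdir -p "$1/certs"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/ca.key" -out "$1/certs/example-root.crt" 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -subj "/CN=irc.example.test" \
        -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/certs/example-root.crt" \
        -CAkey "$1/ca.key" -set_serial 1 -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# Give a CA certificate the name OpenSSL looks up: <subject hash>.0
hash_link() {
    h=$(openssl x509 -in "$1" -noout -hash) || return 1
    ln -sf "$(basename "$1")" "$(dirname "$1")/$h.0"
}

# Verify the server certificate against the directory; report OK or the error.
verify_status() {
    out=$(openssl verify -CApath "$1/certs" "$1/leaf.crt" 2>&1) || :
    case $out in
        *": OK"*)      echo "OK" ;;
        *"error 20 "*) echo "error 20" ;;  # unable to get local issuer certificate
        *)             echo "other" ;;
    esac
}

# Same directory, same CA file: only the hash-named link changes the result.
demo() {
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir"
    before=$(verify_status "$dir")
    hash_link "$dir/certs/example-root.crt"
    after=$(verify_status "$dir")
    rm -rf "$dir"
    echo "before=$before after=$after"
}
demo  # prints: before=error 20 after=OK
```

`c_rehash <dir>` (or `openssl rehash <dir>` on newer OpenSSL releases) creates the same links for every certificate in a directory.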
|
|
12-31-2010, 04:11 PM
|
#8
|
LQ Newbie
Registered: Dec 2010
Location: Canada
Posts: 2
|
Maybe not the most proper, but works for me. Path is for FC12, but just change it for wherever your distro's ca-bundle.crt is.
openssl x509 -in <yourCA>.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
|
|
|
04-03-2011, 06:47 AM
|
#9
|
Member
Registered: Jul 2003
Location: On the Beaches of Super Sunny Southern San Clemente, California USA
Distribution: Slackware - duh!
Posts: 534
|
Not alone in this issue - Any solutions yet????
Quote:
Originally Posted by GrapefruiTgirl
Well, I spoke to the admin of the IRC server in question, and he told me that I should have been able to download the class-1 and class-3 keys from CAcert here: http://www.cacert.org/index.php?id=3 and put them into /etc/ssl/certs and close my Xchat client, then run this command:
The above command gave me feedback indicating it was doing what it was expected to do.
Then, I restart the Xchat, and all would work as planned. But it did not, for some reason.
I have since checked the box labeled "ignore invalid certs" so I can at least connect using SSL, but without verifying the provided certs.
|
I've checked that box too...
Quote:
Originally Posted by GrapefruiTgirl
So, still interested in why it isn't working as expected, but is not a big panic -- just annoying not knowing why something so seemingly simple, is not working.
|
What is the status of this issue? I'm in the same conundrum, although I have some additional information...
I can connect to the IRC Network[s] in question from KvIRC or Irssi w/SSL no problem, while I can't with Xchat (any longer - I used to be able to).
Some IRC networks I can connect to via SSL in Xchat, but not all - Freenode is one of the networks I can't connect to via SSL with Xchat.
Any luck with this? Does anyone have any additional input?
Thanks,
.
|
|
|
04-05-2011, 09:54 AM
|
#10
|
Member
Registered: Jul 2003
Location: On the Beaches of Super Sunny Southern San Clemente, California USA
Distribution: Slackware - duh!
Posts: 534
|
Possible solution here for the next poor soul...
Well Sasha,
I *think* I have an explanation.
From the thread HERE, I gleaned what I needed to do and then...
Looks like we have a solution
I'll leave the actual reasons why XChat exhibits this particular behavior to whomever takes the time to read that thread, although it didn't seem to be a problem for KvIRC, WeeChat, or Irssi - all of which connected to Freenode and elsewhere "+X" without issue (for me anyway).
Here's the long of it: http://www.andrews-corner.org/irssi.html
And once I read that, I simply did:
Code:
# wget http://slackware.osuosl.org/slackware64-current/slackware64/n/ca-certificates-20090814-noarch-1.txz
# installpkg ca-certificates-20090814-noarch-1.txz
And I was done
Thanks to Robby too for pointing out to me that the package now lives in -current (Slackware64 13.37 RC3.1415926... LOL!)
I hope this helps the next somebody that comes along with this problem.
Kindest regards,
.
|
|
|