Old 03-19-2010, 02:57 PM   #1
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

How to import/use CAcert SSL root certificate to use SSL with Xchat IRC client?

I'm trying to use Xchat, to communicate with a server which uses CAcert root certificate(s) for its SSL connection.

I have Xchat all configured, and it works fine when I connect WITHOUT SSL, but I'm getting pretty miffed about how to get it to find/use whatever local certificates I'm supposed to have, assuming I actually *have* these certs installed somewhere. This seems like it should be less difficult than I'm making it out to be.

I've been to CAcert's website and their Wiki, and while they have the root certificates available for download (which I did, as well as inadvertently installing them into my browser, where they probably already were anyway) the only instructions I saw in their "Linux" docs department, on how/where to use/put them, were for a couple RH based distros, and some other distro I'm not using.

I checked the Xchat website and had a somewhat semi-thorough look around their user forum, but didn't find what I need there either.

The openssl man page (yes, it's installed) doesn't tell me what I want, and xchat doesn't even *have* a man page.

An LQ search turns up a few off-topic threads, mainly several years old and with very little in the way of replies.

Argh! This ought to be easy :/ and I bet it is easy, with the right documentation in front of me.

This is Slackware 13-64/-current. I've got /etc/ssl/certs folder, with nothing in it; and I have an /etc/ssl/openssl.cnf file which *appears* to be intended for using SSL on my own server (don't want that).

In case it helps, here's what the server tells me when I have enabled SSL and try to connect:

Code:
[15:47] * * Certification info:
[15:47] *   Subject:
[15:47] *     CN=irc.twice-irc.de
[15:47] *   Issuer:
[15:47] *     O=CAcert Inc.
[15:47] *     OU=http:
[15:47] *     
[15:47] *     www.CAcert.org
[15:47] *     CN=CAcert Class 3 Root
[15:47] *   Public key algorithm: rsaEncryption (4096 bits)
[15:47] *   Sign algorithm sha1WithRSAEncryption
[15:47] *   Valid since Jun 13 14:38:18 2008 GMT to Jun 13 14:38:18 2010 GMT
[15:47] * * Cipher info:
[15:47] *   Version: TLSv1/SSLv3, cipher AES256-SHA (256 bits)
[15:47] * Connection failed. Error: unable to get local issuer certificate.? (20)

Can someone point me to a decent link/tutorial about how to connect by IRC, (using Xchat if that matters), and have it find my SSL certs and/or where/how I get the CA root certificates in the right location for this to work??

Thank you

Sasha
 
Old 03-19-2010, 03:06 PM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

This one for MIXXnet seems to indicate you need the cert from the specific server/service you are connecting to.
http://www.mixxnet.net/wiki/index.ph...CA_Certificate

But it does show the correct way to link it, so you could get the cert you already downloaded and use that.

Last edited by smoker; 03-19-2010 at 03:09 PM.
 
Old 03-19-2010, 04:01 PM   #3
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Original Poster
Well, I spoke to the admin of the IRC server in question, and he told me that I should have been able to download the class-1 and class-3 keys from CAcert here: http://www.cacert.org/index.php?id=3 and put them into /etc/ssl/certs and close my Xchat client, then run this command:

Code:
shell# c_rehash

The above command gave me feedback indicating it was doing what it was expected to do.
Then, I restart the Xchat, and all would work as planned. But it did not, for some reason.

I have since checked the box labeled "ignore invalid certs" so I can at least connect using SSL, but without verifying the provided certs.

So, still interested in why it isn't working as expected, but is not a big panic -- just annoying not knowing why something so seemingly simple, is not working.

Thanks for that feedback smoker; I poked around to see if there were specific certs downloadable from that IRC server network I'm using, but apparently not.

Sasha
 
Old 03-19-2010, 04:22 PM   #4
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

The main point from the link I gave was this :
Quote:
Once the CA cert is moved to that directory, make a symlink with the cert's fingerprint and ".0" appended at the end so that OpenSSL can properly detect the certificate:

ln -s mixxnet.crt 6730e552.0

Tip: The filename above was derived from the command: $ openssl x509 -in mixxnet.crt -noout -hash

So whatever you called those certs you downloaded (you did download as text?) use in that command and then make the symlink.

Last edited by smoker; 03-19-2010 at 04:23 PM.
 
Old 03-19-2010, 04:49 PM   #5
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Original Poster
Smoker, thanks again, for the further input!

I did indeed download the text .crt versions of the files, and went and did the above command and symlinked them accordingly. But still no go; same error(s) upon trying to connect.

Seems logical that this would work, *if* I were downloading/using a cert file specific to this server, rather than the root certs from CAcert itself. But as mentioned, there's apparently no such cert to be had.

Sasha

EDIT: interestingly, when/if I execute the `c_rehash` command given me by the server admin, it deletes the symlinks.. I'll try again (again!) next time I disconnect.

Last edited by GrapefruiTgirl; 03-19-2010 at 04:51 PM.
 
Old 03-19-2010, 04:59 PM   #6
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

It shouldn't matter where the certs came from, but
Quote:
make a symlink with the cert's fingerprint and ".0" appended at the end so that OpenSSL can properly detect the certificate:
makes it seem as if openssl won't detect the cert at all otherwise.
 
Old 03-19-2010, 06:00 PM   #7
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Original Poster
I agree, kinda strange. I used the .0 suffix, and the command as given, but still no go. And yes, seems rather dumb to think that openssl would *like* the added suffix -- I would like to believe it is clever enough to identify a cert in its own preordained directory, without some suffix added.

Maybe I'll try doing the symlinking, but OMIT the .0 suffix, and see what it thinks of that.

I am going to have a look through my ~/.mozilla folder (for the heck of it -- humor me) and see if I can figure out where & how the certs are stored for use by FF. Worst case scenario: I'll learn nothing :/

Sasha
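
Added example (not part of the thread and not any poster's code): the CApath lookup discussed in posts #4 to #7, reproduced with a throwaway CA in a temp directory. It shows error 20 with an empty CApath, success once the `<subject-hash>.0` symlink exists, and error 20 again when the `.0` suffix is dropped; the CA name and irc.example.test are constructed, and a working `openssl` CLI with its default config is assumed.

```shell
#!/bin/sh
# Added example. Everything lives in a temp dir; /etc/ssl is never touched.
# "Demo Root" and irc.example.test are constructed names, not from the thread.

make_demo_pki() {        # $1 = work dir: throwaway CA + a server cert it signs
    mkdir -p "$1/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Demo CA/CN=Demo Root" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=irc.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.crt" 2>/dev/null
}

install_ca() {           # $1 = CA cert, $2 = CApath dir; prints the link name
    h=$(openssl x509 -in "$1" -noout -hash)
    cp "$1" "$2/"
    ln -sf "$(basename "$1")" "$2/$h.0"      # the step c_rehash automates
    echo "$h.0"
}

verdict() {              # $1 = CApath dir, $2 = cert; prints "OK" or "error N"
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
    case $out in
        *": OK"*) echo OK ;;
        *) echo "$out" |
             sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d"
    echo "empty CApath:     $(verdict "$d/certs" "$d/srv.crt")"
    link=$(install_ca "$d/ca.crt" "$d/certs")
    echo "with $link:  $(verdict "$d/certs" "$d/srv.crt")"
    # OpenSSL opens <hash>.<n> by name; it does not scan the directory.
    mv "$d/certs/$link" "$d/certs/${link%.0}"
    echo "suffix stripped:  $(verdict "$d/certs" "$d/srv.crt")"
    rm -rf "$d"
}
demo
```

On a real system the directory has to be the one the client's OpenSSL build actually reads (`openssl version -d` prints it). The subject-hash algorithm changed in OpenSSL 1.0.0, so links generated by an older `openssl` binary are not found by a newer library (`-subject_hash_old` prints the old form).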
 
Old 12-31-2010, 04:11 PM   #8
phizman
LQ Newbie
 
Registered: Dec 2010
Location: Canada
Posts: 2

Maybe not the most proper, but works for me. Path is for FC12, but just change it for wherever your distro's ca-bundle.crt is.

openssl x509 -in <yourCA>.crt -text >> /etc/pki/tls/certs/ca-bundle.crt
 
Old 04-03-2011, 06:47 AM   #9
tallship
Member
 
Registered: Jul 2003
Location: On the Beaches of Super Sunny Southern San Clemente, California USA
Distribution: Slackware - duh!
Posts: 534
Blog Entries: 3

Not alone in this issue - Any solutions yet????

Quote:
Originally Posted by GrapefruiTgirl
Well, I spoke to the admin of the IRC server in question, and he told me that I should have been able to download the class-1 and class-3 keys from CAcert here: http://www.cacert.org/index.php?id=3 and put them into /etc/ssl/certs and close my Xchat client, then run this command:

Code:
shell# c_rehash

The above command gave me feedback indicating it was doing what it was expected to do.
Then, I restart the Xchat, and all would work as planned. But it did not, for some reason.

I have since checked the box labeled "ignore invalid certs" so I can at least connect using SSL, but without verifying the provided certs.

I've checked that box too...


Quote:
Originally Posted by GrapefruiTgirl
So, still interested in why it isn't working as expected, but is not a big panic -- just annoying not knowing why something so seemingly simple, is not working.

What is the status of this issue? I'm in the same conundrum, although I have some additional information...

I can connect to the IRC Network[s] in question from KvIRC or Irssi w/SSL no problem, while I can't with Xchat (any longer - I used to be able to).

Some IRC networks I can connect to via SSL in Xchat, but not all - Freenode is one of the networks I can't connect to via SSL with Xchat.

Any luck with this? Does anyone have any additional input?

Thanks,

.
 
Old 04-05-2011, 09:54 AM   #10
tallship
Member
 
Registered: Jul 2003
Location: On the Beaches of Super Sunny Southern San Clemente, California USA
Distribution: Slackware - duh!
Posts: 534
Blog Entries: 3

Possible solution here for the next poor soul...

Well Sasha,

I *think* I have an explanation.

From the thread HERE, I gleaned what I needed to do and then...

Looks like we have a solution

I'll leave the actual reasons why XChat exhibits this particular behavior to whomever takes the time to read that thread, although it didn't seem to be a problem for KvIRC, WeeChat, or Irssi - all of which connected to Freenode and elsewhere "+X" without issue (for me anyway).

Here's the long of it: http://www.andrews-corner.org/irssi.html

And once I read that, I simply did:

Code:
# wget http://slackware.osuosl.org/slackware64-current/slackware64/n/ca-certificates-20090814-noarch-1.txz
# installpkg ca-certificates-20090814-noarch-1.txz

And I was done

Thanks to Robby too for pointing out to me that the package now lives in -current (Slackware64 13.37 RC3.1415926... LOL!)

I hope this helps the next somebody that comes along with this problem.

Kindest regards,

.
 
  


All times are GMT -5. The time now is 02:23 AM.
