gnutls: certificate has expired
Bug summary
When using the -ssl flag and connecting to an SSL port, the connection fails. I believe this is happening because one of the certs in the chain is expired. It looks like this was solved in gnutls here
Steps to reproduce
1. /server add w3c irc.w3.org/994 -ssl
2. /connect w3c
Current behavior
fails if one of the certs in the chain is expired
Expected behavior
handling cert-chain correctly and connecting
Suggested solutions
import fixes from gnutls
Additional information
Other clients not using gnutls seem to handle the cert chain correctly and connect. Cert chains that do not have an expired cert, for example freenode, work with gnutls and weechat.
- WeeChat version: github branch: yancyribbens:add-dockerfile
- OS, distribution and version: see dockerfile
If the fix was made in GnuTLS itself, is there something to do on WeeChat side? Just upgrading and using the new version of GnuTLS in WeeChat should be enough, no?
I did some more testing and I think it's a different issue than described here. For example:
- apt-get install gnutls-bin
- gnutls-cli irc.w3.org:994
results in:
- Status: The certificate is trusted.
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed
Which is different compared to the result in gitlab
Status: The certificate is NOT trusted. The certificate chain uses expired certificate. The signature in the certificate is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
Just to be sure, I tested using debian:unstable which includes a gnutls 3.6.13-4: https://packages.qa.debian.org/g/gnutls28/news/20200601T091851Z.html and had the same error.
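To find out which certificate in a served chain is the expired one (the "certificate chain uses expired certificate" case from the gnutls-cli run above), here is an added shell helper that is not part of this thread, WeeChat or GnuTLS. It assumes openssl is installed and that the chain has been saved to a PEM file, for example with `openssl s_client -showcerts -connect irc.w3.org:994 </dev/null`.

```shell
#!/bin/sh
# check_chain_expiry BUNDLE.pem
# Splits a PEM bundle (as written by "openssl s_client -showcerts") into its
# individual certificates and prints, for each, subject, notAfter and whether
# it is already expired. Returns 1 if any certificate in the bundle is expired.
check_chain_expiry() {
  bundle="$1"
  tmpdir=$(mktemp -d) || return 2
  # one file per certificate: cert-0.pem (leaf), cert-1.pem, ... in bundle order
  awk -v dir="$tmpdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" (n-1) ".pem" }
    n { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
  ' "$bundle"
  status=0
  for cert in "$tmpdir"/cert-*.pem; do
    [ -f "$cert" ] || continue
    subject=$(openssl x509 -in "$cert" -noout -subject)
    enddate=$(openssl x509 -in "$cert" -noout -enddate)
    # "-checkend 0" exits non-zero when notAfter is already in the past
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
      echo "ok       $subject $enddate"
    else
      echo "EXPIRED  $subject $enddate"
      status=1
    fi
  done
  rm -rf "$tmpdir"
  return $status
}
```

An EXPIRED line for an intermediate, while the leaf is still valid, is the situation this issue describes; whether a client then fails depends on whether its TLS library can build an alternate path around that certificate.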
I can verify that this bug is still there.
same for me with weechat-3.1-dev and gnutls-3.6.15.
$ gnutls-cli chat.freenode.net:6697
Processed 129 CA certificate(s).
Resolving 'chat.freenode.net:6697'...
Connecting to '38.229.70.22:6697'...
But I got TLS handshake failed using the same server in weechat.