FS#25676 - [weechat] SSL broken by gnutls 3.0.0

Attached to Project: Arch Linux
Opened by Sven-Hendrik Haase (Svenstaro) - Friday, 19 August 2011, 13:00 GMT
Last edited by Andrea Scarpino (BaSh) - Thursday, 25 August 2011, 08:52 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Giovanni Scafora (giovanni)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 3
Private: No

Details

gnutls 3.0.0 breaks weechat ssl connections.

Log: http://dpaste.org/sy8E/

Works in all versions before gnutls 3.0.0.

weechat upstream is aware of this but has no time to look into this issue.

A temporary solution is to downgrade gnutls or set ssl_verify to "off" in weechat settings.

Closed by Andrea Scarpino (BaSh)
Thursday, 25 August 2011, 08:52 GMT
Reason for closing: Not a bug
Additional comments about closing: see comments
Comment by speps (archspeps) - Sunday, 21 August 2011, 17:28 GMT
Is this maybe a freenode related issue?
I'm on weechat 0.3.5-3 gnutls 3.0.1-1 and I can safely connect to oftc via ssl > http://dpaste.org/tqiu/
Comment by Jakob Matthes (jakobm) - Sunday, 21 August 2011, 18:12 GMT
gnutls 3.0.1-1
weechat 0.3.5-3

I cannot reproduce the bug:
- connection to irc.oftc.net:9999 (ssl) works
- I can connect to chat.freenode.net:6697 (ssl), but I have to set irc.server.chat.freenode.net.ssl_dhkey_size to 1024, else it fails with:
irc: error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
irc: you should play with option irc.server.chat.freenode.net.ssl_dhkey_size (current value is 2048)

Can anyone give further information about this?
Comment by speps (archspeps) - Sunday, 21 August 2011, 18:49 GMT
@jakobm What you're pointing out is a well-known practice for freenode [1].

I already have ssl_dhkey_size set to 1024 for the freenode connection, and it does not work.
Make sure you have ssl_verify set to on and please paste a connection log.

[1] http://www.weechat.org/files/doc/weechat_faq.en.html#irc_ssl_freenode
Comment by Jakob Matthes (jakobm) - Sunday, 21 August 2011, 19:05 GMT
Thanks for the Freenode ssl reference, log is attached.
Comment by speps (archspeps) - Sunday, 21 August 2011, 21:13 GMT
@jakobm Thanks, seems like weechat.network.gnutls_ca_file has to be
forcibly set to "/etc/ssl/certs/ca-certificates.crt" to work with freenode now.

I had it at the default "%h/ssl/CAs.pem" with certificates in my ~/.weechat/ssl/CAs.pem
as described in the weechat FAQ, and it always worked before.

This can be considered solved by setting gnutls_ca_file with

/set weechat.network.gnutls_ca_file "/etc/ssl/certs/ca-certificates.crt"

Since http://crt.gandi.net/GandiStandardSSLCA.crt seems not to work anymore,
I wonder if this certificate is still valid, or whether the crt has to be generated in
a different way now, or what else.
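The thread turns on which CA bundle weechat actually reads: the default "%h/ssl/CAs.pem" (with %h being the weechat home directory) versus the system bundle "/etc/ssl/certs/ca-certificates.crt". Before turning ssl_verify off, it is worth checking that the configured file exists and really contains well-formed PEM certificates. The following script is an added example written for this page, not weechat's or gnutls's own code; the PEM parsing (split on BEGIN/END CERTIFICATE markers, base64-decode each body) and the %h expansion are assumptions made here, and the sample bundle it inspects is constructed inline with placeholder bodies rather than real certificates.

```python
import base64
import os
import re
import tempfile
from dataclasses import dataclass

# Matches one PEM certificate block; the body is whatever sits between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


@dataclass
class BundleReport:
    path: str        # path after %h / ~ expansion
    exists: bool     # whether the file could be opened
    valid: int       # blocks whose body decodes as base64 to non-empty bytes
    malformed: int   # blocks whose body is not valid base64 (or is empty)


def expand_weechat_path(value, weechat_home="~/.weechat"):
    """Expand weechat's %h placeholder (its home directory, assumed ~/.weechat) and ~."""
    return os.path.expanduser(value.replace("%h", weechat_home))


def count_certificates(pem_text):
    """Return (valid, malformed) counts over the CERTIFICATE blocks in a PEM bundle."""
    valid = malformed = 0
    for body in PEM_BLOCK.findall(pem_text):
        compact = "".join(body.split())  # drop the 64-column line wrapping
        try:
            # validate=True rejects characters outside the base64 alphabet
            der = base64.b64decode(compact, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            malformed += 1
            continue
        if der:
            valid += 1
        else:
            malformed += 1
    return valid, malformed


def inspect_ca_file(value):
    """Inspect the bundle a weechat gnutls_ca_file value points at."""
    path = expand_weechat_path(value)
    if not os.path.isfile(path):
        return BundleReport(path, False, 0, 0)
    with open(path, "r", errors="replace") as fh:
        valid, malformed = count_certificates(fh.read())
    return BundleReport(path, True, valid, malformed)


def _pem(body):
    """Wrap placeholder bytes in PEM markers (constructed sample, not real DER)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(body).decode() + "\n"
            + "-----END CERTIFICATE-----\n")


# Constructed sample bundle: two well-formed blocks and one with a corrupt body.
SAMPLE_BUNDLE = (
    "# constructed sample bundle, bodies are placeholders, not real certificates\n"
    + _pem(b"constructed placeholder for CA certificate 1")
    + _pem(b"constructed placeholder for CA certificate 2")
    + "-----BEGIN CERTIFICATE-----\nnot*valid*base64!\n-----END CERTIFICATE-----\n"
)


def main():
    # Write the constructed bundle to a temp file and inspect it like a real one.
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as tmp:
        tmp.write(SAMPLE_BUNDLE)
    print(inspect_ca_file(tmp.name))
    os.unlink(tmp.name)
    # The two paths discussed in the thread; results depend on the local machine.
    for value in ("%h/ssl/CAs.pem", "/etc/ssl/certs/ca-certificates.crt"):
        print(inspect_ca_file(value))


if __name__ == "__main__":
    main()
```

If the report for the weechat default shows `exists=False` or `valid=0` while the system bundle shows hundreds of valid blocks, the fix is the `/set weechat.network.gnutls_ca_file` change from the comment above rather than disabling verification; a `malformed` count greater than zero points at a bundle that was concatenated or pasted incorrectly.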
