FS#25676 - [weechat] SSL broken by gnutls 3.0.0
Attached to Project:
Arch Linux
Opened by Sven-Hendrik Haase (Svenstaro) - Friday, 19 August 2011, 13:00 GMT
Last edited by Andrea Scarpino (BaSh) - Thursday, 25 August 2011, 08:52 GMT
Details
gnutls 3.0.0 breaks weechat ssl connections.
Log: http://dpaste.org/sy8E/ Works in all versions before gnutls 3.0.0. weechat upstream is aware of this but has no time to look into this issue. A temporary solution is to downgrade gnutls or set ss_verify to "off" in weechat settings.
Closed by Andrea Scarpino (BaSh)
Thursday, 25 August 2011, 08:52 GMT
Reason for closing: Not a bug
Additional comments about closing: see comments
I'm on weechat 0.3.5-3 gnutls 3.0.1-1 and I can safely connect to oftc via ssl > http://dpaste.org/tqiu/
weechat 0.3.5-3
I cannot reproduce the bug:
- connection to irc.oftc.net:9999 (ssl) works
- I can connect to chat.freenode.net:6697 (ssl), but I have to set irc.server.chat.freenode.net.ssl_dhkey_size to 1024, else it fails with:
irc: error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
irc: you should play with option irc.server.chat.freenode.net.ssl_dhkey_size (current value is 2048)
Can anyone give further information about this?
I already have ssl_dhkey_size set to 1024 for freenode connection, and it does not work.
Ensure you have ssl_verify set to on and please paste a connection log.
[1] http://www.weechat.org/files/doc/weechat_faq.en.html#irc_ssl_freenode
forcedly set on "/etc/ssl/certs/ca-certificates.crt" to work with freenode now.
I had it on default "%h/ssl/CAs.pem" with certificates in my ~/.weechat/ssl/CAs.pem
as described in the weechat FAQ, and it always worked before.
This can be considered solved by setting gnutls_ca_file with
/set weechat.network.gnutls_ca_file "/etc/ssl/certs/ca-certificates.crt"
Since http://crt.gandi.net/GandiStandardSSLCA.crt seems to not work anymore,
I wonder if this certificate is still valid or the crt has to be generated in
a different way now or what else.