4

Using WeeChat through the terminal (on Arch Linux), I can connect to Freenode's server with SSL. No problem there.

But if I try to connect to some IRC servers using SSL (e.g. ircs.overthewire.org), WeeChat gives the following errors:

gnutls: peer's certificate is NOT trusted
gnutls: peer's certificate issuer is unknown
irc: TLS handshake failed
irc: error: Error in the certificate.

Connecting to such servers with SSL only works if I do the following, as per the advice on WeeChat's FAQ:

/set irc.server.example.ssl_verify off

However, the same FAQ says that I should be careful, as this makes it less secure.

Is this something I can fix at all, or is it an issue I have to live with for some IRC servers?

Nadim Hussami
  • 143

1 Answers1

4

TLS/SSL works the same way here as it does with HTTPS in web browsers. If the server's certificate is valid, you can access the website – if it isn't, you get a scary warning from the browser (client), because it has no way of knowing whether the validation failure is the result of the server being impersonated, or whether it's harmless misconfiguration on the admin's site.

(And unfortunately, most IRC server operators do not care about keeping their TLS certificates up-to-date – or indeed even obtaining valid ones in the first place.)

In this case, ircs.overthewire.org:6697 has a TLS certificate that at least used to be valid, but its issuer (StartCom Ltd.) is no longer trusted by most systems due to various misissuances. You get the message "issuer is unknown" because your OS no longer has the StartCom root CA certificate installed.

You have two options:

  • Instead of using CA-based validation, tell Weechat to accept this specific certificate because you've validated it using another method. (Basically the method used by SSH.) To do this, set the option irc.server.example.ssl_fingerprint to the certificate's SHA-256 fingerprint (or the less secure SHA-1).

    The fingerprints of the certificate currently offered by the server are:

    sha1   = 540fbfe14671915ee939b3a78b8ce52bf45c8e85
sha256 = 5916acbdfff8e1474402c75ccba2858c23e93348607d122e4f3106cbed6ab1ff

    This will work until the server operators change the certificate, at which point you'll have to either update the option with new fingerprints, or try your luck at using ssl_verify = on again.

  • Not recommended: Download the StartCom root CA and mark it as trusted in your OS (or at least in Weechat).

grawity
  • 501,077