#64 ZNC self-signed ssl certs have no issuer

closed-fixed
Psychon
Engine (43)
5
2010-02-18
2009-09-10
Efreak
No

My IRC client (jIRCii) comes up with this error when I try to connect to znc using ssl:

[7:33pm] *** Disconnected from bnc.efreakbnc.net: Empty issuer DN not allowed in X509Certificates

There's a solution posted at the end of THIS page: http://trac.drftpd.org/ticket/202

Discussion

  • Psychon
    Psychon
    2009-09-10

    Just a quick note:
    That link doesn't help. The -issuer option just changes the output on the terminal, but it has no effect on the generated certificate. Certificates generated with CreatePem.sh always have an issuer.

    The problem is that the code in ZNC to generate certificates (znc --makepem and --makeconf) generates an empty issuer DN. I'm looking for a fix, but I don't really understand that code at all.

    psychon

     
  • Efreak
    Efreak
    2009-09-11

    I'm pretty sure it does SOMETHING, though I'm not sure what, because I can't connect with the certificate generated by the original script, but I can when I generate it with the changed script. Maybe it just sticks something else in there?

     
  • Efreak
    Efreak
    2009-09-11

    I don't know any way to view the info contained in an SSL certificate other than using Firefox (Options -> Advanced -> Encryption -> View Certificates -> Import -> View Certificate, then Cancel).
    When I view the original certificate, it pops up with an error, "This is not a certificate authority certificate so it cannot be imported into the certificate authority list" and refuses to even show me the contents.
    When I view the new one, it shows everything just the way I input it.

     
  • Efreak
    Efreak
    2009-09-11

    • labels: --> Engine
     
  • Efreak
    Efreak
    2009-09-11

    According to "openssl x509 -in ~/.znc/znc.pem -noout -text", showing the new certificate from the modified script:

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                ba:50:d2:d9:53:95:54:66
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, ST=California, L=West Hills, O=EfreakBNC, OU=Bouncer, CN=efreakbnc.net/emailAddress=efreak@efreakbnc.net
            Validity
                Not Before: Sep 10 02:34:50 2009 GMT
                Not After : Sep 10 02:34:50 2010 GMT
            Subject: C=US, ST=California, L=West Hills, O=EfreakBNC, OU=Bouncer, CN=efreakbnc.net/emailAddress=efreak@efreakbnc.net
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (512 bit)
                    Modulus (512 bit):
                        00:d2:6f:e3:50:f7:15:6e:d5:b0:96:ea:cb:73:ab:
                        42:1a:ae:21:92:b0:fc:8b:9d:f4:1b:8f:fc:bd:32:
                        8f:a2:77:4a:9f:30:06:f3:56:28:a9:d2:11:99:f5:
                        3a:ed:b8:b1:3f:4c:05:7b:19:81:5f:25:fd:fd:da:
                        dc:3c:26:bb:6b
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption
            4a:71:3d:84:4d:c4:2f:c9:b1:1d:8f:e8:03:37:71:ec:23:a5:
            4b:d2:ae:56:0b:5e:8d:bc:e3:1d:06:3a:b6:dc:6d:19:ca:f6:
            b9:c1:0e:9b:ff:c6:85:6a:34:36:2f:b0:15:e4:82:8f:3c:e4:
            87:55:4e:e2:64:82:35:fb:c7:49

    According to "openssl x509 -in ~/.znc/znc.pem.bak -noout -text", showing the old certificate from the unmodified script:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 860 (0x35c)
            Signature Algorithm: md5WithRSAEncryption
            Issuer:
            Validity
                Not Before: Jul 12 21:28:45 2009 GMT
                Not After : Jul 12 21:28:45 2010 GMT
            Subject: C=US, ST=SomeState, L=SomeCity, O=SomeCompany, OU=efreak, CN=efreakbnc.net/emailAddress=efreak@efreakbnc.net
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:f8:d2:31:f1:93:d5:68:3c:67:1b:ee:e7:6c:da:
                        0e:7e:2b:f5:3d:fc:68:3d:95:eb:8c:f3:2b:bd:6e:
                        68:e9:f5:44:8c:d6:bf:12:27:1f:89:2c:08:f5:d1:
                        32:32:a3:f5:62:32:b2:f4:fc:83:40:3e:3b:1e:10:
                        b6:89:45:18:8a:d7:db:ef:13:84:51:fd:ec:50:c0:
                        37:82:60:c6:3e:3a:08:85:f7:f1:12:61:9a:47:69:
                        75:2f:99:d2:12:c7:62:03:8d:ac:c6:12:42:16:55:
                        fc:fd:1c:82:f4:92:9a:fe:e5:00:da:bd:7f:dd:da:
                        85:c4:70:19:95:56:bc:5b:75
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5WithRSAEncryption
            d3:11:5b:a1:63:2e:8f:29:19:19:91:1b:16:1e:5f:17:71:27:
            8f:1a:bf:db:b3:5a:7c:b1:08:e4:a8:a8:8a:e6:96:15:9a:69:
            25:32:c5:58:9d:8c:37:fc:86:b4:9c:01:a9:7d:52:ef:e2:43:
            bd:f6:82:ca:47:73:80:c9:1f:7a:38:c6:7e:90:29:e7:3d:ce:
            a5:84:b3:0c:08:8d:74:96:33:f1:86:03:d8:23:5b:58:29:a5:
            91:b2:0c:35:8e:d8:3f:ff:12:1c:14:20:68:01:0a:3f:9e:dc:
            78:cd:07:6f:a7:c8:32:45:33:ff:6c:6f:7c:a2:88:d3:f6:50:
            dc:a8

     
  • Psychon
    Psychon
    2009-09-11

    You are doing something weird... I'm pretty sure -issuer shouldn't change the hash being used.

    Anyway, I created two certificates, one with the original CreatePem.sh and one with the modified version, and compared their text dumps (I just pressed enter on all questions from CreatePem.sh). As you see, none of the "real" info is different (and both have "Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd").

    So at least I don't see why CreatePem.sh should be changed, but the "znc --makepem" code still needs some tweaking, since that creates empty issuers for sure.

    --- orig.txt 2009-09-11 11:19:11.494603286 +0200
    +++ new.txt 2009-09-11 11:19:18.406626961 +0200
    @@ -2,25 +2,25 @@ Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number:
    - a0:28:e4:b1:d2:64:99:73
    + d5:9b:dc:29:53:bd:e4:6c
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
    Validity
    - Not Before: Sep 11 09:18:19 2009 GMT
    - Not After : Sep 11 09:18:19 2010 GMT
    + Not Before: Sep 11 09:18:43 2009 GMT
    + Not After : Sep 11 09:18:43 2010 GMT
    Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
    Modulus (512 bit):
    - 00:b7:5f:d1:02:89:38:96:15:23:e1:bf:ad:fb:f7:
    - 54:b6:60:fa:5d:0f:9a:1f:7a:05:e3:08:e3:cf:5a:
    - 88:a3:36:9f:fc:c4:cd:ab:01:b7:e0:fe:84:50:8c:
    - 63:bf:1d:1e:7b:b9:5d:29:87:9c:86:a1:6f:cf:2c:
    - fc:31:75:21:65
    + 00:c4:92:f0:03:de:b7:eb:76:b4:25:61:29:91:69:
    + a6:35:e1:77:cd:98:86:13:e7:d2:3d:b4:00:da:5c:
    + 3a:db:68:4f:b2:41:16:58:bf:91:d8:af:96:24:b6:
    + a4:c5:be:0f:8e:01:19:54:8f:17:74:a4:15:4c:26:
    + 0d:de:55:b6:69
    Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
    - 58:0e:52:e1:2d:82:cd:cb:cf:d9:7c:c7:fa:9d:11:47:bd:2e:
    - e1:cd:32:87:b1:46:44:8f:c6:3c:be:27:0e:ce:0f:dc:7b:7e:
    - 4b:fa:c8:65:32:af:bb:2b:84:f2:5e:db:d9:c3:b6:26:6f:38:
    - 28:25:4f:74:50:4f:17:ca:43:e0
    + 9d:95:95:08:05:9b:89:cd:c8:52:20:c1:c6:9d:e8:ef:08:f2:
    + 2a:7f:9f:b8:3f:d2:21:50:89:a5:ef:aa:72:fe:bc:e4:c5:cf:
    + 30:27:0e:95:f6:43:eb:1f:7d:dc:34:c5:6f:6c:fc:a3:24:be:
    + 0a:69:b1:6c:3a:d8:e1:69:67:ab
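    Review bot: every changed line in this hunk is a per-generation value (serial number, validity timestamps, RSA modulus, signature), and those differ between any two freshly generated keys regardless of the options passed, so the hunk does not show -issuer altering anything; the Issuer and Subject lines are unchanged context, which is the evidence for the claim above. The same context shows a 512-bit RSA key, which is far below the minimum that current TLS stacks accept, so a certificate produced by this script would also need a larger key before it is usable with any modern client.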

     
  • Psychon
    Psychon
    2009-09-11

    Ok, could you try something for me? Apply the attached patch to ZNC, compile that znc, generate a new certificate with ./znc --makepem and test that certificate? According to openssl's output this gives the certificate an issuer. No idea why this is that important, but meh...

    psychon

     
  • Psychon
    Psychon
    2009-09-11

    Make znc --makepem set issuer == subject

     
    Attachments
  • Sorry it took so long:

    patching file Utils.cpp
    Hunk #1 FAILED at 99.
    1 out of 1 hunk FAILED -- saving rejects to file Utils.cpp.rej

     
  • Psychon
    Psychon
    2009-12-20

    Patch applies quite fine here.

     
  • Psychon
    Psychon
    2010-02-03

    Could you check if r1732 fixes this for you? (I just committed the attached patch to znc)

     
  • Psychon
    Psychon
    2010-02-03

    • assigned_to: nobody --> psychon
    • status: open --> pending-fixed
     
    • status: pending-fixed --> closed-fixed
     
  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).