#64 ZNC self-signed ssl certs have no issuer

Status: closed-fixed
Owner: Psychon
Labels: Engine (43)
Priority: 5
Updated: 2010-02-18
Created: 2009-09-10
Creator: Efreak
Private: No

My IRC client (jIRCii) comes up with this error when I try to connect to znc using ssl:

[7:33pm] *** Disconnected from bnc.efreakbnc.net: Empty issuer DN not allowed in X509Certificates

there's a solution posted at the end of THIS page: http://trac.drftpd.org/ticket/202

Discussion

  • Psychon

    Psychon - 2009-09-10

    Just a quick note:
    That link doesn't help. The -issuer option just changes the output on the terminal, but it has no effect on the generated certificate. Certificates generated with CreatePem.sh always have an issuer.

    The problem is that the code in ZNC to generate certificates (znc --makepem and --makeconf) generates an empty issuer DN. I'm looking for a fix, but I don't really understand that code at all.

    psychom

  • Efreak

    Efreak - 2009-09-11

    I'm pretty sure it does SOMETHING, though I'm not sure what, because I can't connect with the certificate generated by the original script, but I can when I generate it with the changed script. Maybe it just sticks something else in there?

  • Efreak

    Efreak - 2009-09-11

    I don't know any way to view the info contained in an SSL certificate other than using Firefox (Options -> Advanced -> Encryption -> View Certificates -> Import -> View Certificate, then cancel).
    When I view the original certificate, it pops up with an error, "This is not a certificate authority certificate so it cannot be imported into the certificate authority list" and refuses to even show me the contents.
    When I view the new one, it shows everything just the way I input it.

  • Efreak

    Efreak - 2009-09-11
    • labels: --> Engine
  • Efreak

    Efreak - 2009-09-11

    According to "openssl x509 -in ~/.znc/znc.pem -noout -text", showing the new certificate from the modified script:

    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number:
    ba:50:d2:d9:53:95:54:66
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, ST=California, L=West Hills, O=EfreakBNC, OU=Bouncer, CN=efreakbnc.net/emailAddress=efreak@efreakbnc.net
    Validity
    Not Before: Sep 10 02:34:50 2009 GMT
    Not After : Sep 10 02:34:50 2010 GMT
    Subject: C=US, ST=California, L=West Hills, O=EfreakBNC, OU=Bouncer, CN=efreakbnc.net/emailAddress=efreak@efreakbnc.net
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
    Modulus (512 bit):
    00:d2:6f:e3:50:f7:15:6e:d5:b0:96:ea:cb:73:ab:
    42:1a:ae:21:92:b0:fc:8b:9d:f4:1b:8f:fc:bd:32:
    8f:a2:77:4a:9f:30:06:f3:56:28:a9:d2:11:99:f5:
    3a:ed:b8:b1:3f:4c:05:7b:19:81:5f:25:fd:fd:da:
    dc:3c:26:bb:6b
    Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
    4a:71:3d:84:4d:c4:2f:c9:b1:1d:8f:e8:03:37:71:ec:23:a5:
    4b:d2:ae:56:0b:5e:8d:bc:e3:1d:06:3a:b6:dc:6d:19:ca:f6:
    b9:c1:0e:9b:ff:c6:85:6a:34:36:2f:b0:15:e4:82:8f:3c:e4:
    87:55:4e:e2:64:82:35:fb:c7:49

    According to "openssl x509 -in ~/.znc/znc.pem.bak -noout -text", showing the old certificate from the unmodified script:

    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 860 (0x35c)
    Signature Algorithm: md5WithRSAEncryption
    Issuer:
    Validity
    Not Before: Jul 12 21:28:45 2009 GMT
    Not After : Jul 12 21:28:45 2010 GMT
    Subject: C=US, ST=SomeState, L=SomeCity, O=SomeCompany, OU=efreak, CN=efreakbnc.net/emailAddress=efreak@efreakbnc.net
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00:f8:d2:31:f1:93:d5:68:3c:67:1b:ee:e7:6c:da:
    0e:7e:2b:f5:3d:fc:68:3d:95:eb:8c:f3:2b:bd:6e:
    68:e9:f5:44:8c:d6:bf:12:27:1f:89:2c:08:f5:d1:
    32:32:a3:f5:62:32:b2:f4:fc:83:40:3e:3b:1e:10:
    b6:89:45:18:8a:d7:db:ef:13:84:51:fd:ec:50:c0:
    37:82:60:c6:3e:3a:08:85:f7:f1:12:61:9a:47:69:
    75:2f:99:d2:12:c7:62:03:8d:ac:c6:12:42:16:55:
    fc:fd:1c:82:f4:92:9a:fe:e5:00:da:bd:7f:dd:da:
    85:c4:70:19:95:56:bc:5b:75
    Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
    d3:11:5b:a1:63:2e:8f:29:19:19:91:1b:16:1e:5f:17:71:27:
    8f:1a:bf:db:b3:5a:7c:b1:08:e4:a8:a8:8a:e6:96:15:9a:69:
    25:32:c5:58:9d:8c:37:fc:86:b4:9c:01:a9:7d:52:ef:e2:43:
    bd:f6:82:ca:47:73:80:c9:1f:7a:38:c6:7e:90:29:e7:3d:ce:
    a5:84:b3:0c:08:8d:74:96:33:f1:86:03:d8:23:5b:58:29:a5:
    91:b2:0c:35:8e:d8:3f:ff:12:1c:14:20:68:01:0a:3f:9e:dc:
    78:cd:07:6f:a7:c8:32:45:33:ff:6c:6f:7c:a2:88:d3:f6:50:
    dc:a8

  • Psychon

    Psychon - 2009-09-11

    You are doing something weird... I'm pretty sure -issuer shouldn't change the hash being used.

    Anyway, I created two certificates, one with the original CreatePem.sh and one with the modified version, and compared their text dumps (I just pressed enter on all questions from CreatePem.sh). As you see, none of the "real" info is different (and both have "Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd").

    So at least I don't see why CreatePem.sh should be changed, but the "znc --makepem" code still needs some tweaking, since that creates empty issuers for sure.

    --- orig.txt 2009-09-11 11:19:11.494603286 +0200
    +++ new.txt 2009-09-11 11:19:18.406626961 +0200
    @@ -2,25 +2,25 @@ Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number:
    - a0:28:e4:b1:d2:64:99:73
    + d5:9b:dc:29:53:bd:e4:6c
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
    Validity
    - Not Before: Sep 11 09:18:19 2009 GMT
    - Not After : Sep 11 09:18:19 2010 GMT
    + Not Before: Sep 11 09:18:43 2009 GMT
    + Not After : Sep 11 09:18:43 2010 GMT
    Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
    Modulus (512 bit):
    - 00:b7:5f:d1:02:89:38:96:15:23:e1:bf:ad:fb:f7:
    - 54:b6:60:fa:5d:0f:9a:1f:7a:05:e3:08:e3:cf:5a:
    - 88:a3:36:9f:fc:c4:cd:ab:01:b7:e0:fe:84:50:8c:
    - 63:bf:1d:1e:7b:b9:5d:29:87:9c:86:a1:6f:cf:2c:
    - fc:31:75:21:65
    + 00:c4:92:f0:03:de:b7:eb:76:b4:25:61:29:91:69:
    + a6:35:e1:77:cd:98:86:13:e7:d2:3d:b4:00:da:5c:
    + 3a:db:68:4f:b2:41:16:58:bf:91:d8:af:96:24:b6:
    + a4:c5:be:0f:8e:01:19:54:8f:17:74:a4:15:4c:26:
    + 0d:de:55:b6:69
    Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
    - 58:0e:52:e1:2d:82:cd:cb:cf:d9:7c:c7:fa:9d:11:47:bd:2e:
    - e1:cd:32:87:b1:46:44:8f:c6:3c:be:27:0e:ce:0f:dc:7b:7e:
    - 4b:fa:c8:65:32:af:bb:2b:84:f2:5e:db:d9:c3:b6:26:6f:38:
    - 28:25:4f:74:50:4f:17:ca:43:e0
    + 9d:95:95:08:05:9b:89:cd:c8:52:20:c1:c6:9d:e8:ef:08:f2:
    + 2a:7f:9f:b8:3f:d2:21:50:89:a5:ef:aa:72:fe:bc:e4:c5:cf:
    + 30:27:0e:95:f6:43:eb:1f:7d:dc:34:c5:6f:6c:fc:a3:24:be:
    + 0a:69:b1:6c:3a:d8:e1:69:67:ab
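    Review bot: the only changed lines in this hunk are the serial number, the Not Before/Not After timestamps, the modulus and the signature, which is exactly what two independent key generations produce, while the Issuer and Subject lines are unchanged context, so the diff supports the conclusion that the -issuer option does not alter the certificate. A second point worth recording from the same hunk is that both dumps show `RSA Public Key: (512 bit)`, a key size far too short for a TLS server, so whatever script is kept should also be asked for a larger key.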

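    An added check, not part of this ticket or of ZNC, that runs over the kind of `openssl x509 -noout -text` dumps posted in this thread and flags the conditions discussed here: an empty issuer DN (what jIRCii rejected), an issuer that does not match the subject on a supposedly self-signed certificate, plus the MD5 signature and the short RSA keys visible in the same dumps. The two sample dumps are constructed, shortened versions of the ones above, and the check also accepts the `Public-Key:` spelling used by newer OpenSSL releases.

```python
import re

# Constructed, shortened versions of the two `openssl x509 -noout -text` dumps
# posted in this ticket (not the real certificates).
OLD_DUMP = """\
        Signature Algorithm: md5WithRSAEncryption
        Issuer:
        Subject: C=US, ST=SomeState, O=SomeCompany, OU=efreak, CN=efreakbnc.net
        Subject Public Key Info:
                RSA Public Key: (1024 bit)
"""
NEW_DUMP = """\
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, O=EfreakBNC, OU=Bouncer, CN=efreakbnc.net
        Subject: C=US, ST=California, O=EfreakBNC, OU=Bouncer, CN=efreakbnc.net
        Subject Public Key Info:
                RSA Public Key: (512 bit)
"""

FIELD_RE = re.compile(r"\s*(Issuer|Subject|Signature Algorithm):\s*(.*)$")
# Old OpenSSL prints "RSA Public Key: (N bit)", newer releases "Public-Key: (N bit)".
KEY_RE = re.compile(r"\s*(?:RSA )?Public[- ]Key:\s*\((\d+) bit\)")


def parse_dump(text):
    """Extract issuer, subject, signature algorithm and key size from a text dump."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())  # keep the first occurrence
        m = KEY_RE.match(line)
        if m:
            fields["bits"] = int(m.group(1))
    return fields


def check_self_signed(fields):
    """Return the findings for a certificate that is supposed to be self-signed."""
    findings = []
    issuer, subject = fields.get("Issuer", ""), fields.get("Subject", "")
    if not issuer:
        findings.append("empty issuer DN")  # the condition jIRCii rejected in this ticket
    elif issuer != subject:
        findings.append("issuer does not match subject")
    if "md5" in fields.get("Signature Algorithm", "").lower():
        findings.append("MD5-based signature")
    if fields.get("bits", 0) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    return findings
```

    Run it on `openssl x509 -in ~/.znc/znc.pem -noout -text` output to see whether a given znc.pem would trip the same client error.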
  • Psychon

    Psychon - 2009-09-11

    Ok, could you try something for me? Apply the attached patch to ZNC, compile that znc, generate a new certificate with ./znc --makepem and test that certificate? According to openssl's output this gives the certificate an issuer. No idea why this is that important, but meh...

    psychon

  • Psychon

    Psychon - 2009-09-11

    Make znc --makepem set issuer == subject

  • Nobody/Anonymous

    Sorry it took so long:

    patching file Utils.cpp
    Hunk #1 FAILED at 99.
    1 out of 1 hunk FAILED -- saving rejects to file Utils.cpp.rej

  • Psychon

    Psychon - 2009-12-20

    Patch applies quite fine here.

  • Psychon

    Psychon - 2010-02-03

    Could you check if r1732 fixes this for you? (I just committed the attached patch to znc)

  • Psychon

    Psychon - 2010-02-03
    • assigned_to: nobody --> psychon
    • status: open --> pending-fixed
  • SourceForge Robot

    • status: pending-fixed --> closed-fixed
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).
