3

I'm trying to set up an ngircd IRC server on Fedora 18 (which was installed using yum), but I'm having some SSL issues. I can connect to the server locally and remotely if I choose to "accept invalid SSL certificates", but get an error otherwise. Here is the XChat output when I try to connect to the IRC server locally:

* Connecting to {domain_name} ({ip_address}) port 6697...
* * Subject: /OU=Domain Control Validated/OU=PositiveSSL/CN={domain_name}
* * Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
* * Subject: /OU=Domain Control Validated/OU=PositiveSSL/CN={domain_name}
* * Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
* * Subject: /OU=Domain Control Validated/OU=PositiveSSL/CN={domain_name}
* * Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
* * Certification info:
*   Subject:
*     OU=Domain Control Validated
*     OU=PositiveSSL
*     CN={domain_name}
*   Issuer:
*     C=GB
*     ST=Greater Manchester
*     L=Salford
*     O=COMODO CA Limited
*     CN=PositiveSSL CA 2
*   Public key algorithm: rsaEncryption (2048 bits)
*   Sign algorithm sha1WithRSAEncryption
*   Valid since Nov  7 00:00:00 2012 GMT to Nov  7 23:59:59 2015 GMT
* * Cipher info:
*   Version: TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA (256 bits)
* Connection failed. Error: unable to verify the first certificate.? (21)

Here is the SSL portion of my ngircd.conf file. I ran ngircd --configtest to test the config file, but it just printed the contents of the file to my terminal.

[SSL]
  CertFile = /etc/pki/tls/certs/{domain_name}.crt
  DHFile = /etc/pki/tls/private/dhparams.pem
  KeyFile = /etc/pki/tls/private/{domain_name}.pem
  KeyFilePassword = {key_file_password}
  Ports = 6697

I've also tried to connect to the server remotely from a Windows 7 x64 machine using mIRC, but had issues there also.

I can't confirm it, but I think Fedora compiles ngircd with GnuTLS and I think my keys were created with OpenSSL. If this were so, would the keys be in a different format? How could I check and convert them?

Is it possible that this is a CA trust issue on both of my machines? If so, how/where can I add the CA root certificates in Fedora 18 and Windows 7 so I don't have this problem?

Are there any other possible causes? Is there any other information that I should be providing?

Anthon
kal

2 Answers

0

ngircd supports the directive:

[SSL]
CipherList = @SYSTEM

You also want to check the certificate you are using with:

openssl x509 -text -noout -in cert.pem

For Let's Encrypt, I used fullchain.pem and connected to ngircd over SSL on port 6697 with HexChat.

Dylan
0

In my case, the certfile had the certificates listed in the wrong order, and thus ngircd wouldn't start properly and clients gave connection errors, like:

Irssi: warning SSL handshake failed: Connection refused

After editing the certificates to be listed longest-first (aka. the rootmost CA last), the server started correctly and clients would connect.