Bug #3874

closed

SSL Certificate Warning isn't recording auto-accept

Added by Cassio Luz S. almost 6 years ago. Updated over 3 years ago.

Status: Unconfirmed
Priority: Normal
Assignee:
Category: Interface
Target version:
Start date: 04/22/2018
Due date:
% Done: 0%
Estimated time:
Operative System: All
Regression: No

Description

If you try to connect to a server with an expired SSL certificate, a dialog appears asking if you trust it.
Optionally you may enable the option to automatically accept it, but AdiIRC doesn't record it.

It's odd, to be honest. The impression I am having is: sometimes it records fine, sometimes not.

Actions #1

Updated by Per Amundsen almost 6 years ago

Are you using the 3.1 beta? It has a related fix.

If you are, you can try opening config.ini and checking the "[Certs]" section; there should be an entry based on the resolved hostname (Connecting to irc.network.com (xx.xx.xx.xx)).

Example entry:

irc.network.com,certificatehash

If the entry is there, compare the certificatehash with the "SHA1 fingerprint:" in the certificate popup dialog.

Keep in mind that when connecting to a round-robin host containing multiple IP addresses, each individual server must be stored, since they in most cases have different hostnames.

example:

irc.network.com points to
server1.network.com
server2.network.com
server3.network.com

AdiIRC must validate and save the certificate for each serverN.network.com independently since they are not the same server.

Let me know if that helps; if not, I need to know the network where this happens so I can test myself.
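
The comparison described in the comment above, as an added example that is not AdiIRC's code or part of the original thread: it reads `host,hash` lines from a `[Certs]` section and checks them against the SHA-1 fingerprint of a server's DER-encoded certificate. The hex formatting of the stored hash, the `[Other]` section, and all sample data are assumptions constructed for illustration.

```python
import hashlib
import ssl

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha1(der).hexdigest()

def normalize(fp: str) -> str:
    # Dialogs may show "AB:CD:..." or "AB CD ..."; keep hex digits only.
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")

def load_certs_section(ini_text: str) -> dict:
    """Map hostname -> set of stored hashes from [Certs] lines of the form host,hash."""
    pins, in_certs = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_certs = line.lower() == "[certs]"
        elif in_certs and "," in line:
            host, fp = line.split(",", 1)
            pins.setdefault(host.strip().lower(), set()).add(normalize(fp))
    return pins

def check(host: str, der: bytes, pins: dict) -> str:
    """Return 'missing', 'match' or 'mismatch' for the hostname actually connected to."""
    stored = pins.get(host.lower())
    if not stored:
        return "missing"
    return "match" if sha1_fingerprint(der) in stored else "mismatch"

def fetch_der(host: str, port: int) -> bytes:
    """Fetch the presented certificate without validating it, for fingerprinting only."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# Constructed sample data: stand-in bytes instead of real certificates.
CERT_SERVER1 = b"constructed DER bytes for server1"
CERT_SERVER1_RENEWED = b"constructed DER bytes for server1 after renewal"
SAMPLE_INI = (
    "[Other]\nkey=value\n"
    "[Certs]\nserver1.network.com," + sha1_fingerprint(CERT_SERVER1).upper() + "\n"
)

if __name__ == "__main__":
    pins = load_certs_section(SAMPLE_INI)
    # The stored entry is for the resolved hostname, not the round-robin name.
    print(check("server1.network.com", CERT_SERVER1, pins))          # stored hash matches
    print(check("server1.network.com", CERT_SERVER1_RENEWED, pins))  # certificate changed
    print(check("irc.network.com", CERT_SERVER1, pins))              # no entry for this name
```

A "mismatch" result corresponds to the case where the stored hash no longer equals the fingerprint shown in the dialog, and "missing" to a hostname that has no entry of its own.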

Actions #2

Updated by Cassio Luz S. almost 6 years ago

Per Amundsen wrote:

> Are you using the 3.1 beta? It has a related fix.
>
> If you are, you can try opening config.ini and checking the "[Certs]" section; there should be an entry based on the resolved hostname (Connecting to irc.network.com (xx.xx.xx.xx)).
>
> Example entry:
>
> [...]
>
> If the entry is there, compare the certificatehash with the "SHA1 fingerprint:" in the certificate popup dialog.
>
> Keep in mind that when connecting to a round-robin host containing multiple IP addresses, each individual server must be stored, since they in most cases have different hostnames.
>
> example:
>
> irc.network.com points to
> server1.network.com
> server2.network.com
> server3.network.com
>
> AdiIRC must validate and save the certificate for each serverN.network.com independently since they are not the same server.
>
> Let me know if that helps; if not, I need to know the network where this happens so I can test myself.

I am using the most recent beta version.

The server that I am having the issue with is: ceres.dk.eu.irchighway.net

Actually, I connect to IRCHighWay only using this server.

Not sure, but it looks like AdiIRC only records the auto-accept if you reconnect to the server in your current session. If you close AdiIRC and re-open it, it will not have the auto-accept recorded.

Actions #3

Updated by Cassio Luz S. almost 6 years ago

I've just realized that even if I try to connect directly to ceres.dk.eu.irchighway.net, it sometimes redirects me to a different server.

But today I was lucky enough to connect to ceres.dk.eu.irchighway.net and I did the test you asked me to.

Actually, the SHA1 fingerprint in my config.ini for that server is different from the one shown in the SSL Certificate Warning (for that server).

I will check if enabling the option does update that. But I am 90% convinced that it doesn't update.

Actions #4

Updated by Per Amundsen almost 6 years ago

Try writing that fingerprint down somewhere. The next time you connect to that specific server and see the dialog, compare the hash you saved, the one in config.ini and the one in the dialog; it's possible that the certificate was changed/updated.

Actions #5

Updated by Cassio Luz S. almost 6 years ago

I didn't ignore this thread.

Temporarily I am not connecting to IRCHighWay often, but if I discover something, I will report it.

By the way: I've only reported the issue after a long period of dealing with it (the probability of a fingerprint change may exist, but I think the issue is a bit more complex than it looks).

Actions #6

Updated by Per Amundsen over 5 years ago

I recently discovered that SNI domains in server certificates were not always validated correctly; this might be related to that.

Actions #7

Updated by Per Amundsen over 3 years ago

  • Category set to Interface
  • Status changed from New to Unconfirmed
  • Assignee set to Per Amundsen