TLS Handshake error when attempting to connect to perl irc with ssl #718
Comments
|
Executing > openssl s_client -connect ssl.irc.perl.org:7062returns Connecting to 2600:3c00::f03c:91ff:fedb:bf01
CONNECTED(00000003)
depth=0 C=US, ST=Virginia, L=Reston, O=MAGnet, CN=ssl.irc.perl.org
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=Virginia, L=Reston, O=MAGnet, CN=ssl.irc.perl.org
verify return:1
---
Certificate chain
0 s:C=US, ST=Virginia, L=Reston, O=MAGnet, CN=ssl.irc.perl.org
i:C=US, ST=Virginia, L=Reston, O=MAGnet, CN=ssl.irc.perl.org
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
v:NotBefore: Nov 7 21:44:17 2016 GMT; NotAfter: Nov 5 21:44:17 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIJAPHPDY0YWTotMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
BAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTEPMA0GA1UEBxMGUmVzdG9uMQ8wDQYD
VQQKEwZNQUduZXQxGTAXBgNVBAMTEHNzbC5pcmMucGVybC5vcmcwHhcNMTYxMTA3
MjE0NDE3WhcNMjYxMTA1MjE0NDE3WjBdMQswCQYDVQQGEwJVUzERMA8GA1UECBMI
VmlyZ2luaWExDzANBgNVBAcTBlJlc3RvbjEPMA0GA1UEChMGTUFHbmV0MRkwFwYD
VQQDExBzc2wuaXJjLnBlcmwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAwNQTHnNtOgPGnLW7qONJIImiC8arhPe9mA2RplG7nzO1HjhzVBBdd6wC
U4p9ypsKtBDHAsLLcgul1JBNDGfTW6GOLpKOLDmk80MNEJbZnjmR9YIMTHXL6DBq
Am601BeQvQHaxBObHXw70CauaUtQkEGZn6b6MnF4Qh4ZgnYklZBIfm7MR8KuHj2o
wpvFHltcFbXAbtHbN+CIzi73hp29FAtYF5TrhddepfkxkHfz0AIxy9QX9TqFeaoA
rd9mCVmAzyH5s4zA8/g3KbkwN+U2N97A6aAGlZz9O1hciNUryY1Gn8pY4qOlrizJ
o6N+YU6zxsjZ7palhCba5AT1qid6AQIDAQABo4HCMIG/MB0GA1UdDgQWBBRGRSnb
x5sr4z10vTeakEDn+hf81jCBjwYDVR0jBIGHMIGEgBRGRSnbx5sr4z10vTeakEDn
+hf81qFhpF8wXTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMQ8wDQYD
VQQHEwZSZXN0b24xDzANBgNVBAoTBk1BR25ldDEZMBcGA1UEAxMQc3NsLmlyYy5w
ZXJsLm9yZ4IJAPHPDY0YWTotMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
ggEBAC12PrtWu40eeGJ7JhNo/YBygpfgwZB/yZRmv0k40iOSyaFjD0dhvqIVpj8p
gWkcodlwjdLqDqwiKS6PORC2s1x8CuYnn46foVRBwnr/na6mEHmNkkLqZfW+K30V
G4SgtO6RnZtW6ZJkv9ZS46p2pmXZJtCbAeJE2zUfA/vslmzNf6nVyj9c1lcvrEoz
Hrqqj1FmWzoj3xuLwoq8YxoNO1WNdd+P3lBLwhC/Jjv7fZWIlI3w5cQIs5FVRPgW
JQ+E/DfpBVoxphT7vwMErTQXwAjjHC0l39WdyVLuGayutfEc7xqCG5VETSKMXNFe
szDO33JbZVJVPm1o6OHddynF2XE=
-----END CERTIFICATE-----
subject=C=US, ST=Virginia, L=Reston, O=MAGnet, CN=ssl.irc.perl.org
issuer=C=US, ST=Virginia, L=Reston, O=MAGnet, CN=ssl.irc.perl.org
---
No client certificate CA names sent
---
SSL handshake has read 1352 bytes and written 645 bytes
Verification error: self-signed certificate
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: 14B5185FB7E51A9CEEE9F2DC5133F14ECFA1C96E1EF7535F04E53E0EC4291A44
Session-ID-ctx:
Master-Key: 10DB45E7A10E6245D8B43CE59EE9FF78C3A27A5CA57FA596D2D1208C43D942A13F540ACC67572D4D88D309614AF039DA
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - d1 04 dd da 21 df 7d 44-0e 1b b8 d7 d7 7e fb a9 ....!.}D.....~..
0010 - 82 7b bd b0 17 98 7d d1-24 53 94 b7 67 0d 69 ec .{....}.$S..g.i.
0020 - b8 ca 8e c8 08 60 a8 5c-da 66 1c 7e c0 39 28 be .....`.\.f.~.9(.
0030 - f6 4f de 93 99 85 bc 44-22 8e 6f 81 e7 27 0a e1 .O.....D".o..'..
0040 - f7 ca f4 47 1c c6 2a 32-77 1e 31 7d 15 55 49 ca ...G..*2w.1}.UI.
0050 - b6 50 04 89 24 05 a4 c1-65 0b 37 24 d3 fa b1 20 .P..$...e.7$...
0060 - ca bc 78 17 f4 18 8c 7c-c9 44 81 0f c9 66 f0 9a ..x....|.D...f..
0070 - d7 1f 37 f5 1a ee 37 d9-75 8f 71 14 b4 3b 42 80 ..7...7.u.q..;B.
0080 - 06 5c ee 62 56 48 78 60-6d f2 c8 95 f3 14 d8 36 .\.bVHx`m......6
0090 - e0 6a f7 90 2f 8d 38 ab-87 77 0e bb ab dc a7 30 .j../.8..w.....0
00a0 - 16 6d 2a 32 6b 31 c4 c2-f6 4e fc 22 c5 97 38 ea .m*2k1...N."..8.
Start Time: 1737460720
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
---indicating they using a self-signed certificate. Update your Halloy config with this flag: https://halloy.squidowl.org/configuration/servers/index.html#dangerously_accept_invalid_certs Should fix it. Beware of the implications, which could be
regards |
|
@jscarty It's working? Give us some feedback please. tyvm |
[servers.perl]
nickname = "halloyfoobar"
server = "ssl.irc.perl.org"
port = 7062
channels = ["#catalyst"]
dangerously_accept_invalid_certs = trueThis isn't working for me. I feel like theres a few (older) servers who are not always compatible, perhaps because we use a too new TLS version or something. |
|
Well, I could have tested it myself ;-) openssl s_client -connect ssl.irc.perl.org:7062 -cipher "ECDHE, EECDH"
openssl s_client -connect ssl.irc.perl.org:7062 -cipher "DHE, EDH"in both cases you will get an TLS alert handshake failure. AFAIK: Not supporting PFS means vulnerable to man-in-the-middle attacks. Therefore it is not supported (anymore). tokio_rustls not supporting it (exactly not supported by rustls: https://docs.rs/rustls/latest/rustls/manual/_02_tls_vulnerabilities/index.html#cbc-mac-then-encrypt-ciphersuites). So it could not (and should not) be fixed in Halloy. ;-) regards |
Sorry! Had a busy week and hadn't had a chance to give it another try. Thanks for the answer (regarding fixing it) |
I'm having trouble connecting to perls irc server with ssl. I'm using the configuration below
[servers.perl]nickname = "HarryF".server = "ssl.irc.perl.org"port = 7062channels = ["#catalyst"]I get an error stating
connection to server failed (a TLS error occured: io error: received fatal alert: HandshakeFailure)Asking on IRC casperstorm suggested it may be due to an older version of tls that's not longer supported.
The text was updated successfully, but these errors were encountered: