Closed
Bug 626022
Opened 14 years ago
Closed 10 years ago
verify irc.m.o GeoTrust intermediate chaining for OS X clients
Categories
(Infrastructure & Operations Graveyard :: Infrastructure: IRC, task)
Infrastructure & Operations Graveyard
Infrastructure: IRC
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mnordhoff, Assigned: dparsons)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Build Identifier: The irc.mozilla.org IRC servers use a very fine SSL cert...but it's only valid for irc.mozilla.org, so if you configure your client to connect directly to one of the servers, there will be a mismatch. There are *.mozilla.org certs somewhere -- see https://www.mozilla.org/ -- or you could create a new irc.mozilla.org cert that includes some subjectAltNames. (I wonder how many obscure IRC clients are broken by either of those... [Freenode uses wildcards and irssi apparently supports subjectAltName.]) Reproducible: Always Steps to Reproduce: You can take a look at the cert in a browser by visiting https://sand.mozilla.org:6697/ or https://concrete.mozilla.org:6697/
|
||
Comment 1•14 years ago
|
||
I vote for wontfix on the grounds that users should be discouraged from specifically connecting to one of these servers because that breaks our ability to redirect them elsewhere via DNS in order to perform maintenance and so forth. Users smart enough to know they have a need to override our choice of server for them are probably also smart enough to tell their client to accept a mismatched certificate. If geographic location is a concern, we're planning to get these into geodns soon instead of a round-robin like they are currently.
|
|
||
Comment 2•14 years ago
|
||
(In reply to comment #1) > Users smart enough to know they have a need to override our choice of > server for them are probably also smart enough to tell their client to accept > a mismatched certificate. Or a smarter plan would be to put the node they desire into their hosts file with the irc.mozilla.org hostname (so then the cert could still validate).
|
Reporter | |
Comment 3•14 years ago
|
||
I don't disagree about discouraging users from bypassing the round-robin, but personally, I'm smart enough to know I'm asking for trouble when I do it, but not smart enough to know how to configure my IRC client to accept the hostname mismatch but otherwise require a valid cert. (I'm not using ChatZilla.) Using /etc/hosts works, I guess, but it's such a hack. I recall one occasion on which the server irc.mozilla.org pointed to was down, but one of the other servers was up. No doubt it was fixed shortly, but it makes me more comfortable to configure my IRC client to try the specific servers if irc.mozilla.org fails, and I'd prefer SSL to work without issue when that happens. It's really not worth your time and money to fix this, but it would make me a little happy. :P
|
||
Comment 4•13 years ago
|
||
I have X-Chat set to connect to irc.mozilla.org, but I get certificate failures. Is it that X-Chat follows the CNAME and compares the result against the name in the certificate? If so, is that incorrect behaviour? * Looking up irc.mozilla.org * Connecting to sand.mozilla.org (63.245.208.159) port 6697... * * Subject: /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA * * Issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA * * Subject: /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA * * Issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA * * Subject: /serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org * * Issuer: /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA * * Certification info: * Subject: * serialNumber=jJNoDeAj2XruggOCC * 9OznpNC * MoRdVu * C=US * ST=California * L=Mountain View * O=Mozilla Corporation * OU=Mozilla IT * CN=irc.mozilla.org * Issuer: * C=US * O=GeoTrust, Inc. * CN=GeoTrust SSL CA * Public key algorithm: rsaEncryption (2048 bits) * Public key algorithm uses ephemeral key with 7975 bits * Sign algorithm sha1WithRSAEncryption (0 bits) * Valid since May 13 08:04:38 2011 GMT to Aug 14 08:36:01 2013 GMT * * Cipher info: * Version: TLSv1/SSLv3, cipher AES256-SHA (256 bits) * Connection failed. Error: certificate not trusted.? (27)
We have, since 2011, resolved several issues with our IRC server certificates, and it's generally understood by us that as of last year or so, our IRC SSL certificates are correctly configured. If you're still experiencing issues with this, please reopen; otherwise I am marking this RESOLVED WORKSFORME based on widespread evidence.
Assignee: nobody → infra
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Component: Server Operations: Projects → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
Resolution: --- → WORKSFORME
|
|
||
Comment 6•11 years ago
|
||
Just a couple of days ago, I looked again into why X-Chat had trouble verifying the IRC server certificate. I added GeoTrust to OS X's openssl's listed of trusted certificates and now I have no problem connecting.
Hmm. I'll reopen and take this. We might be serving the GeoTrust certificate incorrectly. What version of OS X are you using?
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WORKSFORME → ---
Summary: irc.mozilla.org SSL cert should be valid for {sand,gravel,concrete}.mozilla.org → verify irc.m.o GeoTrust intermediate chaining for OS X clients
|
|
||
Comment 8•11 years ago
|
||
10.9.2. I assumed that the openssl install that OS X has just doesn't include the GeoTrust certificate, although I don't know how to check that.
|
||
Comment 9•10 years ago
|
||
I think this problem is OSX specific, and not a problem with our SSL certificate on irc.m.o. According to a Apple KB article[1] SSL certificate management is handled by the users keychain, which may not be supported by X-Chat. I don't think X-Chat has native OSX support. It doesn't look like X-Chat is maintained. It hasn't had a release since 2010[2]. [1] http://support.apple.com/kb/PH10967 [2] http://xchat.org/ On Debian I am able to verify the chain of trust to irc.mozilla.org: bhourigan@miranda ~ % openssl s_client -connect irc.mozilla.org:6697 -CApath /etc/ssl/certs CONNECTED(00000003) depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA verify return:1 depth=0 serialNumber = A7/cAN-TICcVTifiF1F5wuRPLpK75-AJ, C = US, ST = California, L = Mountain View, O = Mozilla Corporation, CN = irc.mozilla.org verify return:1 --- Certificate chain 0 s:/serialNumber=A7/cAN-TICcVTifiF1F5wuRPLpK75-AJ/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/CN=irc.mozilla.org i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA ---
|
Assignee | |
Comment 10•10 years ago
|
||
I don't believe this is a problem with our new IRC network, but if anyone is able to reproduce it, please re-open this bug.
Assignee: infra → dparsons
Status: REOPENED → RESOLVED
Closed: 11 years ago → 10 years ago
QA Contact: mzeier → dparsons
Resolution: --- → FIXED
|
||
Updated•5 years ago
|
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•