Package: xchat
Version: 2.8.8-7.3
Severity: normal
Tags: patch

Dear Maintainer,

when connecting to the irc.hackint.org server, xchat gives the following error,
even when "Accept invalid SSL certificate" has been selected in the network
properties:

* Connection failed. Error: certificate not trusted.? (27)

This only happens when this is the second or later connection opened by the
running xchat process. If irc.hackint.org is the first connection, it correctly
ignores the untrusted certificate:

* * Verify E: unable to get local issuer certificate.? (20) -- Ignored

This server uses a chain of intermediate CA certificates (not a self-signed
certificate), and the root CA is not trusted by openssl on my system. Since
"Accept invalid SSL certificate" has been selected, I believe xchat should
still allow me to connect to this server.


It appears that in this case, SSL_get_verify_result() returns 27
(X509_V_ERR_CERT_UNTRUSTED), which is not one of the return values that gets
ignored by the "Accept invalid SSL certificate" option. I don't know why the
return value is different for the first connection.

The attached patch adds X509_V_ERR_CERT_UNTRUSTED to the list of return values
that are ignored when the "Accept invalid SSL certificate" is selected.

Best regards
Tomaž

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.1+ (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xchat depends on:
ii  libatk1.0-0          2.14.0-1
ii  libc6                2.19-18+deb8u1
ii  libcairo2            1.14.0-2.1
ii  libdbus-1-3          1.8.20-0+deb8u1
ii  libdbus-glib-1-2     0.102-1
ii  libfontconfig1       2.11.0-6.3
ii  libfreetype6         2.5.2-3+deb8u1
ii  libgdk-pixbuf2.0-0   2.31.1-2+deb8u4
ii  libglib2.0-0         2.42.1-1
ii  libgtk2.0-0          2.24.25-3
ii  libpango-1.0-0       1.36.8-3
ii  libpangocairo-1.0-0  1.36.8-3
ii  libpangoft2-1.0-0    1.36.8-3
ii  libperl5.20          5.20.2-3+deb8u1
ii  libsexy2             0.1.11-2.1
ii  libssl1.0.0          1.0.1k-3+deb8u2
ii  libx11-6             2:1.6.2-3
ii  xchat-common         2.8.8-7.3

Versions of packages xchat recommends:
ii  alsa-utils     1.0.28-1
ii  libnotify-bin  0.7.6-2
ii  libnotify4     0.7.6-2
ii  libpython2.7   2.7.9-2
ii  libtcl8.6      8.6.2+dfsg-2
ii  xdg-utils      1.1.0~rc1+git20111210-7.4
ii  zlib1g         1:1.2.8.dfsg-2+b1

xchat suggests no packages.

-- no debconf information
Index: xchat-2.8.8/src/common/server.c
===================================================================
--- xchat-2.8.8.orig/src/common/server.c	2015-12-28 19:51:11.018589143 +0100
+++ xchat-2.8.8/src/common/server.c	2015-12-28 19:51:56.541337114 +0100
@@ -722,6 +722,7 @@
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 		case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 		case X509_V_ERR_CERT_HAS_EXPIRED:
+		case X509_V_ERR_CERT_UNTRUSTED:
 			if (serv->accept_invalid_cert)
 			{
 				snprintf (buf, sizeof (buf), "* Verify E: %s.? (%d) -- Ignored",
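Review bot: The added `case X509_V_ERR_CERT_UNTRUSTED:` label needs a comment explaining why error 27 is grouped with the self-signed and expired cases. The report says it is not known why the first connection returns 20 and later ones return 27, so the widening of the ignore list should be documented where it happens. A short comment above the label noting the observed condition (untrusted root behind a chain of intermediates, seen on the second or later connection) would do. The new label shares the existing `if (serv->accept_invalid_cert)` check, so the error is only ignored for networks where the option is selected, and the "-- Ignored" message still prints the verify string and code, which keeps the skipped check visible to the user.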
