Package: irssi
Version: 1.4.3-2
Severity: normal
Tags: upstream
X-Debbugs-Cc: debbug.ir...@sideload.33mail.com

Apparently it is impossible for an IRSSI user to perform pubkey authentication if they also load the server_time.pl IRSSI script. The raw log looks like this:

===8<----------------------------------------
<< CAP LS 302
<< JOIN :
>> :palladium.libera.chat NOTICE * :*** Ident disabled, not checking ident
>> :palladium.libera.chat NOTICE * :*** Looking up your hostname...
>> :palladium.libera.chat NOTICE * :*** Couldn't look up your hostname
>> :palladium.libera.chat CAP * LS :account-notify away-notify chghost
>> extended-join multi-prefix
>> sasl=ECDSA-NIST256P-CHALLENGE,EXTERNAL,PLAIN,SCRAM-SHA-512 tls account-tag
>> cap-notify echo-message server-time solanum.chat/identify-msg
>> solanum.chat/oper solanum.chat/realhost
<< CAP REQ :sasl multi-prefix extended-join away-notify chghost account-notify server-time
<< CAP REQ :server-time
>> :palladium.libera.chat 451 * :You have not registered
>> :palladium.libera.chat CAP * ACK :sasl multi-prefix extended-join
>> away-notify chghost account-notify server-time
<< AUTHENTICATE EXTERNAL
>> :palladium.libera.chat CAP * ACK :server-time
<< CAP END
===8<----------------------------------------

Notice the JOIN message. That has no business here. It creates noise and a 451 warning message. It’s a red herring and is not the cause of the underlying problems. Nonetheless, it’s a defect. We will call this sub bug 1.

Packet capture shows that the raw log generated by IRSSI is incomplete (call this sub bug 2). In reality the server replies with “AUTHENTICATE +” but IRSSI sends “CAP END” before registration is complete. This causes the libera server to signal that SASL authentication failed, which is also missing from the raw log. IRSSI gives up and sends an RST packet. But then strangely IRSSI reports "connection lost", as if the connection were dropped by an external actor. I will label that sub bug 3.

This is the output in the IRSSI status window:

===8<----------------------------------------
[torlibera] -!- Irssi: Looking up 127.0.0.1
[torlibera] -!- Irssi: Connecting to 127.0.0.1 [127.0.0.1] port 16001
[torlibera] -!- Irssi: Certificate Chain:
[torlibera] -!- Irssi: Subject: CN: palladium.libera.chat
[torlibera] -!- Irssi: Issuer: C: US, O: Let's Encrypt, CN: R10
[torlibera] -!- Irssi: Subject: C: US, O: Let's Encrypt, CN: R10
[torlibera] -!- Irssi: Issuer: C: US, O: Internet Security Research Group, CN: ISRG Root X1
[torlibera] -!- Irssi: Protocol: TLSv1.3 (256 bit, TLS_AES_256_GCM_SHA384)
[torlibera] -!- Irssi: EDH Key: 253 bit Unknown
[torlibera] -!- Irssi: Public Key: 4096 bit RSA, valid from Feb 10 05:20:04 2025 GMT to May 11 05:20:03 2025 GMT
[torlibera] -!- Irssi: Public Key Fingerprint: 01:33:EE:35:80:B0:BB:7C:61:8D:56:9D:1B:98:69:14:F3:78:EB:D3:7A:3F:61:8F:C8:9F:AA:34:CF:DD:1E:62 (SHA256)
[torlibera] -!- Irssi: Certificate Fingerprint: E6:5E:B7:CC:2D:3F:EA:53:58:88:2E:F5:1B:1B:E5:F4:B5:56:67:9C:E1:6F:85:FE:27:94:5C:10:89:22:E0:8F (SHA256)
[torlibera] Waiting for CAP LS response...
[torlibera] -!- Irssi: Connection to 127.0.0.1 established
[torlibera] !palladium.libera.chat *** Ident disabled, not checking ident
[torlibera] !palladium.libera.chat *** Looking up your hostname...
[torlibera] !palladium.libera.chat *** Couldn't look up your hostname
[torlibera] -!- Capabilities requested: sasl multi-prefix extended-join away-notify chghost account-notify server-time
[torlibera] -!- Capabilities supported: account-notify away-notify chghost extended-join multi-prefix sasl=ECDSA-NIST256P-CHALLENGE,EXTERNAL,PLAIN,SCRAM-SHA-512 tls account-tag cap-notify echo-message server-time solanum.chat/identify-msg solanum.chat/oper solanum.chat/realhost
[torlibera] -!- Capabilities acknowledged: sasl multi-prefix extended-join away-notify chghost account-notify server-time
[torlibera] -!- Capabilities acknowledged: server-time
-!- Irssi: Connection lost to 127.0.0.1
===8<----------------------------------------

To reproduce that, this is the relevant config stanza:

===8<----------------------------------------
torlibera = {
  type = "IRC";
  nick = "manny";
  username = "manny";
  realname = "manny";
  sasl_mechanism = "external";
};
…
{
  address = "127.0.0.1";
  chatnet = "torlibera";
  port = "16001";
  use_tls = "yes";
  tls_cert = "~/certs/libera.pem";
  tls_verify = "no";
  tls_pinned_pubkey = "01:33:EE:35:80:B0:BB:7C:61:8D:56:9D:1B:98:69:14:F3:78:EB:D3:7A:3F:61:8F:C8:9F:AA:34:CF:DD:1E:62";
}
===8<----------------------------------------

It’s a tor session and IRSSI does not support proxies, so this is the wrapper script used:

===8<----------------------------------------
$ socat -T9999999 -s TCP4-LISTEN:16001,ignoreeof SOCKS4A:127.0.0.1:libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion:6697,socksport=9050,ignoreeof &
$ socat_pid=$!
$ irssi
$ kill ${socat_pid}
===8<----------------------------------------

NickServ on Libera is configured for the user’s pubkey fingerprint.

In the raw log there are two consecutive “CAP REQ”s sent. The 2nd one is redundant and it’s caused by the mere presence of this file:

  ~/.irssi/scripts/server_time.pl

I’ll tag that as sub bug 4.
That file was installed in order to obtain correct message timestamps from ZNC-served connections. The CAP REQ redundancy somehow causes IRSSI to botch the CAP negotiation and mishandle the “AUTHENTICATE +” signal and send a premature CAP END which destroys the handshake. Calling this sub bug 5.

There are 5 bugs here:

 ① JOIN is strangely and needlessly sent after REQ LS
 ② raw log is incomplete and withholds 2 server messages
 ③ IRSSI reports “connection lost” but it was IRSSI that killed it
 ④ the server_time.pl script sends a redundant CAP REQ command
 ⑤ IRSSI fumbles the “AUTHENTICATE +” signal → premature CAP END

* Workaround *

The workaround is to remove ~/.irssi/scripts/server_time.pl. I stress workaround because although connectivity is possible by removing that file, it merely hides bugs 2—5.

-- System Information:
Debian Release: 12.10
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-28-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages irssi depends on:
ii  libc6                        2.36-9+deb12u10
ii  libglib2.0-0                 2.74.6-2+deb12u5
ii  libperl5.36                  5.36.0-7+deb12u1
ii  libssl3                      3.0.15-1~deb12u1
ii  libtinfo6                    6.4-4
ii  perl                         5.36.0-7+deb12u1
ii  perl-base [perlapi-5.36.0]   5.36.0-7+deb12u1

irssi recommends no packages.

Versions of packages irssi suggests:
ii  irssi-scripts  20220704

-- no debconf information
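
The following Python check is an added example, not part of the original report and not irssi code. It scans a raw log in the `<<` (sent) / `>>` (received) form shown in the report for three of the symptoms described: a command sent before registration, a capability repeated in a second CAP REQ, and CAP END sent while a SASL exchange is still open. The function name `audit_handshake` and the embedded log (abridged from the report's raw log, with server NOTICE/LS lines omitted and the wrapped ACK line joined) are assumptions of this example.

```python
import re

# Numerics that end a SASL exchange (IRCv3 SASL: 903 success, 902/904-907 failure).
SASL_DONE = {"902", "903", "904", "905", "906", "907"}

# Abridged from the raw log in the report; "<<" is sent by the client, ">>" received.
RAWLOG = """\
<< CAP LS 302
<< JOIN :
<< CAP REQ :sasl multi-prefix extended-join away-notify chghost account-notify server-time
<< CAP REQ :server-time
>> :palladium.libera.chat 451 * :You have not registered
>> :palladium.libera.chat CAP * ACK :sasl multi-prefix extended-join away-notify chghost account-notify server-time
<< AUTHENTICATE EXTERNAL
>> :palladium.libera.chat CAP * ACK :server-time
<< CAP END
"""

def audit_handshake(rawlog):
    """Return (line_no, finding) tuples for the registration phase of a raw log."""
    findings, requested = [], set()
    sasl_pending = cap_ended = False
    for no, line in enumerate(rawlog.splitlines(), 1):
        # direction, optional ":prefix", command, remainder
        m = re.match(r"(<<|>>) (?::\S+ )?(\S+) ?(.*)", line)
        if not m:
            continue
        direction, cmd, rest = m.groups()
        if direction == ">>":
            if cmd in SASL_DONE:          # server closed the SASL exchange
                sasl_pending = False
            continue
        if cap_ended:                     # only the pre-registration phase is audited
            continue
        if cmd == "CAP" and rest.startswith("REQ"):
            caps = set(rest.partition(":")[2].split())
            dup = caps & requested
            if dup:
                findings.append((no, "redundant CAP REQ: " + " ".join(sorted(dup))))
            requested |= caps
        elif cmd == "AUTHENTICATE":
            sasl_pending = True           # stays open until a SASL_DONE numeric arrives
        elif cmd == "CAP" and rest.startswith("END"):
            cap_ended = True
            if sasl_pending:
                findings.append((no, "CAP END sent before SASL completed"))
        elif cmd not in ("CAP", "NICK", "USER", "PASS"):
            findings.append((no, cmd + " sent before registration"))
    return findings
```

Because the report says irssi's own raw log withholds server messages, a log reconstructed from the packet capture is the more reliable input for this check.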