Having to re-set the weechat.network.gnutls_ca_user env variable every single session. #1763
Comments
|
Hi, The option Can you just connect fine when you run WeeChat with default config? Anyway there's maybe a bug, could you please give the steps to reproduce the problem, starting with the default config and providing commands to cause the issue? Thanks. |
|
I did not realize that the option Starting from the default config:
Encounter cert issues:
It's starting to look like a bug to me. |
|
I can reproduce it with those steps. |
It's quite interesting that when WeeChat successfully reconnects to I wonder if there is a way to make it so that for servers without a valid certificate only, WeeChat will just go ahead and connect to it instead of attempting to verify again? I'd still prefer to keep my |
|
If the certificate is not valid, WeeChat is supposed to NEVER connect to it, unless you explicitly force the connection to bypass the certificate checking (with IRC options). If playing with option |
You're still using an encrypted TLS connection even though the certificate is not verified. The server has no way of knowing if you verified the certificate or not, so whois shows it as secure.
I assume you mean disable verification for specific servers, since just connecting to all servers without a valid certificate would be the same as just not doing any verification. There's a couple of options here:
|
…hanged (issue #1763) When changing the options weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, the GnuTLS credentials are freed then allocated again, but the verification function used to check the certificate on connection is not set again. As a consequence, any TLS connection is made without checking the certificate. This regression was introduced in version 3.2, when the options were changed to automatically load system certificates without having to give the path, and to let user give an extra custom path with certificates.
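The regression pattern described in the commit message above, as a simplified C model added here. It is not WeeChat's code and does not call GnuTLS; every name in it and the "Example Root CA" value are constructed assumptions. It shows a credentials object being freed and reallocated, where the certificate check only survives if the callback is registered again.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model only: not GnuTLS and not WeeChat code; all names are hypothetical. */
typedef int (*verify_fn)(const char *issuer, const char *trusted_ca);

struct creds {
    char trusted_ca[64];  /* stands in for the loaded CA bundle */
    verify_fn verify;     /* certificate check run at handshake time */
};

static int verify_issuer(const char *issuer, const char *trusted_ca) {
    const char *a = issuer, *b = trusted_ca;
    while (*a && *a == *b) { a++; b++; }
    return (*a == *b) ? 0 : -1;  /* 0 = trusted issuer, -1 = rejected */
}

/* Regression pattern: free + allocate again, callback not set again. */
static struct creds *reload_buggy(struct creds *old, const char *ca) {
    struct creds *c;
    free(old);
    c = calloc(1, sizeof(*c));  /* verify starts out as NULL */
    if (c) snprintf(c->trusted_ca, sizeof(c->trusted_ca), "%s", ca);
    return c;
}

/* Fixed pattern: every reallocation registers the callback again. */
static struct creds *reload_fixed(struct creds *old, const char *ca) {
    struct creds *c = reload_buggy(old, ca);
    if (c) c->verify = verify_issuer;
    return c;
}

/* Guard a caller can check before opening a TLS connection. */
static int creds_ready(const struct creds *c) { return c && c->verify != NULL; }

/* Modelled handshake: with no callback registered, nothing checks the
 * certificate, so any issuer is accepted (0). */
static int handshake(const struct creds *c, const char *issuer) {
    if (!c) return -1;
    return c->verify ? c->verify(issuer, c->trusted_ca) : 0;
}

int main(void) {
    struct creds *c = reload_buggy(NULL, "Example Root CA");  /* constructed */
    printf("buggy: ready=%d unknown issuer -> %d\n", creds_ready(c), handshake(c, "Unknown CA"));
    c = reload_fixed(c, "Example Root CA");
    printf("fixed: ready=%d unknown issuer -> %d\n", creds_ready(c), handshake(c, "Unknown CA"));
    free(c);
    return 0;
}
```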
Question
Every time I start a session of Weechat and attempt to connect to a server, if the weechat.network.gnutls_ca_user config option has already been set to anything, or even nothing at all, and even when it has been correctly set to "/etc/ssl/certs/ca-certificates.crt" from previous sessions, I always encounter certificate issues with GnuTLS and thus TLS handshake will fail, disallowing me from making a secure connection to any server (non-SSL connections still work, of course).

However, if I then proceed to /set weechat.network.gnutls_ca_user to something else, and then after that, set it to the correct value with /set weechat.network.gnutls_ca_user "/etc/ssl/certs/ca-certificates.crt", Weechat will handle SSL certificates and connect just fine like it is supposed to. But when I quit and the next time I start Weechat, the same issue shows up again, and then I have to manually set that configuration to something else wrong on purpose, then set it back right again, even when it is already correctly set from the get go!

I have already tried to find a way to circumvent this issue by starting weechat with a new config weechat --dir /tmp/weechat, and even there, the same issue happens after I quit and restart.

Right now, my only option to get around this issue is to probably use a script that can /set weechat.network.gnutls_ca_user to something different each time I quit the client, and then set the weechat client to run the correct /set command option on startup. Still though, I'd rather seek help to see why exactly my WeeChat is behaving this way.