tls handshake failure #972

Closed
ralphee opened this issue Apr 28, 2017 · 21 comments
Labels: feature New feature request

@ralphee commented Apr 28, 2017

22:58 =!= gnutls: peer's certificate is NOT trusted
22:58 =!= gnutls: peer's certificate issuer is unknown
22:58 =!= irc: TLS handshake failed
22:58 =!= irc: error: Error in the certificate.

@weechatter (Contributor)

Check your certificate. You can try: /set irc.server..ssl_verify off

Better /join #weechat channel

@flashcode flashcode added bug Unexpected problem or unintended behavior question General question and removed bug Unexpected problem or unintended behavior labels Apr 29, 2017
@flashcode (Member)

Hi,

This is not a bug, but the expected behavior.

When the certificate is not trusted (in your case the issuer is unknown), WeeChat refuses to connect.
Either check why the issuer is unknown, or if you really trust the certificate anyway, you can set the option irc.server.xxx.ssl_fingerprint (or even irc.server.xxx.ssl_verify off but this disables all checks).
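The two escape hatches named above differ a lot in what they still verify. As an added example (not WeeChat's own code), this Python snippet shows what a fingerprint pin in the spirit of `irc.server.xxx.ssl_fingerprint` actually checks: one exact certificate, compared in constant time, with no issuer or chain involved. `SAMPLE_DER` is a constructed byte string standing in for a real DER certificate, and the function names are this example's own.

```python
"""Fingerprint pinning check, in the spirit of irc.server.xxx.ssl_fingerprint.

Added example, not WeeChat's own code. A pin replaces trust in the issuer
with trust in one specific certificate; ssl_verify off replaces it with
nothing at all.
"""
import base64
import hashlib
import hmac
import ssl


def fingerprint_sha256(der_bytes):
    """Hex SHA-256 of a DER-encoded certificate, the usual form of a pin."""
    return hashlib.sha256(der_bytes).hexdigest()


def fingerprint_from_pem(pem_text):
    """Same, starting from a PEM certificate as found in a CA bundle."""
    return fingerprint_sha256(ssl.PEM_cert_to_DER_cert(pem_text))


def pin_matches(der_bytes, pins):
    """True if the presented certificate matches one of the configured pins.

    Pins may be given as "aa:bb:..." or plain hex in either case. The
    comparison is constant-time. No chain, expiry or hostname check happens
    here, which is why a pin must be obtained out of band (from the server
    operator), not copied from the error message of the failing connection.
    """
    fp = fingerprint_sha256(der_bytes)
    return any(hmac.compare_digest(fp, p.lower().replace(":", "")) for p in pins)


# Constructed sample: not a real certificate, just bytes to hash.
SAMPLE_DER = b"constructed-sample-der-certificate-bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    pin = fingerprint_sha256(SAMPLE_DER)
    print("pin:", pin)
    print("matches own pin:", pin_matches(SAMPLE_DER, [pin.upper()]))
    print("matches wrong pin:", pin_matches(SAMPLE_DER, ["00" * 32]))
```

In a real client the DER bytes would come from the peer (for Python's `ssl` module, `getpeercert(binary_form=True)`), and the pin would be stored in configuration the same way WeeChat stores `ssl_fingerprint`.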

@ralphee (Author) commented Apr 29, 2017

@flashcode (Member) commented Apr 29, 2017

Then please check that the option weechat.network.gnutls_ca_file points to the file with all certificates on your distribution.

@flashcode flashcode added the waiting info Waiting for info from author of issue label Apr 29, 2017
@ralphee (Author) commented Apr 29, 2017

@flashcode https://i.imgur.com/APN7shK.png

changed path to /etc/ca-certificates/extracted/ca-bundle.trust.crt

and still get the handshake error

@flashcode (Member)

Are you sure this is the good file to use with this option?
Anyway as I said it's not a WeeChat issue, but a problem with the certificates installed on your machine.

@flashcode (Member)

So I can close this issue?

@ralphee (Author) commented May 2, 2017

@flashcode Yeah pls close... Thxs everyone for the feedback!!

@flashcode flashcode removed the waiting info Waiting for info from author of issue label May 3, 2017
@dust321 commented Nov 10, 2018

I have the same issue in Arch and FreeBSD 11.4, guess this hasn't been fixed?

@weechatter (Contributor)

As already said, it's not a WeeChat issue but a problem with the certificates installed on your machine.

@HomingHamster

I'm seeing this despite setting ssl_verify off

@flashcode (Member)

@HomingHamster : with ssl_verify set to off, you shouldn't see any certificate error.
Are you sure you disabled it on the appropriate IRC server?

@ghost commented Sep 9, 2020

So, for Linux distros, there is a ca-certificates package that is usually installed by default. It installs certs (for Debian at least) to /etc/ssl/certs. You can do a sudo find / -name ca-certificates.conf and look at the top level comments to see where the cacerts are precisely installed on your machine.

If you take a look in the directory where the certs are installed (e.g., /etc/ssl/certs), there is a file called ca-certificates.crt. You want to add that file so Weechat knows about it.

You can do this by setting an environment variable as @flashcode mentioned earlier:

/set weechat.network.gnutls_ca_file "/etc/ssl/certs/ca-certificates.crt"

Turn SSL verification back on if you disabled it.

NOTE: A little more work is required for FreeBSD users. See https://freenode.net/kb/answer/chat.

@eklitzke

FYI I ran into this bug when I copied my weechat configs from a Centos host to a Debian host, and wanted to share what I found in case anyone else runs into this issue from Googling (as I did). On Centos my weechat.conf had:

gnutls_ca_file = "/etc/pki/tls/certs/ca-bundle.crt"

This is correct on Centos/Fedora, but not right on Debian. In fact, the default value for gnutls_ca_file in the weechat source code is the correct value on Debian: /etc/ssl/certs/ca-certificates.crt. Just unsetting the value will restore it to the correct default value, or you can manually set it as explained in the comment above.

@weechatter (Contributor)

It's not a bug, it's a warning ;-)
and it's highly recommended not to edit conf files manually, and it's not needed.

This is lot easier:
/set weechat.network.gnutls_ca_file "/etc/ssl/certs/ca-certificates.crt"
or
/set weechat.network.gnutls_ca_file "/etc/pki/tls/certs/ca-bundle.crt"

@acorello commented May 8, 2021

I had the same problem on openSUSE. The documentation of the distribution advises NOT to use paths in the application. Such paths can change from distribution to distribution. In fact my configuration was working on Void Linux and failed on openSUSE.

This is what I found in one of the files.

# Use of this file is deprecated and should only be used as last
# resort by applications that do not support p11-kit or reading /etc/ssl/certs.
# You should avoid hardcoding any paths in applications anyways though. Use
# functions that know the operating system defaults instead:
#
# - openssl: SSL_CTX_set_default_verify_paths()
# - gnutls: gnutls_certificate_set_x509_system_trust(cred)

So it seems weechat configuration could be made to work on any distribution by calling to the gnutls helper function?

@weechatter do you know if this has been considered?

@flashcode (Member)

@protoboolean: interesting, I'll make tests with this GnuTLS function and use it if it works fine.

So we could have this behavior:

  • Remove the CMake/configure option CA_FILE.
  • Always load system certificates on startup.
  • Use the existing option weechat.network.gnutls_ca_file to add extra user certificates if needed. Change the default value of option to empty string (no extra certificate loaded).

@flashcode flashcode reopened this May 8, 2021
@flashcode flashcode self-assigned this May 8, 2021
@flashcode flashcode added feature New feature request and removed question General question labels May 8, 2021
@flashcode flashcode added this to the 3.2 milestone May 8, 2021
@flashcode (Member)

Changes actually made:

  • New boolean option weechat.network.gnutls_ca_system.
  • Option weechat.network.gnutls_ca_file renamed to weechat.network.gnutls_ca_user, multiple files allowed (separated by colons).
  • Build option CA_FILE removed.
  • Certificates are purged and reloaded when options are changed.
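Most of this thread is people pointing `gnutls_ca_file` at a path that is either wrong for their distribution or not a CA bundle at all, and the 3.2 change above moves the default to the system trust store with `gnutls_ca_user` as a colon-separated list of extra files. The following Python script is an added example (not WeeChat's own code) that checks such a configuration offline: it splits a `gnutls_ca_user`-style value, reports for each file whether it exists and how many well-formed PEM certificate blocks it contains, and shows what the TLS library would pick on its own (the `ssl` module's default verify paths, the same idea as `gnutls_certificate_set_x509_system_trust`). The distribution paths in `KNOWN_BUNDLES` are the ones named in this thread; `SAMPLE_BUNDLE` is a constructed PEM text with two decodable blocks and one deliberately broken one, and all function names are this example's own.

```python
"""Sanity-check the CA bundle path(s) a WeeChat configuration points at.

Added example, not WeeChat's own code. Covers both the single-file
weechat.network.gnutls_ca_file (WeeChat <= 3.1) and the colon-separated
weechat.network.gnutls_ca_user (WeeChat >= 3.2) described in this issue.
"""
import base64
import binascii
import os
import re
import ssl

# Bundle locations named in this thread (distribution defaults).
KNOWN_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",                  # Debian / Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",                    # CentOS / Fedora
    "/etc/ca-certificates/extracted/ca-bundle.trust.crt",  # Arch (tried by the author)
    "/usr/local/etc/openssl/cert.pem",                     # macOS, Homebrew openssl
]

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_ca_user(value):
    """Split a gnutls_ca_user value (colon-separated, WeeChat >= 3.2) into paths."""
    return [p for p in value.split(":") if p]


def count_pem_certs(text):
    """Return (valid, broken): PEM blocks whose base64 body decodes, and those that don't.

    This checks the container format only; a block that decodes is not
    thereby a valid X.509 certificate, but a file with zero decodable
    blocks is certainly not a CA bundle.
    """
    valid = broken = 0
    for body in _PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
            valid += 1
        except (binascii.Error, ValueError):
            broken += 1
    return valid, broken


def check_bundle_file(path):
    """Describe whether `path` looks like a usable CA bundle."""
    if not os.path.isfile(path):
        return {"path": path, "exists": False, "certs": 0, "broken": 0}
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        valid, broken = count_pem_certs(fh.read())
    return {"path": path, "exists": True, "certs": valid, "broken": broken}


def check_ca_user(value):
    """Check every file in a gnutls_ca_user-style value."""
    return [check_bundle_file(p) for p in parse_ca_user(value)]


def system_default_bundle():
    """The CA file the TLS library would use with no path configured at all."""
    paths = ssl.get_default_verify_paths()
    return paths.cafile or paths.openssl_cafile


def find_known_bundle():
    """First of the distro paths from the thread that exists on this host, else None."""
    for p in KNOWN_BUNDLES:
        if os.path.isfile(p):
            return p
    return None


def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: two decodable blocks plus one whose body is not base64.
SAMPLE_BUNDLE = (
    _pem(b"constructed-not-a-real-cert-1")
    + _pem(b"constructed-not-a-real-cert-2")
    + "-----BEGIN CERTIFICATE-----\n%%% not base64 %%%\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("system default bundle:", system_default_bundle())
    print("first known bundle present:", find_known_bundle())
    for report in check_ca_user(":".join(KNOWN_BUNDLES)):
        print(report)
    print("constructed sample (valid, broken):", count_pem_certs(SAMPLE_BUNDLE))
```

Run it on the host where WeeChat fails to connect: a report with `exists: False` or `certs: 0` for the configured path explains a "peer's certificate issuer is unknown" error without touching `ssl_verify`, and `system_default_bundle()` is the path to use (or, on WeeChat 3.2 and later, the reason no path needs configuring).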

@guodong000

On macOS:
If openssl is installed by Homebrew,
just /set weechat.network.gnutls_ca_user "/usr/local/etc/openssl/cert.pem"

@comradekingu

@flashcode (Member)

@comradekingu: yes, this is for WeeChat ≤ 3.1, as mentioned in the sentence above.
And with WeeChat ≥ 3.2, nothing needed, it's automatic.

This must be removed eventually, perhaps it's time to do it.
