Chat4all IRC forum
Topic: 2011-09-21: Updated SSL Certificates
FiXato
Co-Net-Administrator of Chat4All IRC Network
« on: September 21, 2011, 08:25:33 PM »

Updated SSL Certificates
It's that time of the year again: we're renewing the SSL certificates of our IRC servers. We choose to renew our certificates annually to make sure they stay fresh and use up-to-date encryption.
A copy of this post has been uploaded to https://www.chat4all.org/ircd-certificates/index.html as well.

SSL? What do you mean?
Our IRC servers support connecting using SSL, Secure Socket Layer, an encryption layer that helps secure your conversations against eavesdropping. We currently support SSL when connecting via ports 6697 or 7001. With SSL all data between the sender and recipient is encrypted (as long as all parties support SSL) using a private key. If you and a friend are both connected using SSL for instance, private messages between you and him will be end-to-end encrypted.
For more details, please read our wiki page on SSL.

A new Certificate Authority
To have full control over our certificates, and to not be affected by the current turmoil caused by recent issues some root CAs have had, we've chosen to create our own Certificate Authority, and sign our certificates with it.
Our public CA can be downloaded from https://www.chat4all.org/ircd-certificates/chat4all-ca.pem.
You can verify the downloaded certificate's SHA1, SHA512 and/or MD5 sum with the following info:
Code:
SHA512 Sum: 4ad04a5ac6eb9e599403e1af99f38792a23ec9e90149ae744eb4088da14aded7cc0cbe0ffa63a9c33b9f63321ef3749f2193f0faa56233d0ded43890ea2c177b
  SHA1 Sum: eba68acdfd5ebfd896da5aaaa530cb7917b14138
   MD5 Sum: 5fa4b3f1193090ed00b3b324c5766e3e

Our public server certificate can be downloaded from https://www.chat4all.org/ircd-certificates/chat4all-server.pem.
You can verify the downloaded certificate's SHA1, SHA512 and/or MD5 sum with the following info:
Code:
Sha512 Sum: bc2964379f6529b91e9c8a2e988ffed9866643255b80047a732e0dd43aa9067b92552501ed782eb7fc2b11a90de1f11dc545c62378b2177ed2d9d4692734a669
  SHA1 Sum: a1c84444e3cbc890dab99b2df6b96554d2b52d5f
   MD5 Sum: f39bbf189c4affea9923835fce2cac5c

In general IRC clients will show something like this when connecting over SSL:
Code:
 subject `C=NL,ST=Noord-Brabant,L=Den Bosch,O=Chat4All,OU=Chat4All IRC,CN=*.chat4all.org,EMAIL=jeroen@wierda.com',
  issuer `C=NL,ST=Noord-Brabant,L=Den Bosch,O=Chat4All,OU=Chat4All IRC,CN=chat4all.org,EMAIL=jeroen@wierda.com',
  RSA key 4096 bits, signed using RSA-SHA,
  activated `2011-09-21 16:29:07 UTC',
  expires `2012-09-20 16:29:07 UTC',
  SHA-1 fingerprint `df9be0734c9590cb4d0a222b9c5d3c2dc75361d1'

You can verify this information as well by connecting to our IRC servers, and issuing /quote helpop ssl.

What does this mean for you?
Since our Certificate Authority (CA) isn't recognised by many clients (but then again, most clients don't verify against system CAs anyway), you'll either have to ignore the 'untrusted issuer/certificate' warning you might get, or you can import our CA and/or the server's certificate.

We have detailed instructions for a few common clients on our SSL Certificate Authority import instructions wiki page, for instance for mIRC, XChat, irssi and WeeChat.
If your IRC client isn't listed there, and you need help importing our Certificate Authority, please contact us in our #help channel.


Need more details?
Those who want to verify the IRC servers' certificates and CA even more can help themselves to this information:

The details of the Certificate Authority Cert with which our certificates are signed are as follows:
Code:
issuer `C=NL,ST=Noord-Brabant,L=Den Bosch,O=Chat4All,OU=Chat4All IRC,CN=chat4all.org,EMAIL=jeroen@wierda.com',
RSA key 4096 bits, signed using RSA-SHA,
Serial Number: e0:99:1d:9f:7d:a7:a8:1e
Validity:
  Not Before: Sep 21 16:27:49 2011 GMT
   Not After: Sep 20 16:27:49 2014 GMT
SHA512 Sum: 4ad04a5ac6eb9e599403e1af99f38792a23ec9e90149ae744eb4088da14aded7cc0cbe0ffa63a9c33b9f63321ef3749f2193f0faa56233d0ded43890ea2c177b
  SHA1 Sum: eba68acdfd5ebfd896da5aaaa530cb7917b14138
   MD5 Sum: 5fa4b3f1193090ed00b3b324c5766e3e

$ openssl x509 -sha1 -in chat4all-ca.pem -noout -fingerprint    
  SHA1 Fingerprint=78:6B:41:1E:40:16:17:85:51:45:D5:12:1B:AD:73:E8:89:FC:24:8E

The details of the Certificate used by the servers are:
Code:
subject `C=NL,ST=Noord-Brabant,L=Den Bosch,O=Chat4All,OU=Chat4All IRC,CN=*.chat4all.org,EMAIL=jeroen@wierda.com',
RSA key 4096 bits, signed using RSA-SHA,
Serial Number: 12:4a:70:4f:1d:46
Validity:
 Not Before: Sep 21 16:29:07 2011 GMT
 Not After : Sep 20 16:29:07 2012 GMT

Sha512 Sum: bc2964379f6529b91e9c8a2e988ffed9866643255b80047a732e0dd43aa9067b92552501ed782eb7fc2b11a90de1f11dc545c62378b2177ed2d9d4692734a669
  SHA1 Sum: a1c84444e3cbc890dab99b2df6b96554d2b52d5f
   MD5 Sum: f39bbf189c4affea9923835fce2cac5c

$ openssl x509 -sha1 -in chat4all-server.pem -noout -fingerprint
  SHA1 Fingerprint=DF:9B:E0:73:4C:95:90:CB:4D:0A:22:2B:9C:5D:3C:2D:C7:53:61:D1
« Last Edit: September 21, 2011, 10:13:08 PM by FiXato »
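
Added example (not part of FiXato's post and not Chat4All's own tooling): a sketch of the two checks the post describes, run against a downloaded PEM file. A file sum covers the PEM file's bytes, while the `openssl x509 -fingerprint` value covers the decoded DER certificate, so the two SHA1 values listed for one certificate are not expected to be equal. The sample PEM is constructed placeholder data, not a real certificate, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample: placeholder bytes wrapped as PEM, NOT a real certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate" * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def normalize(fp: str) -> str:
    """Reduce 'SHA1 Fingerprint=DF:9B:..' or 'df9b..' to bare lowercase hex."""
    return fp.split("=")[-1].replace(":", "").replace(" ", "").strip().lower()


def pem_to_der(pem_text: str) -> bytes:
    """Decode the base64 body between the BEGIN/END lines."""
    body = [ln for ln in pem_text.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def file_sum(pem_text: str, algo: str = "sha512") -> str:
    """Digest of the PEM file exactly as downloaded (the post's 'Sum' values)."""
    return hashlib.new(algo, pem_text.encode("ascii")).hexdigest()


def cert_fingerprint(pem_text: str, algo: str = "sha1") -> str:
    """Digest of the DER certificate (what `openssl x509 -fingerprint` prints)."""
    return hashlib.new(algo, pem_to_der(pem_text)).hexdigest()


def matches(computed: str, published: str) -> bool:
    """Compare digests, ignoring colons, case and an openssl 'Name=' prefix."""
    return hmac.compare_digest(normalize(computed), normalize(published))


def check_download(pem_text: str, published_sum: str, published_fp: str):
    """Return (file_ok, fingerprint_ok) for a downloaded PEM."""
    return (matches(file_sum(pem_text, "sha512"), published_sum),
            matches(cert_fingerprint(pem_text, "sha1"), published_fp))


if __name__ == "__main__":
    # In real use, read the downloaded .pem and pass the values published above.
    good = check_download(SAMPLE_PEM, file_sum(SAMPLE_PEM), cert_fingerprint(SAMPLE_PEM))
    print("untampered sample:", good)
    print("altered sample:   ", check_download(SAMPLE_PEM.replace("Y", "Z", 1),
                                               file_sum(SAMPLE_PEM),
                                               cert_fingerprint(SAMPLE_PEM)))
```

The same `normalize` step is what lets the colon-separated fingerprint printed by openssl be compared with the bare lowercase form an IRC client shows on connect.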
