Topic: 2012-09-20: Updated SSL Certificates

Offline FiXato

  • Co-Net-Administrator of Chat4All IRC Network
  • Administrator
  • Hero Member
  • *****
  • Posts: 1407
  • Dutch Developer in between countries and jobs
    • FiXato.co.uk
2012-09-20: Updated SSL Certificates
« on: September 21, 2011, 09:25:33 PM »
Updated SSL Certificates
It's that time of the year again: we're renewing the SSL certificates of our IRC servers. We choose to renew our certificates annually to make sure they stay fresh and use up-to-date encryption.
A copy of this post has been uploaded to https://www.chat4all.org/ircd-certificates/index.html as well.

SSL? What do you mean?
Our IRC servers support connecting using SSL, Secure Sockets Layer, an encryption layer that helps secure your conversations against eavesdropping. We currently support SSL when connecting via ports 6697 or 7001. With SSL all data between the sender and recipient is encrypted (as long as all parties support SSL) using a private key. If you and a friend are both connected using SSL for instance, private messages between you and him will be end-to-end encrypted.
For more details, please read our wiki page on SSL.

A new Certificate Authority
To have full control over our certificates, and to not be affected by the current turmoil caused by recent issues some root CAs have had, we've chosen to create our own Certificate Authority, and sign our certificates with it.
Our public CA can be downloaded from https://www.chat4all.org/ircd-certificates/chat4all-ca.pem.
You can verify the downloaded certificate's SHA1, SHA512 and/or MD5 sum with the following info:
Code:
SHA512 Sum: 4ad04a5ac6eb9e599403e1af99f38792a23ec9e90149ae744eb4088da14aded7cc0cbe0ffa63a9c33b9f63321ef3749f2193f0faa56233d0ded43890ea2c177b
  SHA1 Sum: eba68acdfd5ebfd896da5aaaa530cb7917b14138
   MD5 Sum: 5fa4b3f1193090ed00b3b324c5766e3e

Our public server certificate can be downloaded from https://www.chat4all.org/ircd-certificates/chat4all-server.pem.
You can verify the downloaded certificate's SHA1, SHA512 and/or MD5 sum with the following info:
Code:
SHA256 Sum: 023fbe0b8b78a56ed8c283a7f6c27dd338a17bdb9a48f66474adaa1adc52c4dc8df6d0ec972c2563e822c70efac4c5fce76d6f229d30a4b2e29b2613af73e7a9
  SHA1 Sum: f66fd2f647e7b107dddeb074ab042bb635cdf17f
   MD5 Sum: 6e095d7a2a253354bff31cdd586b52fa

In general IRC clients will show something like this when connecting over SSL:
Code:
 subject `C=NL,ST=Noord-Brabant,L=Den Bosch,O=Chat4All,OU=Chat4All IRC,CN=*.chat4all.org,EMAIL=jeroen@wierda.com',
  issuer `C=NL,ST=Noord-Brabant,L=Den Bosch,O=Chat4All,OU=Chat4All IRC,CN=chat4all.org,EMAIL=jeroen@wierda.com',
  RSA key 4096 bits, signed using RSA-SHA,
  activated `2011-09-21 16:29:07 UTC',
  expires `2012-09-20 16:29:07 UTC',
  SHA-1 fingerprint `df9be0734c9590cb4d0a222b9c5d3c2dc75361d1'

You can verify this information as well by connecting to our IRC servers, and issuing /quote helpop ssl.

What does this mean for you?
Since our Certificate Authority (CA) isn't recognised by many clients (but then again, most clients don't verify against system CAs anyway), you'll either have to ignore the 'untrusted issuer/certificate' warning you might get, or you can import our CA and/or the server's certificate.

We have detailed instructions for a few common clients on our SSL Certificate Authority import instructions wiki page, for instance for mIRC, XChat, irssi and WeeChat.
If your IRC client isn't listed there, and you need help importing our Certificate Authority, please contact us in our #help channel.


Need more details?
Those who want to verify the IRC servers' certificates and CA even more can help themselves to this information:

The details of the Certificate Authority Cert with which our certificates are signed are as follows:
Code:
issuer `C=NL,ST=Noord-Brabant,L=Den Bosch,O=Chat4All,OU=Chat4All IRC,CN=chat4all.org,EMAIL=jeroen@wierda.com',
RSA key 4096 bits, signed using RSA-SHA,
Serial Number: e0:99:1d:9f:7d:a7:a8:1e
Validity:
  Not Before: Sep 21 16:27:49 2011 GMT
   Not After: Sep 20 16:27:49 2014 GMT
SHA512 Sum: 4ad04a5ac6eb9e599403e1af99f38792a23ec9e90149ae744eb4088da14aded7cc0cbe0ffa63a9c33b9f63321ef3749f2193f0faa56233d0ded43890ea2c177b
  SHA1 Sum: eba68acdfd5ebfd896da5aaaa530cb7917b14138
   MD5 Sum: 5fa4b3f1193090ed00b3b324c5766e3e

$ openssl x509 -sha1 -in chat4all-ca.pem -noout -fingerprint    
  SHA1 Fingerprint=78:6B:41:1E:40:16:17:85:51:45:D5:12:1B:AD:73:E8:89:FC:24:8E

The details of the Certificate used by the servers are:
Code:
Subject: C=NL, ST=Noord-Brabant, L=Den Bosch, O=Chat4All, OU=Chat4All IRC, CN=*.chat4all.org/emailAddress=jeroen@wierda.com
        Validity
            Not Before: Sep 20 20:00:41 2012 GMT
            Not After : Sep 20 20:00:41 2013 GMT
        Serial Number:
            12:4c:c4:4c:4f:f0
SHA256: 023fbe0b8b78a56ed8c283a7f6c27dd338a17bdb9a48f66474adaa1adc52c4dc8df6d0ec972c2563e822c70efac4c5fce76d6f229d30a4b2e29b2613af73e7a9
SHA1:   f66fd2f647e7b107dddeb074ab042bb635cdf17f
MD5:    6e095d7a2a253354bff31cdd586b52fa

$ openssl x509 -sha1 -in server.cert.pem -noout -fingerprint
SHA1 Fingerprint=3D:C4:1C:41:D0:AE:2E:F9:93:63:E3:19:69:DD:38:41:0B:52:C7:4C
« Last Edit: September 21, 2012, 02:49:07 PM by FiXato »
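
The post publishes two kinds of value for each certificate: checksums of the downloaded .pem file and an `openssl x509 -fingerprint` value, which is computed over the certificate's DER encoding, so the two never match each other for the same file. The following is an added example, not part of the original post: it checks a published value against both forms and picks the hash by digest length rather than by label (a 128-hex-character value is SHA-512 sized). Function names are hypothetical and the sample data is constructed.

```python
import hashlib
import hmac
import ssl

# Hex digest length -> hashlib name: the length, not the label, picks the hash.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def normalize(value: str) -> str:
    """Accept 'AB:CD:...' (openssl style) or 'abcd...' (sha1sum style)."""
    return "".join(value.split()).replace(":", "").lower()


def file_digest(pem_bytes: bytes, algo: str) -> str:
    """Hash of the file exactly as downloaded (what sha1sum/sha512sum print)."""
    return hashlib.new(algo, pem_bytes).hexdigest()


def cert_fingerprint(pem_bytes: bytes, algo: str) -> str:
    """Hash of the DER encoding (what `openssl x509 -fingerprint` prints)."""
    der = ssl.PEM_cert_to_DER_cert(pem_bytes.decode("ascii"))
    return hashlib.new(algo, der).hexdigest()


def check_published(pem_bytes: bytes, published: str) -> str:
    """Return 'file', 'fingerprint' or 'mismatch' for one published value."""
    want = normalize(published)
    algo = ALGO_BY_HEX_LEN.get(len(want))
    if algo is None or not set(want) <= set("0123456789abcdef"):
        raise ValueError("not an MD5/SHA-1/SHA-256/SHA-512 sized hex digest")
    if hmac.compare_digest(want, file_digest(pem_bytes, algo)):
        return "file"
    if hmac.compare_digest(want, cert_fingerprint(pem_bytes, algo)):
        return "fingerprint"
    return "mismatch"


# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate " * 4
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    colon_fp = ":".join(f"{b:02X}" for b in hashlib.sha1(SAMPLE_DER).digest())
    for value in (file_digest(SAMPLE_PEM, "sha512"), colon_fp, "00" * 20):
        print(check_published(SAMPLE_PEM, value))
```

When several digests are published for one file, the SHA-512 value is the one to rely on, since MD5 and SHA-1 no longer resist collisions.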

Offline FiXato

Re: 2012-09-20: Updated SSL Certificates
« Reply #1 on: September 21, 2012, 03:57:10 AM »
Today the certs were updated again for another year. If you've accepted our Certificate Authority cert in the past, you should encounter no issues. If you only accepted our server certificate, you might need to import the new one from the above-mentioned URL.