Bug ID 1180646
Summary weechat gnutls fails to handshake with irc.freenode.net
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware x86-64
OS openSUSE Tumbleweed
Status NEW
Severity Normal
Priority P5 - None
Component Network
Assignee screening-team-bugs@suse.de
Reporter maciek.borzecki@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

I can no longer connect to irc.freenode.net:6697 using TLS. 

2021-01-07 09:44:18     --      irc: connecting to server
chat.freenode.net/6697 (SSL)...
2021-01-07 09:44:18     --      gnutls: connected using 2048-bit Diffie-Hellman
shared secret exchange
2021-01-07 09:44:18     --      gnutls: receiving 2 certificates
2021-01-07 09:44:18     --       - certificate[1] info:
2021-01-07 09:44:18     --         - subject `CN=cherryh.freenode.net', issuer
`CN=R3,O=Let's Encrypt,C=US', serial 0x036e974628cdb62f9573da5f2026d2d6f08d,
RSA key 4096 bits, signed using RSA-SHA256, activated `2020-12-21 04:36:36
UTC', expires `2021-03-21 04:36:36 UTC',
pin-sha256="L/oAJaKLkR6Xc+xTQ7hGlDy1bSKrBxhAe1XX5nEKhd8="
2021-01-07 09:44:18     --       - certificate[2] info:
2021-01-07 09:44:18     --         - subject `CN=R3,O=Let's Encrypt,C=US',
issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
0x400175048314a4c8218c84a90c16cddf, RSA key 2048 bits, signed using RSA-SHA256,
activated `2020-10-07 19:21:40 UTC', expires `2021-09-29 19:21:40 UTC',
pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
2021-01-07 09:44:18     =!=     gnutls: peer's certificate is NOT trusted
2021-01-07 09:44:18     =!=     gnutls: peer's certificate issuer is unknown
2021-01-07 09:44:18     =!=     irc: TLS handshake failed
2021-01-07 09:44:18     =!=     irc: error: Error in the certificate.


However, gnutls-cli verifies the host successfuly:

maciek@sloop:~ gnutls-cli irc.freenode.net:6697                                
                                                                               
                                             <<< 1 ���������
Processed 414 CA certificate(s).
Resolving 'irc.freenode.net:6697'...
Connecting to '38.229.70.22:6697'...
- Successfully sent 0 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=card.freenode.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial
0x03032b92fa80b713489a422d961becbf9683, RSA key 4096 bits, signed using
RSA-SHA256, activated `2020-12-21 05:48:33 UTC', expires `2021-03-21 05:48:33
UTC', pin-sha256="kK+ut4A5qoGqyxfORm/2KPeU2VoCvz5WGDdesWNtNVY="
        Public Key ID:
                sha1:53120e4f66b512f3f82597b1e0f0384e60a0a58d
               
sha256:90afaeb78039aa81aacb17ce466ff628f794d95a02bf3e5618375eb1636d3556
        Public Key PIN:
                pin-sha256:kK+ut4A5qoGqyxfORm/2KPeU2VoCvz5WGDdesWNtNVY=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital
Signature Trust Co.', serial 0x400175048314a4c8218c84a90c16cddf, RSA key 2048
bits, signed using RSA-SHA256, activated `2020-10-07 19:21:40 UTC', expires
`2021-09-29 19:21:40 UTC',
pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Status: The certificate is trusted. 
- Description:
(TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

:card.freenode.net NOTICE * :*** Looking up your hostname...
:card.freenode.net NOTICE * :*** Checking Ident
:card.freenode.net NOTICE * :*** No Ident response
:card.freenode.net NOTICE * :*** Found your hostname


Package versions:
gnutls-3.6.15-2.1.x86_64
libgnutls30-32bit-3.6.15-2.1.x86_64
libgnutls30-3.6.15-2.1.x86_64
libgnutls-dane0-3.6.15-2.1.x86_64
weechat-3.0-1.2.x86_64

You are receiving this mail because: