Issue with Connection from OpenBSD

From: Francisco Fuentes
Hi, 

I'm trying to reach out to you guys because I'm trying to make your bouncer
and client work on my server. 


I use OpenBSD and I want the users of my server (in the tilde sense) to
type a simple command and reach the room in an IRC channel, and to be able
to do it through pounce to log the chat and make it persistent and
searchable using litterbox. 

My issue is that I created an unprivileged user to make the pounce connection,
and after some work I managed to run it, but I can't make any connections
due to TLS handshake errors. This is what I'm doing from both sides:

Pounce side:

 doas -u _pounce /bin/ksh -c 'pounce -C /home/_pounce/client1.pem -S localhost -K /home/_pounce/client1.pem -A /home/_pounce/.config/pounce/auth.pem -h irc.tilde.chat'

User side with catgirl (with a self-signed certificate made with the -g
argument):

catgirl -h localhost -c ~/cert.pem

The error is:

pounce: tls_handshake: handshake failed: error:1404A418:SSL routines:ST_ACCEPT:tlsv1 alert unknown ca

---

So the idea is that it works in a simple way for every user of the
server. I guess the error is on the "pounce side".

Thanks in advance.



Re: Issue with Connection from OpenBSD

From: June Bug
> On Nov 17, 2020, at 02:29, Francisco Fuentes <ffuentes@texto-plano.xyz> wrote:
> 
> Hi, 
> 
> I'm trying to reach out to you guys because I'm trying to make your bouncer
> and client work on my server. 
> 
> 
> I use OpenBSD and I want the users of my server (in the tilde sense) to
> type a simple command and reach the room in an IRC channel, and to be able
> to do it through pounce to log the chat and make it persistent and
> searchable using litterbox. 
> 
> My issue is that I created an unprivileged user to make the pounce connection,
> and after some work I managed to run it, but I can't make any connections
> due to TLS handshake errors. This is what I'm doing from both sides:

First, since I’m not sure it’s clear, you’d really need to run one
instance of pounce per user for this to be usable.

> Pounce side:
> 
> doas -u _pounce /bin/ksh -c 'pounce -C /home/_pounce/client1.pem -S localhost -K /home/_pounce/client1.pem -A /home/_pounce/.config/pounce/auth.pem -h irc.tilde.chat'
> 
> User side with catgirl (with a self-signed certificate made with the -g
> argument):
> 
> catgirl -h localhost -c ~/cert.pem
> 
> The error is:
> 
> pounce: tls_handshake: handshake failed: error:1404A418:SSL routines:ST_ACCEPT:tlsv1 alert unknown ca

I’m not sure about this exact error, but in general catgirl wants
to be able to verify the certificate of the server it’s connecting
to. You can try the (intentionally undocumented) --insecure option
to disable verification. I think ideally catgirl would have a way
to explicitly trust the server certificate you’re expecting, but
last time I tried implementing that I couldn’t get it to work.
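
The verification failure June describes, reproduced with the openssl(1) command line as an editor-added example (not code from the thread, from pounce or from catgirl). A self-signed certificate is generated, an openssl s_server presents it, and a client that verifies the server certificate is run twice: once against its default trust store, where the self-signed certificate is unknown, and once with that exact certificate pinned via -CAfile, the explicit trust June says she would like catgirl to have. In OpenSSL-style error strings "tlsv1 alert unknown ca" is raised by the side that receives the alert, so in the thread's ST_ACCEPT error pounce is reporting an alert sent by catgirl; the first run below makes the server log the same kind of line. Assumptions: openssl is installed, 127.0.0.1 port 44331 (override with TLS_DEMO_PORT) is free, and the file names under the temporary directory are chosen for this demo; the exact wording of the logged error differs between OpenSSL and LibreSSL versions.

```shell
#!/bin/sh
# Editor-added example, not code from the thread or from pounce/catgirl.
# Reproduces a client refusing a self-signed server certificate (the server
# then logs "alert unknown ca") and shows that pinning that exact certificate
# as the client's CA file makes the handshake succeed.
# Assumptions: openssl(1) is installed and 127.0.0.1:$TLS_DEMO_PORT
# (default 44331) is free. All file names below are chosen for this demo.
set -u

WORK=$(mktemp -d)
PORT=${TLS_DEMO_PORT:-44331}
SERVER_PID=
trap 'kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"' EXIT

# Self-signed key and certificate, the same kind of thing catgirl -g produces
# (catgirl writes both into one PEM; two files here for clarity).
gen_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# TLS server presenting that certificate; wait until it accepts connections.
# The readiness probe deliberately verifies nothing.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -www >"$WORK/server.log" 2>&1 &
    SERVER_PID=$!
    for i in 1 2 3 4 5 6 7 8 9 10; do
        if openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
    done
    return 1
}

# One verifying client handshake. Extra arguments are passed to s_client.
# -verify_return_error makes a verification failure fatal, as it is in a
# client such as catgirl. Prints "ok" or "fail".
handshake() {
    if openssl s_client -connect "127.0.0.1:$PORT" -verify 1 -verify_return_error \
            "$@" </dev/null >/dev/null 2>"$WORK/client.log"; then
        echo ok
    else
        echo fail
    fi
}

gen_self_signed || { echo "certificate generation failed" >&2; exit 1; }
start_server || { echo "no server on 127.0.0.1:$PORT" >&2; exit 1; }

# 1. Default trust store: the self-signed certificate is unknown there, the
#    client sends an unknown_ca alert, and the server side records it.
RESULT_UNTRUSTED=$(handshake)
# 2. Explicit trust in the one certificate the client expects.
RESULT_PINNED=$(handshake -CAfile "$WORK/cert.pem")

echo "default trust store: $RESULT_UNTRUSTED"   # fail
echo "pinned server cert:  $RESULT_PINNED"      # ok
echo "server-side log line:"
grep -i 'alert unknown ca' "$WORK/server.log" | head -n 1
```

Run it as `sh tls-unknown-ca.sh`; the last line printed is the server's view of the first handshake, which is the counterpart of the pounce error in the thread. The second handshake succeeds without turning verification off, which is the difference between pinning the expected certificate and catgirl's --insecure option.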