[SSL ERROR]: too large

Slyde
Posts: 7
Joined: Fri Jan 04, 2019 4:17 am

Post by Slyde »

I just got Unreal up and running. However, when I try the SSL connection, I get the following error:

Code:

[SSL ERROR]: too large
[SOCKET ERROR]: Secure Socket Layer error

This is a new server and it came with openssl pre-installed. Through the limited information I cld find on this, it points to being a server-side issue and is also probably unrelated to Unreal. But, since Unreal is all I'm using this server for, I was wondering if someone here might know what I can do to get SSL to work for Unreal?

Here's a paste to a connection attempt.

Any help with this wld be so cool. Thanks.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Re: [SSL ERROR]: too large

Post by Syzop »

Code:

[21:07:57] There are 1 users and 1 invisible on 1 servers
[21:07:57] [SSL ERROR]: too large
[21:07:57] [SOCKET ERROR]: Secure Socket Layer error
[21:07:57] Connection terminated

I've never seen this before: it gives this error half-way through the LUSERS info? Odd..

Did you say it depends on the client software that is used? Have you tried a couple of different client brands and is it consistently only with one client brand?

Post by Slyde »

I got in with hexchat via ssl. But weechat, bitchx and kvirc all give errors. Man, I need help on this big time. Been at it for two now. Wiping the drive, reinstalling the OS and software...all for a 20 minute set up routine. I was getting same thing on Inspircd. So I tried your Unreal. This is a nightmare! What can I do to help you help me?

In addition, a friend of mine just used Mibbit and irccloud and got on @ 6697. So some clients are accepting whatever's going on here, but the major clients like bitchx and weechat aren't.

Post by Slyde »

This is interesting. I just ran nmap and port 6697 isn't even in use. Yet people are getting a secure connection on it.

Code:

root@xtremeirc:~# nmap -sT -O localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-04 12:12 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
6667/tcp open  irc
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.11
Network Distance: 0 hops

Code:

[irc.xtremeirc.net]: *** Client connecting: irccloud ([email protected]) [192.184.10.118] {clients} [secure ECDHE-RSA-AES256-GCM-SHA384]

Code:

[irc.xtremeirc.net]: *** Client connecting: mibbit ([email protected]) [1x1.129.202.38] {clients} [secure ECDHE-RSA-AES256-SHA]

Code:

[irc.xtremeirc.net]: *** Client connecting: ghost_ ([email protected]) [000.000.208.3] {clients} [secure ECDHE-RSA-AES256-GCM-SHA384]

That's three connections that used port 6697 and made it in via SSL. I don't understand. I mean, I just now used hexchat again and connected to port 6697 and I can see where I indeed connected and have a secure line. But running nmap again shows nothing's happening with that port.

Post by Syzop »

By default nmap does not scan all ports (1-65535), only the "most common ports", the "Not shown: 996 closed ports" is a small hint with regards to that. You have to use -p <portrange(s)> and then you'll see the port is open.
Anyway, off-topic. Let's get back to your issue:
> I got in with hexchat via ssl. But weechat, bitchx and kvirc all give errors. Man, I need help on this big time. Been at it for two now. Wiping the drive, reinstalling the OS and software...all for a 20 minute set up routine. I was getting same thing on Inspircd. So I tried your Unreal. This is a nightmare! What can I do to help you help me?
>
> In addition, a friend of mine just used Mibbit and irccloud and got on @ 6697. So some clients are accepting whatever's going on here, but the major clients like bitchx and weechat aren't.

Can you connect with those clients to other servers? In particular irc.unrealircd.org (6697 as usual)

1. What is your UnrealIRCd version?
2. What is your OpenSSL version? Preferably the OpenSSL version it shows at "./unrealircd start" (you can do that without restarting your servers, if it's already running it will simply spit out address already in use errors and not start).
3. What OS are you using? (eg: for Linux 'lsb_release -av')
4. Did you set anything in your set::ssl block? (Just checking, as using custom settings for ciphers and things like that can easily screw up clients).

Post by Slyde »

> Can you connect with those clients to other servers? In particular irc.unrealircd.org (6697 as usual)

Yes. So I'm beginning to think my self-signed certificate is the problem. But damn! Wasn't ever like that before.

> 1. What is your UnrealIRCd version?

4.2.1

> 2. What is your OpenSSL version?

OpenSSL 1.0.1t

> 3. What OS are you using?

I've been trying to setup on Deb 9, but just did a fresh install of Deb 8.

> 4. Did you set anything in your set::ssl block?

I didn't.

*********************************************************************************
This is what it looks like when i start the ircd:

Code:

Loading IRCd configuration..
Configuration loaded without any problems.
Loading tunefile..
Initializing SSL..
Dynamic configuration initialized.. booting IRCd.
UnrealIRCd is now listening on the following addresses/ports:
IPv4: 127.0.0.1:6900(SSL), *:6697(SSL), *:6667
IPv6: 2a06:3d81:7:b:c:d:e:f:7005(SSL), *:6697(SSL), *:6667
UnrealIRCd started.
ircd@xtremeirc:~/unrealircd$

Post by Syzop »

Thanks for the version numbers. Nothing out of the ordinary there. A configuration used by many people, Debian 9 in particular.

> I'm beginning to think my self-signed certificate is the problem. But damn! Wasn't ever like that before.

It is true that clients are becoming more strict with regards to self-signed certificates, yes. But I would say that would not explain a disconnect half-way through LUSERS, it should have disconnected in the SSL handshake phase (before you even see any IRC stuff), so that is what spotted my attention. Also, I would expect the client to print out an error regarding the certificate then, which it didn't in your (first) paste.

You also said "weechat, bitchx and kvirc all give errors", but what errors are they giving?

If you are ok with it, you could post the IP of the server here so people can try to connect, see what happens.

Post by Slyde »

> You also said "weechat, bitchx and kvirc all give errors", but what errors are they giving?

From weechat:

Code:

│06:18:02 xtremessl =!= | gnutls: the hostname in the certificate
│                       | does NOT match "irc.xtremeirc.net"
│06:18:02 xtremessl =!= | gnutls: peer's certificate is NOT trusted
│06:18:02 xtremessl =!= | gnutls: peer's certificate issuer is
│                       | unknown
│06:18:02 xtremessl =!= | irc: TLS handshake failed
│06:18:02 xtremessl =!= | irc: error: Error in the certificate.

From KVirc:

Code:

[SSL ERROR]: too large
[SOCKET ERROR]: Secure Socket Layer error

> If you are ok with it, you could post the IP of the server here so people can try to connect, see what happens.

Not a problem.

irc.xtremeirc.net:6697
185.198.56.140:6697
2a06:3d81:7:b:c:d:e:f +6697


I just reinstalled the server OS again, Debian 9. This is what I put on it:

Code:

apt install g++ tcl tcl-dev pkg-config postfix apache2 alpine cmake make build-essential openssl libcurl4-openssl-dev zlib1g zlib1g-dev zlibc libgcrypt11-dev libssl-dev libgnutls-openssl-dev

Am I missing something that cld be causing this problem?
Last edited by Slyde on Sun Jan 06, 2019 2:40 pm, edited 1 time in total.
HeXiLeD
Posts: 51
Joined: Mon Jan 16, 2017 8:07 pm
Location: online

Re: [SSL ERROR]: too large

Post by HeXiLeD »

There is nothing wrong with the server and ssl/tls on the server side.

This is pure pebcak client side.
Sometimes related to what the client is capable of handling in regards to cyphers used in effect by the server.

If the server specifies only a few cyphers to use and or a specific ssl or tls version to be in effect and the client is not able to handle it or has support for it, it will not connect.

I've connected with crappy clients.

Test it:

Code:

openssl s_client -connect localhost:6697

Constructive criticism leads to evolution and progress. Negative criticism leads to obsolescence. We are not in the 90's IRC world anymore.
CertFP: d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244

Post by Syzop »

Unfortunately I'll be gone for the day now, but just a quick post:
> │06:18:02 xtremessl =!= | gnutls: the hostname in the certificate
> │                       | does NOT match "irc.xtremeirc.net"
> │06:18:02 xtremessl =!= | gnutls: peer's certificate is NOT trusted
> │06:18:02 xtremessl =!= | gnutls: peer's certificate issuer is
> │                       | unknown
> │06:18:02 xtremessl =!= | irc: TLS handshake failed
> │06:18:02 xtremessl =!= | irc: error: Error in the certificate.

What you post from weechat is indeed because of the certificate being self-signed. That can only be fixed by using a real certificate, with the correct name, etc. or by configuring your client to ignore such things. Naturally the first is preferred over the latter ;).

The kvirc error I do not know at this point.. I guess that was the original client you were referring to.

The server on irc.unrealircd.org uses more strict ciphers than standard, so it would be odd if you can connect to irc.unrealircd.org with kvirc but not to your own server. Then perhaps it too is related to the certificate, if so then the error should be more clear IMO :D. I would have tested with kvirc myself but I saw your message too late, got to go now.

Post by HeXiLeD »

Test also

Code:

# nmap --script ssl-enum-ciphers -p6697 localhost

As for weechat:

Code:

irc.server.netname.ssl_verify = off
irc.server.netname.ssl_priorities = NORMAL:-VERS-SSL3.0

SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2 or SECURE256:-VERS-TLS-ALL:+VERS-TLS1.3 might be too high for your setup.

Again, client side pebcak.
I actually use these and related methods to prevent bot connections and irc clients that are pure garbage.
If a client cannot deal with a specific cypher, it will never connect

You can also specify which cyphers to use on the server.

Post by Slyde »

Syzop & HeXiLeD: I appreciate your time and feedback. I'll get a wildcard cert and go from there. I think that's my best option, at this point. Again, thank you both for your guidance.

Post by Syzop »

HeXiLeD, his problem is not due to TLS versions or ciphers as he said before he can connect fine to irc.unrealircd.org, which only permits TLSv1.2 and PFS ciphersuites at the moment. Saying his new wildcard cert would not help anything is incorrect too, as the weechat error he pasted was due to the self-signed certificate (well, and the hostname being incorrect).

MOD EDIT: I have deleted the posts from two users that did not help this user further and turned this into some kind of war thread :D

Post by Slyde »

With Unreal 4.2.1 up and running, I saw yesterday where someone SSL connected with KVirc 4.9.3, same version as I use. They were there almost 10 minutes. But no matter how I switch the three settings on KVirc for SSL, I can't get it to work. No big deal. What's a big deal to me at this point is not being able to use BitchX or weechat. And while I'm sure everyone wld be able to connect using either of them, I can't. No one has a problem connecting except me. AND I HATE HEXCHAT! But that's all I seem to be able to use with SSL.

So, I see this no longer as an Unreal issue and will close this. It's evident that the problem's local to me. I appreciate your help, Syzop. There are a few things abt Unreal that I don't understand, but I'll open new tickets for them.

Thanks.

Post by Syzop »

Glad to hear. And I'm probably the KVirc user you are referring to. I connected with the kvirc 4.9.3 package installed on Ubuntu 18.04, nothing special configured, just /server -s irc.xtremeirc.net 6697 from a brand new installation and indeed it worked. I disconnected myself after some time.

One small thing: with SSL/TLS and verifying certificates (if this is enabled, as is the default on some clients), there's a difference between connecting to irc.example.net and connecting to 1.2.3.4 (or 127.0.0.1). The latter will always fail standard certificate validation since it tries to validate the name, which it cannot do if you connect by IP address. So, just a small thing to consider.

Also, important: I think your kvirc problem may be entirely different (not to mention strange) than the problems you had with those other clients (which is about certificate validation).

UPDATE:
One last thing to add: I also tested with kvirc 4.9.3 connecting to UnrealIRCd on localhost on a SSL/TLS port. This worked fine for me, no strange connection reset like you had in your initial post. Also tried with an extra large motd. Nothing.

Anyway, like you said, this sounds more like a client issue than something with UnrealIRCd.

I'll close this thread since as you said you'll bring it up when you have something new and to discourage the other 2 users fighting here that are not helping you with the actual problem at hand.
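
The name check discussed in this thread (hostname mismatch, connecting by IP address, and the wildcard certificate Slyde plans to get), as an added example that is not from the thread or from any IRC client's code. It covers only the name-matching step, not chain trust ("issuer is unknown" is a separate check); the certificates and the names `example.net` and `192.0.2.10` are constructed placeholders.

```python
import ipaddress

# Constructed sample certificates, in the dict shape ssl.SSLSocket.getpeercert() returns.
SELF_SIGNED = {"subject": ((("commonName", "localhost"),),), "subjectAltName": ()}
WILDCARD = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"), ("DNS", "example.net")),
}

def _is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    # A wildcard is honoured only as the whole left-most label and covers exactly one label.
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]
    return p == h

def check_name(cert, target):
    """Return (ok, reason) for the name or address the user typed into the client."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(target):
        # An IP literal is compared only against IP SAN entries, never DNS names.
        want = ipaddress.ip_address(target)
        ips = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == want for v in ips):
            return True, "IP SAN match"
        return False, "connected by IP and the certificate carries no matching IP SAN"
    names = [v for k, v in sans if k == "DNS"]
    if not names:  # legacy fallback: commonName is consulted only when no DNS SAN exists
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        if _dns_match(name, target):
            return True, f"matched {name}"
    return False, f"hostname mismatch, certificate names are {names}"

if __name__ == "__main__":
    for cert, target in [(SELF_SIGNED, "irc.example.net"), (WILDCARD, "irc.example.net"),
                         (WILDCARD, "a.b.example.net"), (WILDCARD, "192.0.2.10")]:
        print(target, check_name(cert, target))
```

A wildcard certificate passes for `irc.example.net` but still fails when the same server is reached by IP address or through a deeper subdomain.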