what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WeeChat Invalid Certificate Check

WeeChat Invalid Certificate Check
Posted Feb 28, 2011
Authored by JD

WeeChat suffers from an invalid certificate verification vulnerability.

tags | advisory, bypass
SHA-256 | b244384a98f92322c920ae9a0922ecf9ded2df274ee6fe2b1625224736dcb748

WeeChat Invalid Certificate Check

Change Mirror Download
About WeeChat:
"WeeChat is a fast, light and extensible chat client. It runs on many
platforms (including Linux, BSD and Mac OS).
Development is very active, and bug fixes are very fast!"

The vuln:
Weechat does not use the GnuTLS API properly to check certificates,
potentially exposing users to man-in-the-middle attacks.

Weechat registers a callback function to be called by GnuTLS during
the TLS/SSL handshake. The function perform checks on the server
certificate and optionally, send a client certificate.
The mentioned code is located in src/core/wee-network.c in the
network_init function:

gnutls_certificate_client_set_retrieve_function (gnutls_xcred,


Excerpt from gnutls's doc:

gnutls_certificate_client_set_retrieve_function sets a callback to
be called in order to retrieve the certificate to be used in the
If the callback function is provided then gnutls will call it, in
the handshake, after the certificate request message has been

This callback function will only be called when the server ask for a
client certificate during the handshake, but weechat also use this
to check the server certificate.

As specified in the rfc2246 at 7.4.6., the certificate request is optionnal:

7.4.6. Client certificate

When this message will be sent:
This is the first message the client can send after receiving a
server hello done message. This message is only sent if the
server requests a certificate.

So when the server does not request a client certificate,
hook_connect_gnutls_set_certificates is never called and weechat does
perform any check on the server certificate. It doesn't print any of
the usual information about the dh key size and the content
of the server certificate either.


$ openssl genrsa -out server.key 4096
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
$ openssl dhparam -outform PEM -out dhparam.pem 4096
$ openssl s_server -cert server.crt -key server.key -dhparam
dhparam.pem -accept 6697 &>./log &
$ weechat-curses ircs:// # will not check the certificate
$ fg
$ openssl s_server -cert server.crt -key server.key -dhparam
dhparam.pem -accept 6697 -verify yes &>./log2 &
$ weechat-curses ircs:// # will print an error because
the certificate is self signed

This problem affects all versions. The maintainer has been contacted
and a fix should be published. someday...
A "beta" fix is availaible here: http://savannah.nongnu.org/patch/index.php?7459


Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    47 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    50 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By