[irc/freenode/web-7.0.git] / content / kb / connect / chat.md

Title: Connecting to freenode
Slug: chat
---

The freenode network can be accessed via the [freenode
webchat](//webchat.freenode.net) or using an IRC client such as irssi, WeeChat,
ERC, HexChat, Smuxi, Quassel or mIRC.

You can connect to freenode by pointing your IRC client at `chat.freenode.net`
on ports 6665-6667 and 8000-8002.

## Accessing freenode Via SSL

freenode provides SSL client access on all servers, on ports 6697, 7000 and
7070. Users connecting over SSL will be given user mode +Z, and _is using a
secure connection_ will appear in WHOIS (a 671 numeric). Webchat users will not
currently appear with +Z or the 671 numeric, even if they connect to webchat
via SSL.

In order to verify the server certificates on connection, some additional work
may be required. First, ensure that your system has an up-to-date set of root
CA certificates. On most linux distributions this will be in a package named
something like ca-certificates. Many systems install these by default, but some
(such as FreeBSD) do not.  For FreeBSD, the package is named ca\_root\_nss,
which will install the appropriate root certificates in
/usr/local/share/certs/ca-root-nss.crt.

Certificate verification will generally only work when connecting to
**`freenode.net`**. If your client thinks the server's certificate is invalid,
make sure you are connecting to `chat.freenode.net` rather than any other name
that leads to freenode.

For most clients this should be sufficient. If not, you can download the root
certificate from
[LetsEncrypt](https://letsencrypt.org/certificates/).

Client SSL certificates are also supported, and may be used for identification
to services. See [this kb article](kb/using/certfp). If you have connected with
a client certificate, _has client certificate fingerprint
f1ecf46714198533cda14cccc76e5d7114be4195_ (showing your certificate's SHA1
fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric).

## Accessing freenode Via Tor

freenode is also reachable via [Tor<i class="fa fa-external-link"
aria-hidden="true"></i>](https://www.torproject.org/), bound to some
restrictions. You can't directly connect to chat.freenode.net via Tor; use
the following hidden service as the server address instead:

    freenodeok2gncmy.onion

The hidden service requires SASL authentication. In addition, due to the abuse
that led Tor access to be disabled in the past, we have unfortunately had to
add another couple of restrictions:

- You must log in using SASL `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more
  below)
- If you log out while connected via Tor, you will not be able to log in
  without reconnecting.

If you haven't set up the requisite SASL authentication, we recommend SASL
EXTERNAL. You'll need to generate a client certificate and add that to your
NickServ account. This is documented [in our knowledge base](kb/using/certfp).

Connecting using SASL EXTERNAL requires that you connect using SSL encryption.

Note that due to the SSL certificates not matching the hidden service, you
might have to disable the verification in your client. If your client supports
*key* pinning, you can verify our Tor server's public key fingerprint:

    E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D

You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack
comprehensive documentation for this, but it's a feature in most modern
clients, so please check their docs for instructions for now.
Commit	Line	Data
de97d234	1	Title: Connecting to freenode
c7279396	2	Slug: chat
c7279396	3	---
c7279396	4
05b3480d EK	5	The freenode network can be accessed via the [freenode
	6	webchat](//webchat.freenode.net) or using an IRC client such as irssi, WeeChat,
	7	ERC, HexChat, Smuxi, Quassel or mIRC.
	8
	9	You can connect to freenode by pointing your IRC client at `chat.freenode.net`
	10	on ports 6665-6667 and 8000-8002.
a1b22831 CD	11
a1b22831 CD	12	## Accessing freenode Via SSL
a1b22831	13
05b3480d EK	14	freenode provides SSL client access on all servers, on ports 6697, 7000 and
	15	7070. Users connecting over SSL will be given user mode +Z, and _is using a
	16	secure connection_ will appear in WHOIS (a 671 numeric). Webchat users will not
	17	currently appear with +Z or the 671 numeric, even if they connect to webchat
	18	via SSL.
	19
	20	In order to verify the server certificates on connection, some additional work
	21	may be required. First, ensure that your system has an up-to-date set of root
	22	CA certificates. On most linux distributions this will be in a package named
	23	something like ca-certificates. Many systems install these by default, but some
	24	(such as FreeBSD) do not. For FreeBSD, the package is named ca\_root\_nss,
	25	which will install the appropriate root certificates in
	26	/usr/local/share/certs/ca-root-nss.crt.
a1b22831	27
05b3480d EK	28	Certificate verification will generally only work when connecting to
	29	`freenode.net`. If your client thinks the server's certificate is invalid,
	30	make sure you are connecting to `chat.freenode.net` rather than any other name
	31	that leads to freenode.
debd708e	32
3f819807 EK	33	For most clients this should be sufficient. If not, you can download the root
3f819807 EK	34	certificate from
29ce2dd1	35	[LetsEncrypt](https://letsencrypt.org/certificates/).
a1b22831	36
05b3480d EK	37	Client SSL certificates are also supported, and may be used for identification
	38	to services. See [this kb article](kb/using/certfp). If you have connected with
	39	a client certificate, _has client certificate fingerprint
	40	f1ecf46714198533cda14cccc76e5d7114be4195_ (showing your certificate's SHA1
	41	fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric).
6da654fb CFL	42
	43	## Accessing freenode Via Tor
	44
05b3480d EK	45	freenode is also reachable via [Tor<i class="fa fa-external-link"
05b3480d EK	46	aria-hidden="true"></i>](https://www.torproject.org/), bound to some
3f819807 EK	47	restrictions. You can't directly connect to chat.freenode.net via Tor; use
3f819807 EK	48	the following hidden service as the server address instead:
6da654fb CFL	49
	50	freenodeok2gncmy.onion
	51
05b3480d EK	52	The hidden service requires SASL authentication. In addition, due to the abuse
	53	that led Tor access to be disabled in the past, we have unfortunately had to
	54	add another couple of restrictions:
6da654fb	55
3f819807	56	- You must log in using SASL `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more
05b3480d EK	57	below)
	58	- If you log out while connected via Tor, you will not be able to log in
	59	without reconnecting.
6da654fb CFL	60
	61	If you haven't set up the requisite SASL authentication, we recommend SASL
	62	EXTERNAL. You'll need to generate a client certificate and add that to your
c3260969	63	NickServ account. This is documented [in our knowledge base](kb/using/certfp).
05b3480d	64
3e7dd983 DP	65	Connecting using SASL EXTERNAL requires that you connect using SSL encryption.
3e7dd983 DP	66
3f819807 EK	67	Note that due to the SSL certificates not matching the hidden service, you
	68	might have to disable the verification in your client. If your client supports
	69	key pinning, you can verify our Tor server's public key fingerprint:
05b3480d EK	70
05b3480d EK	71	E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D
6da654fb CFL	72
	73	You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack
	74	comprehensive documentation for this, but it's a feature in most modern
	75	clients, so please check their docs for instructions for now.