---
Title: CertFP
Slug: certfp
---

As an alternative to password-based authentication, you can connect to freenode
with a TLS client certificate and have services recognise it and log you in
automatically.

Creating a self-signed certificate
==================================

In order to follow these instructions, you will need the `openssl` utility. If
you are using Windows and do not have a copy, you might consider using Cygwin
(Git for Windows also ships one).

You can generate a certificate with the following command:

    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem

You will be prompted for various pieces of information about the certificate.
The contents do not matter for our purposes, but `openssl` needs at least one of
them to be non-empty. If you would rather not be prompted at all, pass a subject
on the command line, for example `-subj '/CN=freenode'`.

The `.pem` file contains your private key as well as the certificate, so it
gives the same access to your NickServ account as your password does: keep it
readable only by your own user, and do not copy it to machines you do not
trust.

Under Unix-like environments, the following command:

    openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1

will list the certificate fingerprint: the SHA-1 hash of the DER-encoded
certificate, which is the value the server reports and NickServ stores. Keep a
note of it so you can compare it with what `/whois` shows once connected.


Connecting to freenode with your certificate
============================================

IRC clients generally differ in where they look for a certificate and how you
configure them to offer it to the server. If yours is not yet listed here, the
advice in this section is unlikely to apply, but guides may be available
elsewhere on the web. Whichever client you use, make sure it also verifies the
server's certificate: presenting a client certificate does nothing on its own
to protect you from a spoofed server.

irssi
-----

Move the certificate you created above to `~/.irssi/certs`:

    mkdir ~/.irssi/certs
    mv freenode.pem ~/.irssi/certs

Now configure your `/server` entry for freenode to use this certificate. You
may need to adapt this example for your existing configuration (the network
and hostname should match what you already use).

    /server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -network freenode chat.freenode.net 6697

`-ssl_cert` only makes irssi present your certificate; add `-ssl_verify`
(together with `-ssl_cafile` or `-ssl_capath` if your build does not find the
system CA store on its own) if you also want it to verify the server's
certificate.

weechat
-------

Move the certificate you created above to `~/.weechat/certs`:

    mkdir ~/.weechat/certs
    mv freenode.pem ~/.weechat/certs

Now disconnect and remove the current freenode server(s). Re-add it with the
SSL flag, using your newly generated certificate. Note that these commands are
just examples; you have to adapt them to your current servers.

    /set irc.server.freenode.addresses chat.freenode.net/6697
    /set irc.server.freenode.ssl on
    /set irc.server.freenode.ssl_verify on
    /set irc.server.freenode.ssl_cert %h/certs/freenode.pem
    /set irc.server.freenode.sasl_mechanism external

and then reconnect to freenode. `ssl_verify on` makes WeeChat check the
server's certificate, and `sasl_mechanism external` makes it authenticate with
the certificate through SASL rather than relying on CertFP alone. In WeeChat
4.0 and later these options were renamed from `ssl*` to `tls*` (`tls`,
`tls_verify`, `tls_cert`).

znc
---

Refer to znc's [official documentation](http://wiki.znc.in/Cert).

HexChat
-------

The pem file should be placed in `certs/network name.pem` in the HexChat config
directory (`~/.config/hexchat/` or `%appdata%\HexChat`), where `network name`
is the name of the network as it appears in the network list (Ctrl-S). Note
that the `certs` directory does not exist by default and you will have to
create it yourself. Once the file is there, all subsequent SSL connections to
that network will use the certificate. A file named `certs/client.pem` is used
for any network that does not have a file of its own.

Konversation
------------

Create the pem file as per above, then place it wherever you want.
Start Konversation, then open the Identity dialogue by either pressing F8
or via the Settings menu entry. Choose the identity you use for the
freenode network or create a new one.
In the `Auto Identify` section you have to choose `SASL External (Cert)`
as the `Type` for SASL External, or `SSL Client Certificate` for CertFP.
SASL External requires at least version 1.7 of Konversation.
Optionally fill in your account name in the `Account` field.
You can then choose the certificate you created with the file picker
or enter the path manually in the field next to it.
Once done, apply the configuration and (re)connect to freenode.

Add your fingerprint to NickServ
================================

You can then check whether the server has seen your certificate by using
`whois` on yourself:

    /whois YourOwnNick
    ...
    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
    ...

The value shown should match the fingerprint you computed locally with
`openssl`. If no fingerprint line appears, your client is not presenting the
certificate, and you should revisit its configuration before going further.

To allow NickServ to recognise you based on your certificate, you need to add
the fingerprint to your account (you will need to log in by other means, such
as your password, in order to do so).

You can then authorise your current certificate fingerprint:

    /msg NickServ CERT ADD

With no argument, `CERT ADD` uses the fingerprint of the connection you issue
it from. `CERT LIST` shows every fingerprint authorised on the account, and
`CERT DEL <fingerprint>` revokes one, which is what to do if the `.pem` file is
lost or exposed.

In the future, any connections you make to freenode with your certificate will
be logged into your account automatically. Optionally, or if you wish to connect
via Tor, you can enable SASL with the `EXTERNAL` mechanism, which authenticates
with the same certificate.
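The fingerprint step in the first section and the `/whois` comparison above can
be scripted. The following Python script is an added example, not part of the
freenode page or of any IRC client: it reads the `.pem` file produced by the
`openssl req` command, computes the fingerprint over the DER-encoded
certificate (SHA-1 by default, matching `sha1sum` above; SHA-256 and others by
length when the server reports a different digest), compares it with the value
in a `/whois` line, and checks that the key file is not readable by other
users. The PEM embedded in it is constructed (its certificate body decodes to
the bytes `abc`, not a real certificate). `generate_certificate()` assumes
`openssl` is on your PATH and uses the placeholder subject `/CN=certfp`; it is
the only part that is not exercised offline.

```python
import base64
import hashlib
import os
import re
import stat
import subprocess
from typing import Optional

# Constructed sample, NOT a real certificate: the base64 body "YWJj" decodes to
# b"abc", so the "DER" is just those three bytes. A real freenode.pem written by
# the openssl command has a PRIVATE KEY block followed by a CERTIFICATE block;
# the layout here mimics that so the parser skips the key as it would for real.
SAMPLE_PEM = """-----BEGIN PRIVATE KEY-----
AAAA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_WHOIS_LINE = re.compile(r"has client certificate fingerprint ([0-9A-Fa-f]+)")

# Hex-digit length of a fingerprint -> digest that produced it, so a value the
# server reports can be recomputed even if the network does not use SHA-1.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def certificate_der(pem_text: str) -> bytes:
    """DER bytes of the first CERTIFICATE block (the private key is ignored:
    the fingerprint covers only the certificate)."""
    match = _CERT_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM data")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Same value as `openssl x509 -outform der | sha1sum` for the default."""
    return hashlib.new(algorithm, certificate_der(pem_text)).hexdigest()


def fingerprint_from_whois(whois_line: str) -> Optional[str]:
    """Extract the fingerprint from a '/whois' line like the one in the text."""
    match = _WHOIS_LINE.search(whois_line)
    return match.group(1).lower() if match else None


def matches_whois(pem_text: str, whois_line: str) -> bool:
    """True when the server-reported fingerprint is this certificate's."""
    reported = fingerprint_from_whois(whois_line)
    if reported is None:
        return False
    algorithm = _ALGO_BY_LEN.get(len(reported))
    if algorithm is None:
        return False
    return fingerprint(pem_text, algorithm) == reported


def is_private_mode(mode: int) -> bool:
    """True when no group or other permission bits are set (e.g. 0o600)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def private_key_file_ok(path: str) -> bool:
    """The .pem holds the private key, so it must be owner-only."""
    return is_private_mode(stat.S_IMODE(os.stat(path).st_mode))


def generate_certificate(path: str = "freenode.pem",
                         subject: str = "/CN=certfp") -> str:
    """Run the openssl command from the text non-interactively (-subj supplies
    the subject openssl would otherwise prompt for), tighten permissions, and
    return the SHA-1 fingerprint. Assumes `openssl` is on PATH."""
    subprocess.run([
        "openssl", "req", "-x509", "-new", "-newkey", "rsa:4096", "-sha256",
        "-days", "1000", "-nodes", "-subj", subject,
        "-out", path, "-keyout", path,
    ], check=True)
    os.chmod(path, 0o600)
    with open(path) as fh:
        return fingerprint(fh.read())


if __name__ == "__main__":
    print("sha1  :", fingerprint(SAMPLE_PEM))
    print("sha256:", fingerprint(SAMPLE_PEM, "sha256"))
```

Run it against a real `freenode.pem` by replacing `SAMPLE_PEM` with the file's
contents; the `sha1` line should equal both the `openssl | sha1sum` output and
the `/whois` fingerprint, and `private_key_file_ok("freenode.pem")` should be
true before you rely on the file.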