---
Title: CertFP
Slug: certfp
---

As an alternative to password-based authentication, you can connect to freenode
with a TLS certificate and have services recognise it automatically.

For SASL EXTERNAL to work, you must connect over SSL/TLS (port 6697 in the
examples below).

Creating a self-signed certificate
==================================

In order to follow these instructions, you will need the `openssl` utility. If
you are using Windows and do not have a copy, you might consider using Cygwin.

You can generate a certificate with the following command:

    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem

You will be prompted for various pieces of information about the certificate.
The contents do not matter for our purposes, but `openssl` needs at least one of
them to be non-empty. The certificate expires after the number of days given to
`-days` (here 1000); generate and register a new one before then.

The `.pem` file contains the private key as well as the certificate, so it will
have the same access to your NickServ account as your password does. Take
appropriate care in securing it: keep it readable by your user only
(`chmod 600 freenode.pem`) and do not copy it to machines you do not trust.

Under Unix-like environments, the following command:

    openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1

will list the certificate fingerprint, i.e. the SHA-1 hash of the DER-encoded
certificate. This is the value the server reports for your connection later on.


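The certificate-creation steps above, and the fingerprint check used again when you verify what the server sees, carried out as one script. This is an added example for this page, not freenode's or any IRC client's own tooling. It assumes the network fingerprints the SHA-1 of the DER-encoded certificate (as the `sha1sum` pipeline above does) and uses the arbitrary subject `/CN=certfp` to satisfy openssl's one-non-empty-field requirement without prompting. The cross-check against `openssl x509 -fingerprint` shows that the whois value is nothing more than that hash without colons.

```shell
#!/bin/sh
# Added example for this page (not freenode's, irssi's or any client's own
# tooling): generate the CertFP key+certificate file, lock down its
# permissions and compute the fingerprint the IRC server will display.
# Assumptions: SHA-1 over the DER certificate is the fingerprint the network
# uses; the subject CN "certfp" is arbitrary.
set -eu

# make_certfp_cert OUTFILE [DAYS] [BITS]
# Writes the private key and the self-signed certificate into one PEM file,
# created with mode 0600 because the key grants the same access as a password.
make_certfp_cert() {
    out=$1
    days=${2:-1000}
    bits=${3:-4096}
    old_umask=$(umask)
    umask 077
    # -subj supplies the one non-empty field openssl requires, so no prompts.
    openssl req -x509 -new -newkey "rsa:$bits" -sha256 -days "$days" -nodes \
        -subj "/CN=certfp" -out "$out" -keyout "$out" 2>/dev/null
    umask "$old_umask"
}

# certfp_fingerprint PEMFILE
# SHA-1 over the DER form of the certificate, lower-case hex without colons:
# the same value the page's "openssl x509 ... | sha1sum" pipeline prints.
# (openssl dgst is used instead of sha1sum so it also works where coreutils
# is absent; awk takes the last field of either output format.)
certfp_fingerprint() {
    openssl x509 -in "$1" -outform der | openssl dgst -sha1 | awk '{print $NF}'
}

# x509_fingerprint PEMFILE
# Cross-check: openssl's own -fingerprint output, normalised to the same
# format. It must equal certfp_fingerprint; if it does not, the pipeline
# hashed the wrong bytes (e.g. the PEM text instead of the DER).
x509_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# pem_sanity PEMFILE
# Returns 0 if the file holds exactly one private key and one certificate;
# the clients on this page read both from the same file.
pem_sanity() {
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1")
    certs=$(grep -c 'BEGIN CERTIFICATE' "$1")
    [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ]
}

# key_is_private PEMFILE
# Returns 0 if only the owner can read the file (mode rw-------).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone run: create ./freenode.pem and print what the server should show.
if [ "${1:-}" = "--run" ]; then
    make_certfp_cert freenode.pem
    pem_sanity freenode.pem && key_is_private freenode.pem
    echo "fingerprint: $(certfp_fingerprint freenode.pem)"
fi
```

Run it as `sh certfp.sh --run` to produce `freenode.pem` in the current directory; the printed fingerprint is what you expect to see in `/whois` once a client presents the file, and what `NickServ CERT ADD` will store.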
Connecting to freenode with your certificate
============================================

IRC clients generally differ in where they look for a certificate and how you
configure them to offer it to the server. If yours is not yet listed here, the
advice in this section is unlikely to apply, but guides may be available
elsewhere on the web.

irssi
-----

Move the certificate you created above to `~/.irssi/certs`:

    mkdir -p ~/.irssi/certs
    mv freenode.pem ~/.irssi/certs
    chmod 600 ~/.irssi/certs/freenode.pem

Now configure your `/server` entry for freenode to use this certificate. You
may need to adapt this example for your existing configuration (the network
and hostname should match what you already use).

    /server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -network freenode chat.freenode.net 6697

This offers your certificate but does not by itself verify the server's. To
also check that you are talking to freenode, add `-ssl_verify` together with
`-ssl_cafile` pointing at your system's CA bundle (for example
`/etc/ssl/certs/ca-certificates.crt` on Debian-based systems; the path varies
by platform).

weechat
-------

Move the certificate you created above to `~/.weechat/certs`:

    mkdir -p ~/.weechat/certs
    mv freenode.pem ~/.weechat/certs
    chmod 600 ~/.weechat/certs/freenode.pem

Now disconnect from the current freenode server(s) and remove them. Re-add the
server with the SSL flag, using your newly generated certificate. Note that
these commands are just examples; you have to adapt them to your current
servers.

    /set irc.server.freenode.addresses chat.freenode.net/6697
    /set irc.server.freenode.ssl on
    /set irc.server.freenode.ssl_verify on
    /set irc.server.freenode.ssl_cert %h/certs/freenode.pem
    /set irc.server.freenode.sasl_mechanism external

and then reconnect to freenode (`/connect freenode`). `ssl_verify on` makes
weechat check the server's certificate, which you want in addition to
presenting your own.

znc
---

Refer to znc's [official documentation](http://wiki.znc.in/Cert).

HexChat
-------

Place the `.pem` file in `certs/client.pem` in the HexChat config
directory (`~/.config/hexchat/` or `%appdata%\HexChat`). Note
that the `certs` directory does not exist by default and you will have to
create it yourself. Once the file is there, all subsequent SSL connections
will use the certificate.

If you connect to multiple IRC networks, you should keep in mind that using the
filename `certs/client.pem` will send the same certificate to all networks, so
each of them can link your connections to the same fingerprint. If you prefer
per-network certificates, use the name of the network exactly as it appears in
the network list (Ctrl-S), including capitalisation and punctuation (e.g.
`certs/freenode.pem` or `certs/Example Server.pem`).

Konversation
------------

Create the `.pem` file as per above, then place it wherever you want.
Start Konversation, then open the Identity dialogue by either pressing F8
or via the Settings menu entry. Choose the identity you use for the
freenode network or create a new one.
In the `Auto Identify` section, choose `SASL External (Cert)` as the `Type`
for SASL External, or `SSL Client Certificate` for plain CertFP.
SASL External requires at least version 1.7 of Konversation.
Optionally fill in your account name in the `Account` field.
You can then choose the certificate you created with the file picker
or enter the path manually in the field next to it.
Once done, apply the configuration and (re)connect to freenode.

Revolution
----------

Create the `.pem` file as per above, transfer it to your Android device, and
place it wherever you want (`Downloads` is a common location).
Start Revolution and navigate to the `Manage servers` screen if you are not
there already, long-press on the server you wish to configure CertFP for, and
select `Edit`. When presented with the `Edit a server` screen, tap on
`Authentication mode` and select `Client certificate (CertFP)`, then tap on
`IMPORT PEM`, navigate to where you put the `.pem` file and select it.
Tap the tick symbol on the top right of the `Edit a server` screen to save.

Alternatively, Revolution can generate a client certificate for you.
Where you are presented with `IMPORT PEM`, there will also be an option to
`CREATE NEW`; when you tap this, a certificate will be randomly generated and
its fingerprint will be displayed. That fingerprint is the one you add to
NickServ below. Tap the tick symbol on the top right of the screen to save.

Add your fingerprint to NickServ
================================

You can then check whether you have a fingerprint by using `whois` on yourself:

    /whois YourOwnNick
    ...
    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
    ...

(The value shown here is only a placeholder; yours should match the output of
the `sha1sum` command above.) If no fingerprint line appears, your client did
not present the certificate, so revisit its configuration before going on.

To allow NickServ to recognise you based on your certificate, you need to add
the fingerprint to your account (you will need to log in by other means in order
to do so).

You can then authorise your current certificate fingerprint:

    /msg NickServ CERT ADD

You can review the fingerprints attached to your account with
`/msg NickServ CERT LIST`, and remove one with
`/msg NickServ CERT DEL <fingerprint>`. Do that promptly if the `.pem` file is
ever lost or exposed, since anyone holding it can log in as you.

In the future, any connections you make to freenode with your certificate will
be logged into your account automatically. Optionally, or if you wish to connect
via Tor, you can enable SASL with the `EXTERNAL` mechanism.
141 | the fingerprint to your account (you will need to log in by other means in order | |
142 | to do so). | |
143 | ||
144 | You can then authorise your current certificate fingerprint: | |
145 | ||
146 | /msg NickServ CERT ADD | |
147 | ||
148 | In the future, any connections you make to freenode with your certificate will | |
149 | be logged into your account automatically. Optionally, or if you wish to connect | |
150 | via Tor, you can enable SASL with the `EXTERNAL` mechanism. |