Title: NickServ and certificates
Slug: certfp
---

You can add a certificate fingerprint to your NickServ account in order to identify via CertFP or via SASL EXTERNAL.
To do so you need an IRC client that supports SSL/TLS connections with a client certificate.

Creating a self-signed certificate
==================================

First you need to generate a self-signed certificate. We will be using OpenSSL, which is available for most unix-like operating systems and also via ports to other platforms, such as Microsoft Windows.

To generate a certificate and key in a single file, the `openssl` command can be used with the `req` option:

    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -out nick.pem -keyout nick.pem

Fill out the fields as you wish; it does not matter whether you put in correct address information or not. The certificate is self-signed and only its fingerprint is ever checked, so nothing in it needs to be true. Since `-keyout` and `-out` name the same file, `nick.pem` will contain both the private key and the certificate; the client sections below refer to it by this name.

Note that the resulting file contains your private key and should be placed on secure storage, with correct permissions
(e.g. `chmod 400 nick.pem` on unix-like systems) and not given to third parties: whoever holds this file can identify to your account.
As invoked above, `openssl` prompts for a passphrase and stores the key encrypted. Most IRC clients cannot ask for that passphrase, so either add `-nodes` (`-noenc` in OpenSSL 3) to the command to leave the key unencrypted, or keep the passphrase if your client can handle an encrypted key.

If you want to perform the steps for adding the information to your NickServ account,
which are described at the end of this article, before connecting with the certificate, you need the fingerprint. The command

    openssl x509 -in nick.pem -outform der | sha1sum | cut -d' ' -f1

will print the fingerprint so you can write it down or copy it. freenode's servers report the SHA-1 hash of the DER-encoded certificate as lowercase hex without colons, which is exactly what this pipeline produces. Adjust the path if you have already moved the file to your client's configuration directory.

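The generation and fingerprint steps above, as an added example script (not part of this page or of freenode's tooling). It runs the same `openssl req` command non-interactively and then checks the result the way you would want to before pasting a fingerprint into `CERT ADD`: the fingerprint is derived twice by independent routes and must agree, and the key and certificate sharing one file are verified to belong together. The nick `YourOwnNick`, the 10-year validity, the `-nodes`/`-subj` flags and the scratch directory are assumptions for an unattended run, not values from the page.

```sh
#!/bin/sh
# Added example, not from the freenode page: generate the CertFP certificate
# non-interactively and derive its fingerprint two independent ways, so the
# value you later hand to "CERT ADD" is checked rather than hand-copied.
set -eu

# Key and self-signed certificate into one PEM file, as the page's command
# does. Differences from the page (assumptions for an unattended run):
# -nodes leaves the key unencrypted for clients that cannot prompt for a
# passphrase, -subj skips the interactive questions, validity is 10 years.
# The subshell keeps the umask change local: the key is owner-only from birth.
certfp_generate() {
    out=$1
    nick=$2
    (
        umask 077
        openssl req -x509 -new -newkey rsa:4096 -sha256 -nodes -days 3650 \
            -subj "/CN=$nick" -keyout "$out" -out "$out" 2>/dev/null
    )
}

# The page's pipeline: SHA-1 over the DER-encoded certificate, lowercase hex,
# no colons. This is the form freenode's whois shows and NickServ expects.
certfp_fingerprint() {
    openssl x509 -in "$1" -outform der | sha1sum | cut -d' ' -f1
}

# Cross-check via openssl's own -fingerprint output ("SHA1 Fingerprint=AB:CD:..."),
# normalised to the same lowercase, colon-free form.
certfp_fingerprint_alt() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Key and certificate share one file, so confirm they belong together by
# hashing the public key taken from each. Prints "match" or "MISMATCH".
certfp_key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout | openssl sha256)
    from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    if [ "$from_key" = "$from_cert" ]; then echo match; else echo MISMATCH; fi
}

# Stand-alone run: work in a scratch directory and report.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    certfp_generate "$dir/nick.pem" YourOwnNick
    fp=$(certfp_fingerprint "$dir/nick.pem")
    alt=$(certfp_fingerprint_alt "$dir/nick.pem")
    echo "fingerprint: $fp"
    [ "$fp" = "$alt" ] && echo "cross-check:  ok" || echo "cross-check:  DIFFERS ($alt)"
    echo "key/cert:    $(certfp_key_matches_cert "$dir/nick.pem")"
    echo "file:        $dir/nick.pem (move it to your client's certs directory)"
fi
```

Run it as `sh certfp.sh --demo`; the printed fingerprint is the value to compare against your own `whois` output later. The two fingerprint functions agreeing tells you the hand-rolled `sha1sum` pipeline is not silently hashing the wrong bytes (for example a file that contains only the key), and the public-key comparison catches a `nick.pem` assembled from a key and a certificate that were never a pair.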
Connecting to freenode with your certificate
============================================

How you have to add the certificate depends on your client.
If the one you are using is not listed here yet, please consult your client's documentation.
Documentation for various clients is also available on the website of our friends at
[OFTC](https://www.oftc.net/NickServ/CertFP/);
most of it can be adapted to freenode by just changing the server address.
We are also open to pull requests to add new clients.

irssi
-----

Move the certificate you created above to ~/.irssi/certs:

    mkdir -p ~/.irssi/certs
    mv nick.pem ~/.irssi/certs

Now remove the current freenode server(s) and re-add it with the SSL flag,
using your newly generated certificate. Note that these commands are just examples;
you have to adapt them to your current networks and servers.

    /server remove chat.freenode.net
    /network add freenode
    /server add -auto -ssl -ssl_cert ~/.irssi/certs/nick.pem -ssl_verify -network freenode chat.freenode.net 6697

`-ssl_verify` makes irssi verify the server's certificate; keep it for normal connections. If you plan to use Tor and add the hidden service instead, `-ssl_verify` has to be omitted, as the server certificate won't match the hidden service name.

weechat
-------

Move the certificate you created above to ~/.weechat/certs:

    mkdir -p ~/.weechat/certs
    mv nick.pem ~/.weechat/certs

Now disconnect and remove the current freenode server(s).
Re-add it with the SSL flag, using your newly generated certificate.
Note that these commands are just examples;
you have to adapt them to your current servers.

    /disconnect freenode
    /server del freenode
    /server add freenode chat.freenode.net/6697 -ssl -ssl_verify -autoconnect
    /set irc.server.freenode.ssl_cert %h/certs/nick.pem

and then reconnect to freenode. (`%h` is WeeChat's home directory, ~/.weechat by default.)

znc
---

znc provides official documentation in
[their wiki](http://en.znc.in/wiki/Cert).


Add your fingerprint to NickServ
================================

If you added the certificate to your client you can now connect to freenode.
You can then check whether you have a fingerprint by using `whois` on yourself:

    /whois YourOwnNick
    ...
    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
    ...

This means that your certificate is working. Compare the value with the one you computed with `openssl` above; if they differ, your client is presenting a different certificate than the one you think it is.

To allow NickServ to identify you based on this certificate, you need to add the fingerprint to your account.
If you are not identified with NickServ, then do so now. See `/msg nickserv help identify` if needed.

Afterwards you can add the fingerprint with the `CERT ADD` command.
If you are connected using the certificate and the correct fingerprint shows in `whois`, you can just issue

    /msg NickServ CERT ADD

Otherwise you have to specify the fingerprint as a parameter:

    /msg NickServ CERT ADD f3a1aad46ca88e180c25c9c7021a4b3a

NickServ will message back saying that the fingerprint was added.
You can now use it to identify via CertFP or SASL EXTERNAL.
Please refer to your client documentation on how to do so.

Any fingerprint on your account is a full credential: a client presenting the matching certificate is identified without a password. `/msg NickServ CERT LIST` shows the fingerprints currently on your account, and `/msg NickServ CERT DEL <fingerprint>` removes one, which is how you revoke a certificate whose key file has been lost or exposed.