Commit | Line | Data |
---|---|---|
de97d234 | 1 | Title: Connecting to freenode |
c7279396 | 2 | Slug: chat |
3 | --- | |
c7279396 | 4 | |
05b3480d EK |
5 | The freenode network can be accessed via the [freenode |
6 | webchat](//webchat.freenode.net) or using an IRC client such as irssi, WeeChat, | |
7 | ERC, HexChat, Smuxi, Quassel or mIRC. | |
8 | ||
9 | You can connect to freenode by pointing your IRC client at `chat.freenode.net` | |
7d5bfc26 | 10 | on ports 6665-6667 and 8000-8002 for plain-text connections, or ports 6697, 7000 |
3ca39502 | 11 | and 7070 for TLS-encrypted connections. |
a1b22831 | 12 | |
3ca39502 | 13 | ## Accessing freenode Via TLS |
a1b22831 | 14 | |
3ca39502 EM |
15 | freenode provides TLS client access on all servers, on ports 6697, 7000 and |
16 | 7070. Users connecting over TLS will be given user mode +Z, and _is using a | |
dac9cb26 | 17 | secure connection_ will appear in WHOIS (a 671 numeric). |
05b3480d EK |
18 | |
19 | In order to verify the server certificates on connection, some additional work | |
20 | may be required. First, ensure that your system has an up-to-date set of root | |
21 | CA certificates. On most Linux distributions this will be in a package named | |
22 | something like ca-certificates. Many systems install these by default, but some | |
23 | (such as FreeBSD) do not. For FreeBSD, the package is named ca\_root\_nss, | |
24 | which will install the appropriate root certificates in | |
25 | /usr/local/share/certs/ca-root-nss.crt. | |
a1b22831 | 26 | |
05b3480d EK |
27 | Certificate verification will generally only work when connecting to |
28 | **`freenode.net`**. If your client thinks the server's certificate is invalid, | |
29 | make sure you are connecting to `chat.freenode.net` rather than any other name | |
30 | that leads to freenode. | |
debd708e | 31 | |
3f819807 EK |
32 | For most clients this should be sufficient. If not, you can download the root |
33 | certificate from | |
29ce2dd1 | 34 | [Let's Encrypt](https://letsencrypt.org/certificates/). |
a1b22831 | 35 | |
3ca39502 | 36 | Client TLS certificates are also supported, and may be used for identification |
05b3480d EK |
37 | to services. See [this kb article](kb/using/certfp). If you have connected with |
38 | a client certificate, _has client certificate fingerprint | |
39 | f1ecf46714198533cda14cccc76e5d7114be4195_ (showing your certificate's SHA1 | |
40 | fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric). | |
6da654fb CFL |
41 | |
42 | ## Accessing freenode Via Tor | |
43 | ||
05b3480d EK |
44 | freenode is also reachable via [Tor<i class="fa fa-external-link" |
45 | aria-hidden="true"></i>](https://www.torproject.org/), bound to some | |
3f819807 EK |
46 | restrictions. You can't directly connect to chat.freenode.net via Tor; use |
47 | the following hidden service as the server address instead: | |
6da654fb | 48 | |
c278d82d D |
49 | ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion |
50 | ||
05b3480d EK |
51 | The hidden service requires SASL authentication. In addition, due to the abuse |
52 | that led Tor access to be disabled in the past, we have unfortunately had to | |
53 | add another couple of restrictions: | |
6da654fb | 54 | |
3f819807 | 55 | - You must log in using SASL `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more |
05b3480d EK |
56 | below) |
57 | - If you log out while connected via Tor, you will not be able to log in | |
58 | without reconnecting. | |
6da654fb CFL |
59 | |
60 | If you haven't set up the requisite SASL authentication, we recommend SASL | |
61 | EXTERNAL. You'll need to generate a client certificate and add that to your | |
c3260969 | 62 | NickServ account. This is documented [in our knowledge base](kb/using/certfp). |
05b3480d | 63 | |
3ca39502 | 64 | Connecting using SASL EXTERNAL requires that you connect using TLS encryption. |
3e7dd983 | 65 | |
6da654fb CFL |
66 | You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack |
67 | comprehensive documentation for this, but it's a feature in most modern | |
68 | clients, so please check their docs for instructions for now. | |
50e402f7 EM |
69 | |
70 | ### Verifying Tor TLS connections | |
71 | ||
c54c1e2e | 72 | A Tor hidden service name securely identifies the service you are connecting to. Verifying the TLS server certificate is, strictly speaking, unnecessary while using the hidden service. Nonetheless, the following methods can be used to verify the hidden service's TLS server certificate. |
50e402f7 | 73 | |
c54c1e2e | 74 | The best way to ensure the TLS server-side certificate successfully validates is to add the following fragment to your `torrc` configuration file and configure your client to connect to `zettel.freenode.net` via Tor. The TLS server certificate used by the hidden service will validate using this hostname. |
50e402f7 EM |
75 | |
76 | # torrc snippet: | |
77 | MapAddress zettel.freenode.net ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion | |
78 | ||
79 | Older clients that don't support SOCKS4a or later will need to use `MapAddress` with an IP address, and the certificate will not validate successfully. In this case validation will need to be disabled. | |
80 | ||
81 | Note that the hidden service's certificate changes periodically as it is updated. This means that the *certificate fingerprint* cannot be reliably pinned. A few clients support *public key pinning*, however. For these clients the following *public key fingerprint* can be pinned: | |
82 | ||
83 | # sha256 public key fingerprint | |
84 | E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D |
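
The difference between a certificate fingerprint and a public key fingerprint, as an added example that is not part of the original page or of freenode's tooling: a renewed certificate that keeps the same key changes the first but not the second. It assumes the pin is SHA-256 over the DER-encoded SubjectPublicKeyInfo; the helper names and the toy certificates are constructed for illustration.

```python
import hashlib
import hmac

def read_tlv(buf, off):
    """Return (tag, value_start, end) of the DER element starting at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the whole SubjectPublicKeyInfo element of an X.509 certificate."""
    _, start, _ = read_tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, start)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version field
        pos = end
    for _ in range(5):                  # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    return der[pos:read_tlv(der, pos)[2]]

def fingerprint(data):
    return ":".join(f"{b:02X}" for b in hashlib.sha256(data).digest())

def key_pin(cert_der):
    # Assumption: the pin is SHA-256 over the DER SubjectPublicKeyInfo.
    return fingerprint(spki_from_cert(cert_der))

def pin_matches(cert_der, pinned):
    # cert_der is what ssl.SSLSocket.getpeercert(binary_form=True) returns
    return hmac.compare_digest(key_pin(cert_der), pinned.upper())

# Constructed sample data: unsigned toy certificates with the X.509 field layout.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length; toy data is < 128 bytes

def toy_cert(serial, spki):
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])),
              seq(), seq(), seq(tlv(0x17, b"250101000000Z")), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

SPKI_A = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + b"\x11" * 32))
SPKI_B = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + b"\x22" * 32))
OLD_CERT, RENEWED_CERT = toy_cert(1, SPKI_A), toy_cert(2, SPKI_A)
OTHER_KEY_CERT = toy_cert(3, SPKI_B)
```

`OLD_CERT` and `RENEWED_CERT` share a key, so `key_pin` is identical for both while `fingerprint` of the full certificate differs; `OTHER_KEY_CERT` fails the pin.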