[irc/freenode/web-7.0.git] / content / kb / connect / chat.md

Title: Connecting to freenode
Slug: chat
---

The freenode network can be accessed via the [freenode
webchat](//webchat.freenode.net) or using an IRC client such as irssi, WeeChat,
ERC, HexChat, Smuxi, Quassel or mIRC.

You can connect to freenode by pointing your IRC client at `chat.freenode.net`
on ports 6665-6667 and 8000-8002 for plain-text connections, or ports 6697, 7000
and 7070 for TLS-encrypted connections.

## Accessing freenode Via TLS

freenode provides TLS client access on all servers, on ports 6697, 7000 and
7070. Users connecting over TLS will be given user mode +Z, and _is using a
secure connection_ will appear in WHOIS (a 671 numeric).

In order to verify the server certificates on connection, some additional work
may be required. First, ensure that your system has an up-to-date set of root
CA certificates. On most linux distributions this will be in a package named
something like ca-certificates. Many systems install these by default, but some
(such as FreeBSD) do not.  For FreeBSD, the package is named ca\_root\_nss,
which will install the appropriate root certificates in
/usr/local/share/certs/ca-root-nss.crt.

Certificate verification will generally only work when connecting to
**`freenode.net`**. If your client thinks the server's certificate is invalid,
make sure you are connecting to `chat.freenode.net` rather than any other name
that leads to freenode.

For most clients this should be sufficient. If not, you can download the root
certificate from
[LetsEncrypt](https://letsencrypt.org/certificates/).

Client TLS certificates are also supported, and may be used for identification
to services. See [this kb article](kb/using/certfp). If you have connected with
a client certificate, _has client certificate fingerprint
f1ecf46714198533cda14cccc76e5d7114be4195_ (showing your certificate's SHA1
fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric).

## Accessing freenode Via Tor

freenode is also reachable via [Tor<i class="fa fa-external-link"
aria-hidden="true"></i>](https://www.torproject.org/), bound to some
restrictions. You can't directly connect to chat.freenode.net via Tor; use
the following hidden service as the server address instead:

    ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion

The hidden service requires SASL authentication. In addition, due to the abuse
that led Tor access to be disabled in the past, we have unfortunately had to
add another couple of restrictions:

- You must log in using SASL `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more
  below)
- If you log out while connected via Tor, you will not be able to log in
  without reconnecting.

If you haven't set up the requisite SASL authentication, we recommend SASL
EXTERNAL. You'll need to generate a client certificate and add that to your
NickServ account. This is documented [in our knowledge base](kb/using/certfp).

Connecting using SASL EXTERNAL requires that you connect using TLS encryption.

You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack
comprehensive documentation for this, but it's a feature in most modern
clients, so please check their docs for instructions for now.

### Verifying Tor TLS connections

A Tor hidden service name securely identifies the service you are connecting to. Verifying the TLS server certificate is strickly-speaking unnecessary while using the hidden service. Nonetheless the following methods can be used to verify the hidden service's TLS server certificate.

The best way to ensure the TLS server-side certificate successfully validates is to add the following fragment to your `torrc` configuration file and configure your client to connect to `zettel.freenode.net` via Tor. The TLS server certificate used by the hidden service will validate using this hostname.

    # torrc snippet:
    MapAddress zettel.freenode.net ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion

Older clients that don't support SOCKS4a or later will need to use `MapAddress` with an IP address, and the certificate will not validate successfully. In this case validation will need to be disabled.

Note that the hidden service's certificate changes periodically as it is updated. This means that the *certificate fingerprint* can not be reliably pinned. A few clients support *public key pinning*, however. For these clients the following *public key fingerprint* can be pinned:

    # sha256 public key fingerprint
    E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D
Commit	Line	Data
de97d234	1	Title: Connecting to freenode
c7279396	2	Slug: chat
c7279396	3	---
c7279396	4
05b3480d EK	5	The freenode network can be accessed via the [freenode
	6	webchat](//webchat.freenode.net) or using an IRC client such as irssi, WeeChat,
	7	ERC, HexChat, Smuxi, Quassel or mIRC.
	8
	9	You can connect to freenode by pointing your IRC client at `chat.freenode.net`
7d5bfc26	10	on ports 6665-6667 and 8000-8002 for plain-text connections, or ports 6697, 7000
3ca39502	11	and 7070 for TLS-encrypted connections.
a1b22831	12
3ca39502	13	## Accessing freenode Via TLS
a1b22831	14
3ca39502 EM	15	freenode provides TLS client access on all servers, on ports 6697, 7000 and
3ca39502 EM	16	7070. Users connecting over TLS will be given user mode +Z, and _is using a
dac9cb26	17	secure connection_ will appear in WHOIS (a 671 numeric).
05b3480d EK	18
	19	In order to verify the server certificates on connection, some additional work
	20	may be required. First, ensure that your system has an up-to-date set of root
	21	CA certificates. On most linux distributions this will be in a package named
	22	something like ca-certificates. Many systems install these by default, but some
	23	(such as FreeBSD) do not. For FreeBSD, the package is named ca\_root\_nss,
	24	which will install the appropriate root certificates in
	25	/usr/local/share/certs/ca-root-nss.crt.
a1b22831	26
05b3480d EK	27	Certificate verification will generally only work when connecting to
	28	`freenode.net`. If your client thinks the server's certificate is invalid,
	29	make sure you are connecting to `chat.freenode.net` rather than any other name
	30	that leads to freenode.
debd708e	31
3f819807 EK	32	For most clients this should be sufficient. If not, you can download the root
3f819807 EK	33	certificate from
29ce2dd1	34	[LetsEncrypt](https://letsencrypt.org/certificates/).
a1b22831	35
3ca39502	36	Client TLS certificates are also supported, and may be used for identification
05b3480d EK	37	to services. See [this kb article](kb/using/certfp). If you have connected with
	38	a client certificate, _has client certificate fingerprint
	39	f1ecf46714198533cda14cccc76e5d7114be4195_ (showing your certificate's SHA1
	40	fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric).
6da654fb CFL	41
	42	## Accessing freenode Via Tor
	43
05b3480d EK	44	freenode is also reachable via [Tor<i class="fa fa-external-link"
05b3480d EK	45	aria-hidden="true"></i>](https://www.torproject.org/), bound to some
3f819807 EK	46	restrictions. You can't directly connect to chat.freenode.net via Tor; use
3f819807 EK	47	the following hidden service as the server address instead:
6da654fb	48
c278d82d D	49	ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion
c278d82d D	50
05b3480d EK	51	The hidden service requires SASL authentication. In addition, due to the abuse
	52	that led Tor access to be disabled in the past, we have unfortunately had to
	53	add another couple of restrictions:
6da654fb	54
3f819807	55	- You must log in using SASL `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more
05b3480d EK	56	below)
	57	- If you log out while connected via Tor, you will not be able to log in
	58	without reconnecting.
6da654fb CFL	59
	60	If you haven't set up the requisite SASL authentication, we recommend SASL
	61	EXTERNAL. You'll need to generate a client certificate and add that to your
c3260969	62	NickServ account. This is documented [in our knowledge base](kb/using/certfp).
05b3480d	63
3ca39502	64	Connecting using SASL EXTERNAL requires that you connect using TLS encryption.
3e7dd983	65
6da654fb CFL	66	You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack
	67	comprehensive documentation for this, but it's a feature in most modern
	68	clients, so please check their docs for instructions for now.
50e402f7 EM	69
	70	### Verifying Tor TLS connections
	71
c54c1e2e	72	A Tor hidden service name securely identifies the service you are connecting to. Verifying the TLS server certificate is strickly-speaking unnecessary while using the hidden service. Nonetheless the following methods can be used to verify the hidden service's TLS server certificate.
50e402f7	73
c54c1e2e	74	The best way to ensure the TLS server-side certificate successfully validates is to add the following fragment to your `torrc` configuration file and configure your client to connect to `zettel.freenode.net` via Tor. The TLS server certificate used by the hidden service will validate using this hostname.
50e402f7 EM	75
	76	# torrc snippet:
	77	MapAddress zettel.freenode.net ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion
	78
	79	Older clients that don't support SOCKS4a or later will need to use `MapAddress` with an IP address, and the certificate will not validate successfully. In this case validation will need to be disabled.
	80
	81	Note that the hidden service's certificate changes periodically as it is updated. This means that the certificate fingerprint can not be reliably pinned. A few clients support public key pinning, however. For these clients the following public key fingerprint can be pinned:
	82
	83	# sha256 public key fingerprint
	84	E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D