---
Title: CertFP
Slug: certfp
---

As an alternative to password-based authentication, you can connect to freenode
with a TLS certificate and have services recognise it automatically.

Creating a self-signed certificate
==================================

In order to follow these instructions, you will need the `openssl` utility. If
you are using Windows and do not have a copy, you might consider using Cygwin.

You can generate a certificate with the following command:

    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem

You will be prompted for various pieces of information about the certificate.
The contents do not matter for our purposes, but `openssl` needs at least one of
them to be non-empty.

The `.pem` file will have the same access to your NickServ account as your
password does, so take appropriate care in securing it.

Under Unix-like environments, the following command:

    openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1

will list the certificate fingerprint.


Connecting to freenode with your certificate
============================================

IRC clients generally differ in where they look for a certificate and how you
configure them to offer it to the server. If yours is not yet listed here, the
advice in this section is unlikely to apply, but guides may be available
elsewhere on the web.

irssi
-----

Move the certificate you created above to `~/.irssi/certs`:

    mkdir ~/.irssi/certs
    mv freenode.pem ~/.irssi/certs

Now configure your `/server` entry for freenode to use this certificate. You
may need to adapt this example for your existing configuration (the network
and hostname should match what you already use).

    /server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -network freenode chat.freenode.net 6697

weechat
-------

Move the certificate you created above to `~/.weechat/certs`:

    mkdir ~/.weechat/certs
    mv freenode.pem ~/.weechat/certs

Now disconnect from and remove the current freenode server(s). Re-add it with
the SSL flag, using your newly generated certificate. Note that these commands
are only examples; adapt them to your current server configuration.

    /set irc.server.freenode.addresses chat.freenode.net/6697
    /set irc.server.freenode.ssl on
    /set irc.server.freenode.ssl_verify on
    /set irc.server.freenode.ssl_cert %h/certs/freenode.pem
    /set irc.server.freenode.sasl_mechanism external

and then reconnect to freenode.

znc
---

Refer to znc's [official documentation](http://wiki.znc.in/Cert).

HexChat
-------

The pem file should be placed in `certs/network name.pem` in the HexChat config
directory (`~/.config/hexchat/` or `%appdata%\HexChat`), where `network name`
is the name of the network as it appears in the network list (Ctrl-S). Note
that the `certs` directory does not exist by default and you will have to
create it yourself. Once the file is there, all subsequent SSL connections to
that network will use the certificate.


Add your fingerprint to NickServ
================================

Once connected, you can check whether the server sees a fingerprint by using
`/whois` on yourself:

    /whois YourOwnNick
    ...
    YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a
    ...

To allow NickServ to recognise you based on your certificate, you need to add
the fingerprint to your account (you will need to log in by other means in order
to do so).

You can then authorise your current certificate fingerprint:

    /msg NickServ CERT ADD

In the future, any connections you make to freenode with your certificate will
be logged into your account automatically. Optionally, or if you wish to connect
via Tor, you can enable SASL with the `EXTERNAL` mechanism.
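The fingerprint pipeline and the `/whois` check from the sections above, as an added example that is not part of the freenode documentation (Python, standard library only). It assumes the single-file key-plus-certificate layout the page's `openssl req ... -out freenode.pem -keyout freenode.pem` command produces; `SAMPLE_PEM` is constructed, so its "certificate" is just the bytes `abc` and the fingerprint is SHA-1's standard test vector rather than a real certificate's.

```python
"""CertFP helper for the freenode.pem produced on this page (stdlib only).

Assumes the layout of `openssl req ... -out freenode.pem -keyout freenode.pem`:
the private key and the certificate share one PEM file.
"""
import base64
import hashlib
import re
import stat

# Only the certificate is fingerprinted; the private key block is never read.
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_der_from_pem(pem_text):
    """DER bytes of the first CERTIFICATE block (openssl writes the key first)."""
    m = CERT_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM data")
    return base64.b64decode("".join(m.group(1).split()))

def certfp(pem_text, algo="sha1"):
    """Lower-case hex fingerprint; with sha1 it equals the page's
    `openssl x509 -in freenode.pem -outform der | sha1sum` output."""
    return hashlib.new(algo, cert_der_from_pem(pem_text)).hexdigest()

def normalise(fp):
    """Accept `openssl x509 -fingerprint` style (AB:CD:...) or /whois style."""
    return fp.replace(":", "").strip().lower()

def matches_whois(pem_text, whois_line):
    """True if the last token of a /whois reply line is this certificate's
    fingerprint, i.e. the server sees the certificate you meant to offer."""
    return normalise(whois_line.rsplit(None, 1)[-1]) == certfp(pem_text)

def permissions_ok(mode):
    """The .pem grants the same access as the NickServ password, so refuse
    any group/other bits; pass os.stat(path).st_mode (0o600 is fine)."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

# Constructed sample, not a real key pair: the "certificate" body is
# base64("abc"), so its SHA-1 is the standard test vector a9993e36...
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(certfp(SAMPLE_PEM))
```

Run `certfp(open("freenode.pem").read())` against your real file and compare the result with the `/whois` line before issuing `CERT ADD`.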