Title: Connecting to freenode
Slug: chat
---

The freenode network can be accessed via the
[freenode webchat](//webchat.freenode.net) or using an IRC client such as irssi,
WeeChat, ERC, HexChat, Smuxi, Quassel or mIRC.

You can connect to freenode by pointing your IRC client at `chat.freenode.net`
on ports 6665-6667 and 8000-8002 for plain-text connections, or ports 6697, 7000
and 7070 for SSL-encrypted connections.

## Accessing freenode Via SSL

freenode provides SSL client access on all servers, on ports 6697, 7000 and
7070. Users connecting over SSL will be given user mode +Z, and _is using a
secure connection_ will appear in WHOIS (a 671 numeric). Webchat users will not
currently appear with +Z or the 671 numeric, even if they connect to webchat
via SSL.

In order to verify the server certificates on connection, some additional work
may be required. First, ensure that your system has an up-to-date set of root
CA certificates. On most Linux distributions this will be in a package named
something like ca-certificates. Many systems install these by default, but some
(such as FreeBSD) do not. For FreeBSD, the package is named ca\_root\_nss,
which will install the appropriate root certificates in
/usr/local/share/certs/ca-root-nss.crt.

Certificate verification will generally only work when connecting to
**`freenode.net`**. If your client thinks the server's certificate is invalid,
make sure you are connecting to `chat.freenode.net` rather than any other name
that leads to freenode.

For most clients this should be sufficient. If not, you can download the root
certificate from
[Let's Encrypt](https://letsencrypt.org/certificates/).

Client SSL certificates are also supported, and may be used for identification
to services. See [this kb article](kb/using/certfp). If you have connected with
a client certificate, _has client certificate fingerprint
f1ecf46714198533cda14cccc76e5d7114be4195_ (showing your certificate's SHA1
fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric).

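The two WHOIS checks described in this section (the 671 numeric for a secure connection and the 276 numeric carrying your certificate's SHA1 fingerprint) can be automated. The following is an added example, not part of the freenode documentation; the raw reply layout, the server name `irc.example.net`, the nick `alice` and the helper names are assumptions, and the sample certificate is constructed placeholder bytes rather than a real certificate.

```python
import hashlib
import re
import ssl

# Raw reply layout assumed here: ":server NUMERIC requester target :text"
WHOIS_LINE = re.compile(r"^:\S+ (?P<num>\d{3}) \S+ (?P<nick>\S+) :(?P<text>.*)$")
CERTFP_TEXT = re.compile(r"^has client certificate fingerprint ([0-9a-fA-F]+)$")


def certfp_sha1(pem_cert):
    """SHA1 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def whois_security(lines, nick):
    """Return (secure, certfp) for nick: 671 seen, fingerprint from 276."""
    secure, certfp = False, None
    for line in lines:
        m = WHOIS_LINE.match(line.rstrip("\r\n"))
        # Nick comparison is ASCII case-insensitive only (a simplification).
        if not m or m["nick"].lower() != nick.lower():
            continue
        if m["num"] == "671":
            secure = True
        elif m["num"] == "276":
            fp = CERTFP_TEXT.match(m["text"])
            certfp = fp.group(1).lower() if fp else None
    return secure, certfp


def session_uses_cert(lines, nick, pem_cert):
    """True only if WHOIS shows both a secure connection and this cert."""
    secure, certfp = whois_security(lines, nick)
    return secure and certfp == certfp_sha1(pem_cert)


# Constructed sample data: placeholder bytes, not a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a real cert")
SAMPLE_WHOIS = [
    ":irc.example.net 311 alice alice ~alice host.example.net * :Alice",
    ":irc.example.net 671 alice alice :is using a secure connection",
    ":irc.example.net 276 alice alice :has client certificate fingerprint "
    + certfp_sha1(SAMPLE_PEM),
    ":irc.example.net 318 alice alice :End of /WHOIS list.",
]

if __name__ == "__main__":
    print(whois_security(SAMPLE_WHOIS, "alice"))
    print(session_uses_cert(SAMPLE_WHOIS, "alice", SAMPLE_PEM))
```
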
## Accessing freenode Via Tor

freenode is also reachable via [Tor<i class="fa fa-external-link"
aria-hidden="true"></i>](https://www.torproject.org/), subject to some
restrictions. You can't directly connect to chat.freenode.net via Tor; use
the following hidden service as the server address instead:

    freenodeok2gncmy.onion

The hidden service requires SASL authentication. In addition, due to the abuse
that led Tor access to be disabled in the past, we have unfortunately had to
add another couple of restrictions:

- You must log in using SASL `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more
  below)
- If you log out while connected via Tor, you will not be able to log in
  without reconnecting.

If you haven't set up the requisite SASL authentication, we recommend SASL
EXTERNAL. You'll need to generate a client certificate and add that to your
NickServ account. This is documented [in our knowledge base](kb/using/certfp).

Connecting using SASL EXTERNAL requires that you connect using SSL encryption.

Note that because the SSL certificates do not match the hidden service's
address, you might have to disable certificate verification in your client. If
your client supports *key* pinning, you can verify our Tor server's public key
fingerprint:

    E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D

You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack
comprehensive documentation for this, but it's a feature in most modern
clients, so please check their docs for instructions for now.