content/kb/connect/chat.md

   1 Title: Connecting to freenode
   2 Slug: chat
   3 ---
   4
   5 The freenode network can be accessed via the [freenode
   6 webchat](//webchat.freenode.net) or using an IRC client such as irssi, WeeChat,
   7 ERC, HexChat, Smuxi, Quassel or mIRC.
   8
   9 You can connect to freenode by pointing your IRC client at `chat.freenode.net`
  10 on ports 6665-6667 and 8000-8002.
  11
  12 ## Accessing freenode Via SSL
  13
  14 freenode provides SSL client access on all servers, on ports 6697, 7000 and
  15 7070. Users connecting over SSL will be given user mode +Z, and _is using a
  16 secure connection_ will appear in WHOIS (a 671 numeric). Webchat users will not
  17 currently appear with +Z or the 671 numeric, even if they connect to webchat
  18 via SSL.
  19
  20 In order to verify the server certificates on connection, some additional work
  21 may be required. First, ensure that your system has an up-to-date set of root
  22 CA certificates. On most linux distributions this will be in a package named
  23 something like ca-certificates. Many systems install these by default, but some
  24 (such as FreeBSD) do not.  For FreeBSD, the package is named ca\_root\_nss,
  25 which will install the appropriate root certificates in
  26 /usr/local/share/certs/ca-root-nss.crt.
  27
  28 Certificate verification will generally only work when connecting to
  29 **`freenode.net`**. If your client thinks the server's certificate is invalid,
  30 make sure you are connecting to `chat.freenode.net` rather than any other name
  31 that leads to freenode.
  32
  33 For most clients this should be sufficient. If not, you can download the root
  34 certificate from
  35 [IdenTrust](https://www.identrust.com/certificates/trustid/root-download-x3.html).
  36
  37 Client SSL certificates are also supported, and may be used for identification
  38 to services. See [this kb article](kb/using/certfp). If you have connected with
  39 a client certificate, _has client certificate fingerprint
  40 f1ecf46714198533cda14cccc76e5d7114be4195_ (showing your certificate's SHA1
  41 fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric).
  42
  43 ## Accessing freenode Via Tor
  44
  45 freenode is also reachable via [Tor<i class="fa fa-external-link"
  46 aria-hidden="true"></i>](https://www.torproject.org/), bound to some
  47 restrictions. You can't directly connect to chat.freenode.net via Tor; use
  48 the following hidden service as the server address instead:
  49
  50     freenodeok2gncmy.onion
  51
  52 The hidden service requires SASL authentication. In addition, due to the abuse
  53 that led Tor access to be disabled in the past, we have unfortunately had to
  54 add another couple of restrictions:
  55
  56 - You must log in using SASL `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more
  57   below)
  58 - If you log out while connected via Tor, you will not be able to log in
  59   without reconnecting.
  60
  61 If you haven't set up the requisite SASL authentication, we recommend SASL
  62 EXTERNAL. You'll need to generate a client certificate and add that to your
  63 NickServ account. This is documented [in our knowledge base](kb/using/certfp).
  64
  65 Note that due to the SSL certificates not matching the hidden service, you
  66 might have to disable the verification in your client. If your client supports
  67 *key* pinning, you can verify our Tor server's public key fingerprint:
  68
  69     E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D
  70
  71 You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack
  72 comprehensive documentation for this, but it's a feature in most modern
  73 clients, so please check their docs for instructions for now.