-Client SSL certificates are also supported, and may be used for identification
-to services via [CertFP](#). If you have connected with a client certificate,
-_has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195_
-(showing your certificate's SHA1 fingerprint in place of _f1ecf46..._) will
-appear in WHOIS (a 276 numeric).
+ freenodeok2gncmy.onion
+
+The hidden service requires SASL authentication. In addition, due to the abuse
+that led Tor access to be disabled in the past, we have unfortunately had to
+add another couple of restrictions:
+
+- You must log in using SASL `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more
+ below)
+- If you log out while connected via Tor, you will not be able to log in
+ without reconnecting.
+
+If you haven't set up the requisite SASL authentication, we recommend SASL
+EXTERNAL. You'll need to generate a client certificate and add that to your
+NickServ account. This is documented [in our knowledge base](kb/using/certfp).
+
+Connecting using SASL EXTERNAL requires that you connect using SSL encryption.
+
+Note that due to the SSL certificates not matching the hidden service, you
+might have to disable the verification in your client. If your client supports
+*key* pinning, you can verify our Tor server's public key fingerprint:
+
+ E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D
+
+You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack
+comprehensive documentation for this, but it's a feature in most modern
+clients, so please check their docs for instructions for now.
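Review bot: The fingerprint added after "you can verify our Tor server's public key fingerprint:" is given without its hash algorithm or a statement of what is hashed. At 32 bytes it has the length of a SHA-256 digest, but a reader configuring pinning needs to know whether it covers the public key alone or the whole certificate, since clients differ in which they pin; suggest labelling it explicitly on the line that introduces the value. In the same paragraph, "you might have to disable the verification in your client" comes before the pinning alternative, so a reader may stop there; consider leading with pinning and presenting disabled verification as the fallback for clients that cannot pin. The link target `kb/using/certfp` is relative with no leading slash, so check that it resolves from this page's path. The removed paragraph also told users how to confirm their certificate was seen (the "has client certificate fingerprint" line in WHOIS, numeric 276); if the knowledge base page does not cover that check, keep a sentence on it here.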