ERC, HexChat, Smuxi, Quassel or mIRC.
You can connect to freenode by pointing your IRC client at `chat.freenode.net`
-on ports 6665-6667 and 8000-8002.
+on ports 6665-6667 and 8000-8002 for plain-text connections, or ports 6697, 7000
+and 7070 for SSL-encrypted connections.
## Accessing freenode Via SSL
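Review bot: The added sentence on the `+on ports 6665-6667 and 8000-8002 for plain-text connections` lines lists the plain-text ports first and gives the reader no reason to prefer the SSL ones. Since this patch also states further down that SASL EXTERNAL requires SSL, consider leading with 6697, 7000 and 7070 and describing the plain-text ports as the fallback.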
For most clients this should be sufficient. If not, you can download the root
certificate from
-[IdenTrust](https://www.identrust.com/certificates/trustid/root-download-x3.html).
+[LetsEncrypt](https://letsencrypt.org/certificates/).
Client SSL certificates are also supported, and may be used for identification
to services. See [this kb article](kb/using/certfp). If you have connected with
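Review bot: The replacement link on the `+[LetsEncrypt](https://letsencrypt.org/certificates/)` line points at a general certificates page, while the sentence still says "download the root certificate" and the removed IdenTrust link pointed at one specific root download. Name the certificate the reader should fetch so they do not have to guess. The link text should also read "Let's Encrypt".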
restrictions. You can't directly connect to chat.freenode.net via Tor; use
the following hidden service as the server address instead:
+ ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion
+
+If you are using an old version of Tor (before 0.3.5) that does not support
+v3 addresses, you should instead use the following address:
+
freenodeok2gncmy.onion
The hidden service requires SASL authentication. In addition, due to the abuse
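Review bot: The fallback paragraph at `+If you are using an old version of Tor (before 0.3.5)` does not make clear whether 0.3.5 is the first release that understands v3 addresses or simply the oldest release the project wants to support; please confirm the version and word it accordingly. It would also help to tell those users that upgrading Tor is preferred over using the short address, and to say whether the `MapAddress` instructions added further down in this patch have an equivalent for it.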
EXTERNAL. You'll need to generate a client certificate and add that to your
NickServ account. This is documented [in our knowledge base](kb/using/certfp).
-Note that due to the SSL certificates not matching the hidden service, you
-might have to disable the verification in your client. If your client supports
-*key* pinning, you can verify our Tor server's public key fingerprint:
-
- E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D
+Connecting using SASL EXTERNAL requires that you connect using SSL encryption.
You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack
comprehensive documentation for this, but it's a feature in most modern
clients, so please check their docs for instructions for now.
+
+### Verifying Tor TLS connections
+
+**A Tor hidden service name securely identifies the service you are connecting to. Verifying the TLS server certificate is strickly-speaking unnecessary while using the hidden service.** Nonetheless the following methods can be used to verify the hidden service's TLS server certificate.
+
+The best way to ensure the TLS server-side certificate successfully validates is to add the following fragment to your `torrc` configuration file and configure your client to connect to `zettel.freenode.net`. The TLS server certificate used by the hidden service will validate using this hostname.
+
+ # torrc snippet:
+ MapAddress zettel.freenode.net ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion
+
+Older clients that don't support SOCKS4a or later will need to use `MapAddress` with an IP address, and the certificate will not validate successfully. In this case validation will need to be disabled.
+
+Note that the hidden service's certificate changes periodically as it is updated. This means that the *certificate fingerprint* can not be reliably pinned. A few clients support *public key pinning*, however. For these clients the following *public key fingerprint* can be pinned:
+
+ # sha256 public key fingerprint
+ E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D
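Review bot: In the bold paragraph under `### Verifying Tor TLS connections`, the statement that the onion name identifies the service holds only while the client is configured with the onion address, but the recommended `MapAddress` setup has the client connect to `zettel.freenode.net`, so the guarantee then rests on the `torrc` mapping being in effect. Suggest stating that dependency next to the snippet and saying that certificate validation should stay enabled in that setup. The pinning block is labelled only `# sha256 public key fingerprint`; say what exactly is hashed and in which encoding, since the removed text gave no more detail either and clients differ in the format they accept. Also, "strickly-speaking" in the same paragraph should be "strictly speaking".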