X-Git-Url: https://jfr.im/git/irc/freenode/web-7.0.git/blobdiff_plain/71afacfdc4b4da144bf4427f7e3f244a3da5e725..6da654fb1a4ef0b0ed2d43c7a544799ee00e6e3d:/content/kb/connect/chat.md diff --git a/content/kb/connect/chat.md b/content/kb/connect/chat.md index c0dc904ee..0f3d6b439 100644 --- a/content/kb/connect/chat.md +++ b/content/kb/connect/chat.md @@ -18,5 +18,31 @@ Certificate verification will generally only work when connecting to **`freenode For most clients this should be sufficient. If not, you can download the required intermediate cert from [Gandi](http://crt.gandi.net/GandiStandardSSLCA.crt) and the root cert from [Instant SSL](http://www.instantssl.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt). -Client SSL certificates are also supported, and may be used for identification to services via [CertFP](#XXX). If you have connected with a client certificate, _has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195_ (showing +Client SSL certificates are also supported, and may be used for identification to services. See [this kb article](kb/using/nickcerts). If you have connected with a client certificate, _has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195_ (showing your certificate's SHA1 fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric). + +## Accessing freenode Via Tor + +freenode is also reachable via [Tor](https://www.torproject.org/), bound to some restrictions. You can't directly connect to chat.freenode.net via Tor +but rather have to use the following hidden service as server address: + + freenodeok2gncmy.onion + +The hidden service requires SASL authentication. In addition, due to +the abuse that led Tor access to be disabled in the past, we have +unfortunately had to add another couple of restrictions: + +- You must log in using SASL's `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more + below) +- If you log out while connected via Tor, you will not be able to log in without + reconnecting. + +If you haven't set up the requisite SASL authentication, we recommend SASL +EXTERNAL. You'll need to generate a client certificate and add that to your +NickServ account. This is documented [in our knowledge base](kb/using/nickcerts). +Note that due to the SSL certificates not matching the hidden service, +you might have to disable the verification in your client. + +You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack +comprehensive documentation for this, but it's a feature in most modern +clients, so please check their docs for instructions for now.