X-Git-Url: https://jfr.im/git/irc/freenode/web-7.0.git/blobdiff_plain/c3260969ab760abd6ded892309829c4682f9ad3a..b44d1345f8d33c1627ad263fb7831450a710823b:/content/kb/using/certfp.md?ds=sidebyside diff --git a/content/kb/using/certfp.md b/content/kb/using/certfp.md index 8032c0816..1fafe6dac 100644 --- a/content/kb/using/certfp.md +++ b/content/kb/using/certfp.md @@ -6,6 +6,8 @@ Slug: certfp As an alternative to password-based authentication, you can connect to freenode with a TLS certificate and have services recognise it automatically. +For SASL EXTERNAL to work, you must connect over SSL. + Creating a self-signed certificate ================================== @@ -14,7 +16,7 @@ you are using Windows and do not have a copy, you might consider using Cygwin. You can generate a certificate with the following command: - openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -out freenode.pem -keyout freenode.pem + openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem You will be prompted for various pieces of information about the certificate. The contents do not matter for our purposes, but `openssl` needs at least one of @@ -58,7 +60,7 @@ weechat Move the certificates you created above to ~/.weechat/certs mkdir ~/.weechat/certs - mv nick.pem ~/.weechat/certs + mv freenode.pem ~/.weechat/certs Now disconnect and remove the current freenode server(s). Re-add it with the SSL flag, using your newly generated certificate. Note that these commands are @@ -67,7 +69,7 @@ just examples, you have to adapt them to your current servers. /set irc.server.freenode.addresses chat.freenode.net/6697 /set irc.server.freenode.ssl on /set irc.server.freenode.ssl_verify on - /set irc.server.freenode.ssl_cert %h/certs/nick.pem + /set irc.server.freenode.ssl_cert %h/certs/freenode.pem /set irc.server.freenode.sasl_mechanism external and then reconnect to freenode. 
@@ -77,6 +79,35 @@ znc Refer to znc's [official documentation](http://wiki.znc.in/Cert). +HexChat +------- + +Place the .pem file in `certs/client.pem` in the HexChat config +directory (`~/.config/hexchat/` or `%appdata%\HexChat`). Note +that the `certs` directory does not exist by default and you will have to +create it yourself. Once the file is there, all subsequent SSL connections +will use the certificate. + +If you connect to multiple IRC networks, you should keep in mind that using the +filename `certs/client.pem` will send the same certificate to all networks. If +you prefer per-network certificates, use the name of the network exactly +as it appears in the network list (Ctrl-S), including capitalisation and +punctuation (e.g. `certs/freenode.pem` or `certs/Example Server.pem`). + +Konversation +------------ + +Create the .pem file as per above, then place it wherever you want. +Start Konversation, then open the Identity dialogue by either pressing F8 +or via the Settings menu entry. Choose the identity you use for the +freenode network or create a new one. +In the part `Auto Identity` you have to choose `SASL External (Cert)` +as the `Type` for SASL External or `SSL CLient Certificate` for CertFP. +SASL External requires at least version 1.7 of Konversation. +Optionally fill in your account name in the `Account`field. +You can then choose the certificate you created with the file picker +or enter the path manually in the field next to it. +Once done, apply the configuration and (re)connect to freenode. Add your fingerprint to NickServ ================================
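Review bot: The sentence added in the intro hunk (@@ -6,6 +6,8 @@) says "SSL" while the sentence directly above it says "TLS certificate", so the page now uses two names for the same thing within three lines. Pick one term. Since a client certificate is only presented during the TLS handshake, consider wording the requirement so it clearly applies to CertFP as a whole and not only to SASL EXTERNAL.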
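Review bot: In the openssl hunk (@@ -14,7 +16,7 @@), the new `-nodes` flag writes the private key without a passphrase, and because `-out` and `-keyout` both point at `freenode.pem`, that single file is all anyone needs to authenticate as the account. The surrounding text should say this explicitly and tell the reader to restrict the file to their own user (for example `chmod 600 freenode.pem`) before the later sections have them copy it into a client's config directory.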
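Review bot: In the Konversation section of the last hunk (@@ -77,6 +79,35 @@), `SSL CLient Certificate` has a stray capital L and `Account`field is missing the space after the closing backtick. Readers will look for these labels verbatim in the Identity dialogue, so they should match the UI exactly. In the HexChat section of the same hunk, the paragraph about `certs/client.pem` being sent to all networks could state the consequence in one clause: every network you connect to sees the same certificate fingerprint.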