From: Christian (Fuchs) Loosli Date: Tue, 20 Sep 2016 10:45:28 +0000 (+0200) Subject: Add Tor and needed NickServ certificate docs X-Git-Url: https://jfr.im/git/irc/freenode/web-7.0.git/commitdiff_plain/6da654fb1a4ef0b0ed2d43c7a544799ee00e6e3d?hp=71afacfdc4b4da144bf4427f7e3f244a3da5e725 Add Tor and needed NickServ certificate docs Fixes #242 and re-adds info needed for CertFP and SASL external --- diff --git a/content/kb/connect/chat.md b/content/kb/connect/chat.md index c0dc904ee..0f3d6b439 100644 --- a/content/kb/connect/chat.md +++ b/content/kb/connect/chat.md 
@@ -18,5 +18,31 @@ Certificate verification will generally only work when connecting to **`freenode For most clients this should be sufficient. If not, you can download the required intermediate cert from [Gandi](http://crt.gandi.net/GandiStandardSSLCA.crt) and the root cert from [Instant SSL](http://www.instantssl.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt). -Client SSL certificates are also supported, and may be used for identification to services via [CertFP](#XXX). If you have connected with a client certificate, _has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195_ (showing +Client SSL certificates are also supported, and may be used for identification to services. See [this kb article](kb/using/nickcerts). If you have connected with a client certificate, _has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195_ (showing your certificate's SHA1 fingerprint in place of _f1ecf46..._) will appear in WHOIS (a 276 numeric). + +## Accessing freenode Via Tor + +freenode is also reachable via [Tor](https://www.torproject.org/), bound to some restrictions. You can't directly connect to chat.freenode.net via Tor +but rather have to use the following hidden service as server address: + + freenodeok2gncmy.onion + +The hidden service requires SASL authentication. In addition, due to +the abuse that led Tor access to be disabled in the past, we have +unfortunately had to add another couple of restrictions: + +- You must log in using SASL's `EXTERNAL` or `ECDSA-NIST256P-CHALLENGE` (more + below) +- If you log out while connected via Tor, you will not be able to log in without + reconnecting. + +If you haven't set up the requisite SASL authentication, we recommend SASL +EXTERNAL. You'll need to generate a client certificate and add that to your +NickServ account. This is documented [in our knowledge base](kb/using/nickcerts). 
+Note that due to the SSL certificates not matching the hidden service, +you might have to disable the verification in your client. + +You'll then want to tell your client to try the `EXTERNAL` mechanism. We lack +comprehensive documentation for this, but it's a feature in most modern +clients, so please check their docs for instructions for now. diff --git a/content/kb/using/nickcerts.md b/content/kb/using/nickcerts.md new file mode 100644 index 000000000..b82d1d201 --- /dev/null +++ b/content/kb/using/nickcerts.md 
@@ -0,0 +1,102 @@ +Title: NickServ and certificates +Slug: nickcerts +--- + +You can add a certificate fingerprint to your NickServ account in order to identify via CertFP or via SASL external. +In order to do so, you need an IRC client which supports SSL with a client certificate. + +Creating a self-signed certificate +================================== + +First you need generate a self-signed certificate. We will be using OpenSSL which should be available for most unix-like operating systems and also via ports to other platforms, such as Microsoft Windows. + +To generate a certificate and key, the `openssl` command can be used with the 'req' option. + + openssl req -nodes -newkey rsa:2048 -keyout nick.key -x509 -days 365 -out nick.crt + +Fill out the fields as you wish, it does not matter whether you put in correct address information or not. + + cat nick.crt nick.key > nick.pem + +Note that these files should be placed on secure storage, with correct permissions +(e.g. `chmod 400` for the .key and .pem file on unix like systems) and not given to third parties. +You can also protect your key with a password if your client can handle that. + + +Connecting to freenode with your certificate +============================================ + +How you have to add the certificate depends on your client. +If the one you are using is not listed here yet, please consult your client's documentation. +Documentation for various clients is also available on the website of our friends at +[OFTC](https://www.oftc.net/NickServ/CertFP/), +most of it can be adopted to freenode by just changing the server address. +We are also open to pull requests to add new clients. + +irssi +----- + +Move the certificates you created above to ~/.irssi/certs + + mkdir ~/.irssi/certs + mv nick.{key,crt,pem} ~/.irssi/certs + +Now remove the current freenode server(s) and re-add it with the SSL flag, +using your newly generated certificate. 
Note that these commands are just examples, +you have to adapt them to your current networks and servers. + + /server remove chat.freenode.net + /network add freenode + /server add -auto -ssl -ssl_cert ~/.irssi/certs/nick.pem -ssl_verify -network freenode chat.freenode.net 6697 + +Also if you plan to use Tor and add the hidden service instead, -ssl_verify has to be omitted as the certificate +won't match the hidden service. + +weechat +------- + +Move the certificates you created above to ~/.weechat/certs + + mkdir ~/.weechat/certs + mv nick.{key,crt,pem} ~/.weechat/certs + +Now disconnect and remove the current freenode server(s). +Re-add it with the SSL flag, using your newly generated certificate. + + /disconnect freenode + /server del freenode + /server add freenode chat.freenode.net/6697 -ssl -ssl_verify -autoconnect + /set irc.server.freenode.ssl_cert %h/certs/nick.pem + +and then reconnect to freenode. + +znc +--- + +znc provides an official documentation in +[their wiki](http://en.znc.in/wiki/Cert) + + +Add your fingerprint to NickServ +================================ + +If you added the certificate to your client you can now connect to freenode. +You can then check whether you have a fingerprint by using `whois` on yourself: + + /whois YourOwnNick + ... + YourOwnNick has client certificate fingerprint f3a1aad46ca88e180c25c9c7021a4b3a + ... + +This means that your certificate is working. + +To allow NickServ to identify you based on this certificate, you need to add the fingerprint to your account. +If you are not identified with NickServ, then do so now. See `/msg nickserv help identify` if needed. + +Afterwards you can add the fingerprint with the `CERT ADD` command: + + /msg NickServ CERT ADD f3a1aad46ca88e180c25c9c7021a4b3a + +Nickserv will message back saying that the fingerprint was added. +You can now use it to identify via CertFP or SASL EXTERNAL. +Please refer to your client documentation on how to do so. 
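Review bot: in the new nickcerts.md, the WHOIS example fingerprint `f3a1aad46ca88e180c25c9c7021a4b3a` is 32 hex digits, while the chat.md text in this same patch describes the WHOIS value as the certificate's SHA1 fingerprint and shows a 40-digit one (`f1ecf46714198533cda14cccc76e5d7114be4195`); the two pages should agree on the hash and its length, otherwise a reader will not know what to expect from `/whois` or what to paste into `CERT ADD`. Two further points on the certificate section: `openssl req -nodes ...` writes an unencrypted private key into the working directory under the default umask before the later `chmod 400`, so suggest either prefixing `umask 077` or creating the files directly in a private directory, and say explicitly that `-nodes` is what makes the key passwordless (the sentence "You can also protect your key with a password" only applies if `-nodes` is dropped); and `-days 365` means the certificate, and therefore its fingerprint, expires after a year, so the text should note that a regenerated certificate has a new fingerprint that must be added to the account and the old one removed. Minor: "most of it can be adopted to freenode" should read "adapted".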
diff --git a/content/kb/using/sasl.md b/content/kb/using/sasl.md index e01dd7769..1985ec91f 100644 --- a/content/kb/using/sasl.md +++ b/content/kb/using/sasl.md @@ -23,3 +23,6 @@ We have instructions on how to configure SASL for some client, below. If asked t * [ZNC ](http://wiki.znc.in/Sasl#example) If you know of any additions or corrections to the lists above, or would like to contribute a script or (better) documentation, contact us on IRC. + +Documentation on how to create certificates and add their fingerprints to NickServ for SASL EXTERNAL +can be found in [the article on NickServ and certificates](kb/using/nickcerts).
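Review bot: in the chat.md hunk, the Tor section tells readers they "might have to disable the verification in your client" because the server certificate does not match the hidden service name; as written this invites turning off certificate verification client-wide, which also strips protection from the reader's clearnet freenode entry and any other SSL servers in the same client. Suggest scoping the advice to the hidden service entry only (the irssi section already says to omit `-ssl_verify` for that entry; say the same here) and offering the safer alternative of checking that the certificate presented by `freenodeok2gncmy.onion` is the same one presented by chat.freenode.net, or pinning its fingerprint, rather than verifying nothing. The onion address itself authenticates the endpoint inside Tor, which is worth one sentence so readers understand what they lose and what they keep. Also, "`ECDSA-NIST256P-CHALLENGE` (more below)" promises material the hunk never adds; either add a pointer to where that mechanism is documented or drop the parenthetical. The link `[this kb article](kb/using/nickcerts)` has no leading slash and will resolve relative to the current page unless the site generator rewrites it; `/kb/using/nickcerts` is safer.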
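Review bot: in the sasl.md hunk, the new link `[the article on NickServ and certificates](kb/using/nickcerts)` is relative without a leading slash, so from a page served at `/kb/using/sasl` a plain markdown renderer resolves it to `/kb/using/kb/using/nickcerts`; use `/kb/using/nickcerts` (or whatever absolute form the other kb links on this site use) and apply the same fix to the matching link in chat.md. It would also help to name the mechanism the reader has to select in the client, `EXTERNAL`, in this sentence, since the client list above only covers PLAIN-style setups.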