identifying to the freenode testnet with certfp
freenode will be upgrading their services very soon. One of the major new features that this upgrade will bring is the ability to identify using ssl certificates. Here's a very quick guide on how to get started.
I used atoponce's guide for oftc when writing this up.
You can connect to freenode using ssl without using certfp to identify.
Generating your own certificate
You will need openssl installed. Check your operating system's documentation for this. Once done, the following commands will create a certificate and set sensible permissions:
    mkdir -p ~/.irssi/certs
    cd ~/.irssi/certs/
    # self-signed certificate with an unencrypted key, valid for 365 days
    openssl req -nodes -newkey rsa:2048 -keyout mynick.key -x509 -days 365 -out mynick.crt
    # irssi wants the certificate and the key in one file
    cat mynick.crt mynick.key > mynick.pem
    chmod 0400 mynick.key mynick.pem
Needless to say, don't give anyone these files!
Connecting with SSL
The testnet is available at irc://testnet.freenode.net:9003 on ssl so make sure you are connecting to that!
After starting irssi, that means something like:
    /network add freenodetest
    /server add -auto -ssl -ssl_cert ~/.irssi/certs/mynick.pem -network freenodetest testnet.freenode.net 9003
    /save
    /connect freenodetest
Or if modifying an existing server config:
    use_ssl = "yes";
    ssl_verify = "no";
    ssl_cert = "~/.irssi/certs/mynick.pem";
Once you launch irssi, you should see that you are given usermode +Z:
13:41:49 -!- Mode change [+Z] for user Pricey
If you /whois yourself, you should also see your certificate fingerprint:
    14:04:43 -!- Pricey [~email@example.com]
    14:04:43 -!-  ircname  : pricechilde
    14:04:43 -!-  server   : barjavel.freenode.net [Paris, FR]
    14:04:43 -!-           : is using a secure connection
    14:04:43 -!-           : has client certificate fingerprint aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbb0000
    14:04:43 -!-  hostname : 18.104.22.168 22.214.171.124
    14:04:43 -!-  idle     : 0 days 0 hours 0 mins 3 secs [signon: Fri Apr 6 14:04:40 2012]
    14:04:43 -!- End of WHOIS
If you don't see the fingerprint line, you need to go back and figure out what you've done wrong.
Giving Services your certificate fingerprint
Finally, we need to tell services about our certificate fingerprint. (If you haven't specified your account password as your server password, sasl'd or had a script take care of it, identify first!)
/msg nickserv cert add aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbb0000
(using the fingerprint from your whois.)
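Before sending that command, you can compute the fingerprint locally and confirm it matches the whois line, and check the certificate's remaining validity and file permissions at the same time. This is an added example, not part of the original guide: the function names are hypothetical, the sample certificate is constructed, and it assumes the network's fingerprint is the SHA-1 digest of the certificate (the 40-hex-digit value in the whois above is consistent with that).

```sh
#!/bin/sh
# Added example: local checks on the certificate created earlier in this guide.
# Assumption: the fingerprint shown in /whois is the certificate's SHA-1 digest.

# Print the SHA-1 fingerprint of certificate file $1 as lowercase hex, no colons.
certfp() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Succeed if fingerprint string $2 (any case, colons allowed) matches file $1.
certfp_matches() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "$(certfp "$1")" = "$want" ]
}

# Succeed if the certificate in $1 is still valid $2 days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if file $1 grants no permissions to group or other.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample input: a throwaway certificate in directory $1, built the
# same way as the guide's, with -subj added so openssl asks no questions.
make_sample_cert() {
    openssl req -nodes -newkey rsa:2048 -keyout "$1/sample.key" -x509 \
        -days 365 -subj "/CN=sample" -out "$1/sample.crt" 2>/dev/null
    cat "$1/sample.crt" "$1/sample.key" > "$1/sample.pem"
    chmod 0400 "$1/sample.key" "$1/sample.pem"
}

# With a file argument, report on that certificate; otherwise only define
# the functions above.
if [ -n "${1:-}" ]; then
    echo "fingerprint: $(certfp "$1")"
    cert_valid_for "$1" 30 || echo "warning: expires within 30 days"
    is_private "$1" || echo "warning: readable by group or other"
fi
```

Run it with ~/.irssi/certs/mynick.pem as the argument. Because the certificate was created with -days 365, the fingerprint registered with services stops being usable once the certificate expires and a new one is generated, so the expiry warning is worth acting on.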
One final thing of note is that the testnet is using a self-signed certificate. You cannot simply use the ssl_capath option to point to your distribution's existing ssl certificates. Irssi will warn you that this is the case and not connect.