identifying to the freenode testnet with certfp

freenode will be upgrading their services very soon. One of the major new features that this upgrade will bring is the ability to identify using ssl certificates. Here's a very quick guide on how to get started.

I used atoponce's guide for oftc when writing this up.

You can connect to freenode using ssl without using certfp to identify.

Generating your own certificate You will need openssl installed. Check your operating systems documentation for this. Once done, the following commands will create a certificate and set sensible permissions:

mkdir -p ~/.irssi/certs
cd .irssi/certs/
openssl req -nodes -newkey rsa:2048 -keyout mynick.key -x509 -days 365 -out mynick.crt
cat mynick.crt mynick.key > mynick.pem
chmod 0400 mynick.key mynick.pem

Needless to say, don't give anyone these files!

Connecting with SSL The testnet is available at irc:// on ssl so make sure you are connecting to that!

After starting irssi, that means something like:

/network add freenodetest
/server add -auto -ssl -ssl_cert ~/.irssi/certs/mynick.pem -network freenodetest 9003
/connect freenodetest

Or if modifying an existing server config:

use_ssl = "yes";
ssl_verify = "no";
ssl_cert = " ~/.irssi/certs/mynick.pem ";

Once you launch irssi, you should see that you are given usermode +Z:

13:41:49 -!- Mode change [+Z] for user Pricey

If you /whois yourself, you should also see your certificate fingerprint:

14:04:43 -!- Pricey [~pricey@]
14:04:43 -!- ircname : pricechilde
14:04:43 -!- server : [Paris, FR]
14:04:43 -!- : is using a secure connection
14:04:43 -!- : has client certificate fingerprint aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbb0000
14:04:43 -!- hostname :
14:04:43 -!- idle : 0 days 0 hours 0 mins 3 secs [signon: Fri Apr 6 14:04:40 2012]
14:04:43 -!- End of WHOIS

If you don't see the fingerprint line, you need to go back and figure out what you've done wrong.

Giving Services your certificate fingerprint Finally, we need to tell services about our certificate fingerprint. (If you haven't specified your account password as your server password, sasl'd or had a script take care of it, identify first!)

/msg nickserv cert add aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbb0000

(using the fingerprint from your whois.)

One final thing of note is that the testnet is using a self signed certificate. You can not simply use the ssl_capath option to point to your distributions existing ssl certificates. Irssi will warn you that this is the case and not connect.