Friday, 6 April 2012

identifying to the freenode testnet with certfp


freenode will be upgrading their services very soon. One of the major new features that this upgrade will bring is the ability to identify using ssl certificates. Here's a very quick guide on how to get started.

I used atoponce's guide for oftc when writing this up.

You can connect to freenode using ssl without using certfp to identify.

Generating your own certificate

You will need openssl installed; check your operating system's documentation for this. Once done, the following commands will create a self-signed certificate and set sensible permissions:
mkdir -p ~/.irssi/certs
cd ~/.irssi/certs/
openssl req -nodes -newkey rsa:2048 -keyout mynick.key -x509 -days 365 -out mynick.crt
cat mynick.crt mynick.key > mynick.pem
chmod 0400 mynick.key mynick.pem

Needless to say, don't give anyone these files!

Connecting with SSL

The testnet is available at irc://testnet.freenode.net:9003 on ssl so make sure you are connecting to that!

After starting irssi, that means something like:
/network add freenodetest
/server add -auto -ssl -ssl_cert ~/.irssi/certs/mynick.pem -network freenodetest testnet.freenode.net 9003
/save
/connect freenodetest

Or if modifying an existing server config:
use_ssl = "yes";
ssl_verify = "no";
ssl_cert = "~/.irssi/certs/mynick.pem";

Once you launch irssi, you should see that you are given usermode +Z:
13:41:49 -!- Mode change [+Z] for user Pricey


If you /whois yourself, you should also see your certificate fingerprint:
14:04:43 -!- Pricey [~pricey@76.10.213.24]
14:04:43 -!- ircname : pricechilde
14:04:43 -!- server : barjavel.freenode.net [Paris, FR]
14:04:43 -!- : is using a secure connection
14:04:43 -!- : has client certificate fingerprint aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbb0000
14:04:43 -!- hostname : 76.10.213.24 76.10.213.24
14:04:43 -!- idle : 0 days 0 hours 0 mins 3 secs [signon: Fri Apr 6 14:04:40 2012]
14:04:43 -!- End of WHOIS

If you don't see the fingerprint line, you need to go back and figure out what you've done wrong.

Giving Services your certificate fingerprint

Finally, we need to tell services about our certificate fingerprint. (If you haven't already identified by giving your account password as the server password, via SASL, or with a script, identify first!)
/msg nickserv cert add aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbb0000
(using the fingerprint from your whois.)
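The fingerprint you paste into "cert add" should be checked against your own certificate rather than copied blindly from the whois output. The following script is an added example, not part of the original post: it generates the same key/cert/pem files as above into a directory of your choice (non-interactively, with a fixed CN, unlike the interactive openssl command in the post), computes the fingerprint locally, and compares it with the one the server reports. It assumes, as the 40-character fingerprint in the whois output suggests, that services use the SHA-1 digest of the DER-encoded certificate in lowercase hex; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not the post's own commands): create a certfp certificate
# and verify the fingerprint the server reports against the local file.
# Assumption: the fingerprint is the SHA-1 digest of the DER certificate,
# written as 40 lowercase hex characters, as in the post's whois output.

# make_certfp_cert DIR NAME: key, self-signed cert and combined pem in DIR,
# all created readable only by the owner.
make_certfp_cert() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    umask 077   # new files are owner-only from the moment they are written
    # -subj avoids the interactive prompts so the function runs unattended
    openssl req -nodes -newkey rsa:2048 -keyout "$dir/$name.key" \
        -x509 -days 365 -subj "/CN=$name" -out "$dir/$name.crt" 2>/dev/null
    cat "$dir/$name.crt" "$dir/$name.key" > "$dir/$name.pem"
    chmod 0400 "$dir/$name.key" "$dir/$name.pem"
}

# certfp_fingerprint CERT: print the fingerprint in the form services expect
# (colons removed, lowercase), e.g. aaaaaaaa...0000
certfp_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# check_fingerprint CERT FP: succeed only if FP (as pasted from /whois,
# any case) matches the local certificate. Run this before "cert add".
check_fingerprint() {
    local_fp=$(certfp_fingerprint "$1")
    whois_fp=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$local_fp" = "$whois_fp" ]
}

# Usage (uncomment to run against the paths used in the post):
# make_certfp_cert ~/.irssi/certs mynick
# certfp_fingerprint ~/.irssi/certs/mynick.crt
# check_fingerprint ~/.irssi/certs/mynick.crt <fingerprint from /whois>
```

A mismatch between the local fingerprint and the one in your whois means irssi is not presenting the certificate you think it is (wrong ssl_cert path, a stale pem, or a different network entry), and that is the moment to stop rather than register the unknown fingerprint with NickServ.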

One final thing of note is that the testnet is using a self-signed certificate. You cannot simply point the ssl_capath option at your distribution's existing CA certificates: irssi will warn you that the certificate does not verify and will not connect.

2 comments:

  1. since the server is self-signed at the moment, leave off the -ssl_verify on the line where you add the server and these instructions will work just fine.

    1. Whoops, took that out of the config options but forgot about the in-irssi one apparently. Thanks.
