CertFP

From Rizon Wiki
Jump to: navigation, search

Introduction

This page describes how to connect, and identify yourself to services securely via a certificate fingerprint.

A major advantage of using a CertFP to authenticate is that you don't have to use /msg NickServ IDENTIFY anymore.

By using SSL you are also encrypting the connection between you and the server.

Creating the certificate

OpenSSL

We will be using OpenSSL to create the certificate. If you haven't already, please install OpenSSL using these instructions:

Windows Linux
Go here: http://www.slproweb.com/products/Win32OpenSSL.html. During the time this tutourial was written, windows 7 and "Visual C++ 2008 Redistributables", along with "Win32 OpenSSL v0.9.8l Light", were used. Please note that you should select "The Windows system directory" when it asks you where to copy the dll files to, or it may not work. Most distributions come with OpenSSL or have the OpenSSL package in their repositories. If they don't, please go to http://www.openssl.org/ and install it.


Generating a .pem

To generate the required .pem file, you will need to create a key and a certificate first:

Windows Linux
  • Go to Start -> run and type in CMD. This will bring up a prompt.
  • Type in cd C:\OpenSSL\bin and hit enter.
  • Type OpenSSL and hit enter.
  • You should now see a prompt that looks like OpenSSL>
  • Type in req -nodes -newkey rsa:2048 -keyout Rizon.key -x509 -days 365 -out Rizon.cer and hit enter.
openssl req -nodes -newkey rsa:2048 -keyout Rizon.key -x509 -days 365 -out Rizon.cer


Assuming your commands were entered successfully, you will be asked some questions. Fill them in similarly to what is shown below:

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Texas]:Michigan
Locality Name (eg, city) [San Antonio]:Grand Rapids
Organization Name (eg, company) [Stealth3]: Rizon
Organizational Unit Name (eg, section) [ISP]: IRC
Common Name (eg, YOUR name) []:Rebel_n00b
Email Address []:rebel@rizon.net


This will create two files, which you will need to combine together:

Windows Linux
  • Hit Ctrl+C to exit out of the OpenSSL program.
  • Type copy Rizon.cer+Rizon.key Rizon.pem and hit enter.
cat Rizon.cer Rizon.key > Rizon.pem

Configuring your client

This section varies highly from client to client.

KVIrc

Move the Rizon.pem file to a safe place.

  • Go to "Settings -> Configure KVIrc"
  • Go to "Connection -> Advanced"
  • On the Tab "SSL" check "Use SSL certificate" and "Use SSL private key' and point both to the Rizon.pem file you created.
  • Change your connection settings and enable the SSL option.

mIRC

Move the Rizon.pem file to a safe place. Make sure you can connect using ssl. If not, then go here http://www.mirc.com/ssl.html

  • Go to "Main Options Menu -> Connect -> Options"
  • Click on the SSL button, if there isn't one, then you didn't install ssl properly.
  • Click on the empty box below "Private Key File", navigate to where you placed your Rizon.pem and select it.
  • Do the same for "Certificate Chain File"

XChat

XChat uses the pem file that corresponds with the name of the network under "Network list". If irc.rizon.net is named under Rizon, then all you have to do is move the Rizon.pem file to ~/.xchat2/Rizon.pem or C:\Users\xxx\AppData\Roaming\X-Chat 2. If it's not named "Rizon", then you will have to either rename the .pem file, or rename the network that irc.rizon.net is listed under, so they match each other. Once you are done with that:

  • Go to Xchat menu and select "Network List"
  • Find Rizon and select "edit".
  • Select the box "Use SSL for all the servers on this network".
  • Click "Close" and then click "Connect".

HexChat

HexChat uses the pem file that corresponds with the name of the network under "Network list". If irc.rizon.net is named under Rizon, then all you have to do is move the Rizon.pem file to ~/.config/hexchat/certs/Rizon.pem or C:\Users\xxx\AppData\Roaming\hexchat\certs. If it's not named "Rizon.pem", then you will have to either rename the .pem file, or rename the network that irc.rizon.net is listed under, so they match each other. Once you are done with that:

  • Go to HexChat menu and select "Network List"
  • Find Rizon and select "edit".
  • Select the box "Use SSL for all the servers on this network".
  • Click "Close" and then click "Connect".

HexChat Documentation

WeeChat

  • quit weechat
  • move Rizon.pem to ~/.weechat/ssl/Rizon.pem
  • open ~/.weechat/irc.conf
  • make the following options look like this:
# changing the port to 6697 or 9999 is what matters
rizon.addresses = "irc.rizon.net/6697"
rizon.ssl = on
rizon.ssl_cert = "%h/ssl/Rizon.pem"
# 2048 is the default anyway... *shrugs*
rizon.ssl_dhkey_size = 2048

irssi

  • Move the cert to ~/.irssi/certs/Rizon.pem
  • Use the command /server add -ssl -ssl_cert ~/.irssi/certs/Rizon.pem -network Rizon irc.rizon.net 6697

ZNC

  • Copy and Paste the contents of the *.pem file into the *certauth web interface at http<s>://<url>:<port>/mods/network/<rizon net name>/cert/

or

  • If you are using cert as a user module, move your certificate to ~/.znc/users/<user>/moddata/cert/user.pem
  • If you are using cert as a network module, move your certificate to ~/.znc/users/<user>/networks/<rizon net name>/moddata/cert/user.pem

Quassel

  • Go to quassel and click 'Settings' -> 'Configure Quassel' (or press F7).
  • Click 'Identities' in the left-hand sidebar and choose the identity you wish to associate your certificate with.
  • In the 'Advanced' tab, under the 'Use SSL Certificate' section, load the Rizon.pem file you created.

You can check to make sure this is setup correctly by typing /msg *cert info. If you get back "You have a certificate in: <path>" then you're done. You can now use /msg *status connect to reconnect using cert.

When you connect to Rizon, you should see something like:

* *** Connected securely via SSLv3 AES256-SHA-256
* *** Your client certificate fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
* Welcome to the Rizon Internet Relay Chat Network Rebel_n00b

If you see that, that means you have configured everything correctly.

Add the certificate fingerprint to NickServ

First, identify yourself through services with /msg NickServ IDENTIFY password.

Next, just copy and paste this line /msg NickServ ACCESS ADD FINGERPRINT

Disable whatever auto-authentication you had with NickServ before you saw this tutorial, and reconnect. If it worked you will be identified by services automatically via the fingerprint.

If you have any questions, feel free to join #ssl or #help and ask.