Difference between revisions of "CertFP"

From Rizon Wiki
(WeeChat: We've had a valid cert for ages)
m (Replaced SSL flags with TLS in Irssi, PR, and cosmetics.)
 
(12 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
==Introduction==
 
==Introduction==
  
This page describes how to connect, and identify yourself to services securely via a certificate fingerprint.
+
This page describes how to connect, and identify yourself to services securely via a client certificate fingerprint; a.k.a., CertFP.
  
A major advantage of using a CertFP to authenticate is that you don't have to use <code>/msg NickServ IDENTIFY</code> anymore.
+
A major advantage of using a client CertFP to authenticate is that you don't have to use <code>/msg NickServ IDENTIFY</code> any more.
 +
 
 +
By using [[TLS|SSL/TLS]], you are also encrypting the connection between you and the server.
  
By using SSL you are also encrypting the connection between you and the server.
 
  
 
==Creating the certificate==
 
==Creating the certificate==
Line 11: Line 12:
  
 
===OpenSSL===
 
===OpenSSL===
We will be using OpenSSL to create the certificate. If you haven't already, please install OpenSSL using these instructions:
+
We will be using OpenSSL to create the client certificate. If you haven't already, please install OpenSSL using these instructions:
  
 
{| class="wikitable"
 
{| class="wikitable"
Line 18: Line 19:
 
! width="49%" | Linux
 
! width="49%" | Linux
 
|- valign="top"
 
|- valign="top"
| Go here: http://www.slproweb.com/products/Win32OpenSSL.html. During the time this tutourial was written, windows 7 and "[http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF Visual C++ 2008 Redistributables]", along with "[http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8l.exe Win32 OpenSSL v0.9.8l Light]", were used. Please note that you should select "The Windows system directory" when it asks you where to copy the dll files to, or it may not work.
+
|
| Most distributions come with OpenSSL or have the OpenSSL package in their repositories. If they don't, please go to http://www.openssl.org/ and install it.
+
; ''Notes:''
 +
* ''At the time of writing this tutorial, Windows 8.1 and 10 with Win64 OpenSSL v1.1.1g Light were used.''
 +
* ''In case of 32-bit files; replace every occurrence of Win64 with Win32.''
 +
<br />
 +
Download and install the latest version of '''[https://slproweb.com/products/Win32OpenSSL.html Win64 OpenSSL v1.1.1 Light]'''.
 +
 
 +
* The default installation folder should be fine.
 +
* For this exercise, '''Copy OpenSSL DLLs to: The OpenSSL binaries (/bin) directory''' is good enough. Select otherwise if you'd like for these encryption libraries to be available to other software; e.g., some IRC clients.
 +
| Most distributions come with OpenSSL or have the OpenSSL package in their repositories. If they don't, please go to https://www.openssl.org/ and install it.
 
|}
 
|}
 +
  
  
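Review bot: The added Windows text says "the latest version" while the link text pins "Win64 OpenSSL v1.1.1 Light", so the link label goes stale with the next release; drop the version from the link text and keep it only in the "At the time of writing" note, which already records v1.1.1g. The second note ("replace every occurrence of Win64 with Win32") is referenced later from the mIRC steps as "the second Notes bullet point", so its position in the list should be kept stable or the reference reworded.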
Line 32: Line 42:
 
|- valign="top"
 
|- valign="top"
 
|
 
|
* Go to Start -> run and type in <code>CMD</code>. This will bring up a prompt.
+
# Start menu → OpenSSL → Win64 OpenSSL Command Prompt
* Type in <code>cd C:\OpenSSL\bin</code> and hit enter.
+
# Type in <code>openssl</code> and&nbsp;press {{Key Enter}} . The&nbsp;prompt should change now into <code>OpenSSL></code>
* Type <code>OpenSSL</code> and hit enter.
+
# Type in <code>req -nodes -newkey rsa:4096 -keyout Rizon.key -x509 -days 365 -out Rizon.cer</code> and&nbsp;press {{Key Enter}}
* You should now see a prompt that looks like <code>OpenSSL></code>
+
|<code>openssl req -nodes -newkey rsa:4096 -keyout Rizon.key -x509 -days 365 -out Rizon.cer</code>
* Type in <code>req -nodes -newkey rsa:2048 -keyout Rizon.key -x509 -days 365 -out Rizon.cer</code> and hit enter.
 
|<code>openssl req -nodes -newkey rsa:2048 -keyout Rizon.key -x509 -days 365 -out Rizon.cer</code>
 
 
|}
 
|}
  
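Review bot: In the changed req line the key size goes from rsa:2048 to rsa:4096 but -nodes stays, so Rizon.key is still written without a passphrase and nothing in this step tells the reader so; add a sentence saying the key file is unencrypted and should be readable only by its owner. The old "cd C:\OpenSSL\bin" step is removed with no replacement, so also state which directory Rizon.key and Rizon.cer are written to, because the later copy step assumes the reader is still in it.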
Line 54: Line 62:
  
  
This will create two files, which you will need to combine together:
+
By now, two files have been generated; which you will need to combine together as follows:
  
 
{| class="wikitable"
 
{| class="wikitable"
Line 61: Line 69:
 
! width="49%" | Linux
 
! width="49%" | Linux
 
|- valign="top"
 
|- valign="top"
|
+
| <ol>
* Hit Ctrl+C to exit out of the OpenSSL program.
+
  <li value="4">Type <code>exit</code> to exit out of the OpenSSL program.</li>
* Type <code>copy Rizon.cer+Rizon.key Rizon.pem</code> and hit enter.
+
  <li>Type <code>copy Rizon.cer+Rizon.key Rizon.pem</code> and&nbsp;press {{Key Enter}}</li>
 +
</ol>
 
|<code>cat Rizon.cer Rizon.key > Rizon.pem</code>
 
|<code>cat Rizon.cer Rizon.key > Rizon.pem</code>
 
|}
 
|}
 +
  
 
==Configuring your client==
 
==Configuring your client==
  
This section varies highly from client to client.
+
These guidelines vary highly from client to client.
  
 
===KVIrc===
 
===KVIrc===
  
Move the Rizon.pem file to a safe place.
+
Move the '''<big><kbd>Rizon.pem</kbd></big>''' file to a safe place.
* Go to "Settings -> Configure KVIrc"
+
* Go to '''Settings''' → '''Configure KVIrc'''
* Go to "Connection -> Advanced"
+
* Go to '''Connection''' → '''Advanced'''
* On the Tab "SSL" check "Use SSL certificate" and "Use SSL private key' and point both to the Rizon.pem file you created.
+
* On the tab '''SSL''' check '''Use SSL certificate''' and '''Use SSL private key''' and point both to&nbsp;the&nbsp;'''<big><kbd>Rizon.pem</kbd></big>''' file you created.
 
* Change your connection settings and enable the SSL option.
 
* Change your connection settings and enable the SSL option.
 +
* [[CertFP#Add the certificate fingerprint to NickServ|Add your client certificate fingerprint to NickServ]].
  
 
===mIRC===
 
===mIRC===
  
Move the Rizon.pem file to a safe place. Make sure you can connect using ssl. If not, then go here http://www.mirc.com/ssl.html
+
Move the '''<big><kbd>Rizon.pem</kbd></big>''' file to a safe place. Make sure SSL is enabled in your mIRC by typing <code>//echo -a $sslready</code> which should return '''<big><kbd>$true</kbd></big>'''. If not, then go here https://www.mirc.com/ssl.html
* Go to "Main Options Menu -> Connect -> Options"
+
* Go to '''Tools''' → '''Options''' → '''Connect''' → '''Options'''
* Click on the SSL button, if there isn't one, then you didn't install ssl properly.
+
* Press the {{Button|text=SSL...}} button.
* Click on the empty box below "Private Key File", navigate to where you placed your Rizon.pem and select it.
+
*: If there isn't one, then upgrade your mIRC to [https://www.mirc.co.uk/ the latest version]. Otherwise, follow the [[CertFP#Creating the certificate|OpenSSL installation steps]] properly, noting the second Notes bullet point.
* Do the same for "Certificate Chain File"
+
* Click on the empty box below '''Private key file:''', navigate to where you placed your '''<big><kbd>Rizon.pem</kbd></big>''' and select it.
 +
* Do the same for '''Certificate chain file:'''
 +
* Press {{Button|OK}} , (re)connect, and [[CertFP#Add the certificate fingerprint to NickServ|add your client certificate fingerprint to NickServ]].
 +
* Finally, to check whether you are connected with SSL, <code>//echo -a $ssl</code> should return '''<big><kbd>$true</kbd></big>'''.
  
 
===XChat===
 
===XChat===
  
XChat uses the pem file that corresponds with the name of the network under "Network list". If irc.rizon.net is named under Rizon, then all you have to do is move the Rizon.pem file to <code>~/.xchat2/Rizon.pem</code> or <code>C:\Users\xxx\AppData\Roaming\X-Chat 2</code>. If it's not named "Rizon", then you will have to either rename the .pem file, or rename the network that irc.rizon.net is listed under, so they match each other. Once you are done with that:
+
XChat uses the '''<big><kbd>.pem</kbd></big>''' file that corresponds with the name of the network under '''Network list'''. If <big><kbd>irc.rizon.net</kbd></big> is named under '''Rizon''', then all you have to do is move the&nbsp;'''<big><kbd>Rizon.pem</kbd></big>''' file to&nbsp;<code>~/.xchat2/Rizon.pem</code> for Linux/UNIX users, or &nbsp;<code>C:\Users\xxx\AppData\Roaming\X-Chat&nbsp;2</code> for Windows users. If it's not named '''Rizon''', then you will have to either rename the '''<big><kbd>.pem</kbd></big>''' file, or rename the network that <big><kbd>irc.rizon.net</kbd></big> is listed under, so they match each other. Once you are done with that:
* Go to Xchat menu and select "Network List"
+
* Go to '''XChat''' → '''Network List'''
* Find Rizon and select "edit".
+
* In the '''Networks''' list, find '''Rizon''' and press {{Button|Edit...}}
* Select the boxes "Use SSL for all the servers on this network" and "Accept invalid SSL certificate".
+
* Select the box '''Use SSL for all the servers on this network'''.
* Click "Close" and then click "Connect".
+
* Press {{Button|Close}} and then press {{Button|Connect}}
 +
* [[CertFP#Add the certificate fingerprint to NickServ|Add your client certificate fingerprint to NickServ]].
  
 
===HexChat===
 
===HexChat===
  
HexChat uses the pem file that corresponds with the name of the network under "Network list". If irc.rizon.net is named under Rizon, then all you have to do is move the Rizon.pem file to <code>~/.config/hexchat/certs/Rizon.pem</code> or <code>C:\Users\xxx\AppData\Roaming\hexchat\certs</code>. If it's not named "Rizon.pem", then you will have to either rename the .pem file, or rename the network that irc.rizon.net is listed under, so they match each other. Once you are done with that:
+
HexChat uses the '''<big><kbd>.pem</kbd></big>''' file that corresponds with the name of the network under '''Network list'''. If <big><kbd>irc.rizon.net</kbd></big> is named under '''Rizon''', then all you have to do is move the&nbsp; '''<big><kbd>Rizon.pem</kbd></big>''' file to <code>~/.config/hexchat/certs/Rizon.pem</code> for Linux users, or &nbsp;<code>C:\Users\xxx\AppData\Roaming\hexchat\certs</code> for Windows users. If it's not named '''Rizon''', then you will have to either rename the&nbsp;'''<big><kbd>.pem</kbd></big>''' file, or rename the network that <big><kbd>irc.rizon.net</kbd></big> is listed under, so they match each other. Once you are done with that:
* Go to HexChat menu and select "Network List"
+
* Go to '''HexChat''' → '''Network List'''
* Find Rizon and select "edit".
+
* In the '''Networks''' list, find '''Rizon''' and press {{Button|Edit...}}
* Select the boxes "Use SSL for all the servers on this network" and "Accept invalid SSL certificate".
+
* Select the box '''Use SSL for all the servers on this network'''.
* Click "Close" and then click "Connect".
+
* Press {{Button|Close}} and then press {{Button|Connect}}
 +
* [[CertFP#Add the certificate fingerprint to NickServ|Add your client certificate fingerprint to NickServ]].
 
[https://hexchat.readthedocs.org/en/latest/tips.html#client-certificates HexChat Documentation]
 
[https://hexchat.readthedocs.org/en/latest/tips.html#client-certificates HexChat Documentation]
  
 
===WeeChat===
 
===WeeChat===
* quit weechat
+
* Quit WeeChat
* move Rizon.pem to <code>~/.weechat/ssl/Rizon.pem</code>
+
* Move '''<big><kbd>Rizon.pem</kbd></big>''' to <code>~/.weechat/ssl/Rizon.pem</code>
* open <code>~/.weechat/irc.conf</code>
+
* Open <code>~/.weechat/irc.conf</code>
* make the following options look like this:
+
* Make the following options look like this:
 
<pre># changing the port to 6697 or 9999 is what matters
 
<pre># changing the port to 6697 or 9999 is what matters
 
rizon.addresses = "irc.rizon.net/6697"
 
rizon.addresses = "irc.rizon.net/6697"
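Review bot: "Move the Rizon.pem file to a safe place" is restyled in the KVIrc and mIRC sections but still does not say what safe means, and after the copy/cat step at the top of this hunk Rizon.pem holds the private key alongside the certificate while Rizon.key is left behind; say that the .pem should be readable only by the user and that the leftover Rizon.key should be deleted or protected the same way. Removing "Accept invalid SSL certificate" from the XChat and HexChat steps is the right call. The mIRC lines now link both https://www.mirc.com/ssl.html and https://www.mirc.co.uk/; pick one domain.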
Line 114: Line 130:
 
rizon.ssl_cert = "%h/ssl/Rizon.pem"
 
rizon.ssl_cert = "%h/ssl/Rizon.pem"
 
# 2048 is the default anyway... *shrugs*
 
# 2048 is the default anyway... *shrugs*
rizon.ssl_dhkey_size = 2048
+
rizon.ssl_dhkey_size = 2048</pre>
 +
* [[CertFP#Add the certificate fingerprint to NickServ|Add your client certificate fingerprint to NickServ]].
  
===irssi===
+
===Irssi===
* Move the cert to <code>~/.irssi/certs/Rizon.pem</code>
+
* On your shell: move the cert to <code>~/.irssi/certs/Rizon.pem</code>
* Use the command <code>/server add -ssl -ssl_cert ~/.irssi/certs/Rizon.pem -network Rizon irc.rizon.net 6697</code>
+
* In Irssi: use this command <code>/SERVER ADD -tls -tls_cert ~/.irssi/certs/Rizon.pem -network Rizon irc.rizon.net 6697</code>
 +
* [[CertFP#Add the certificate fingerprint to NickServ|Add your client certificate fingerprint to NickServ]].
  
 
===ZNC===
 
===ZNC===
* ensure the [http://wiki.znc.in/Cert Cert module] is loaded ([http://wiki.znc.in/Cert cert] not [http://wiki.znc.in/Certauth certauth]).
+
* Ensure the [https://wiki.znc.in/Cert Cert module] is loaded ([https://wiki.znc.in/Cert cert] '''not''' [https://wiki.znc.in/Certauth certauth]).
* To add your certificate/pem file
+
* To add your certificate/pem file, either:
  * Copy and Paste the contents of the *.pem file into the *certauth web interface
+
** Copy and paste the contents of the <big><kbd>*.pem</kbd></big> file into the *certauth web interface at
      at http<nowiki><s></nowiki>://<url>:<port>/mods/network/<rizon net name>/cert/
+
**: '''<kbd>http<nowiki><s></nowiki>://<url>:<port>/mods/network/<rizon net name>/cert/</kbd>'''
  or
+
*: or
  * If you are using [http://wiki.znc.in/Cert cert] as a '''user''' module, move your certificate to <code>~/.znc/users/<user>/moddata/cert/user.pem</code>
+
** If you are using [https://wiki.znc.in/Cert cert] as a '''user''' module, move your certificate to <code>~/.znc/users/<user>/moddata/cert/user.pem</code>
  * If you are using [http://wiki.znc.in/Cert cert] as a '''network''' module, move your certificate to <code>~/.znc/users/<user>/networks/<rizon net name>/moddata/cert/user.pem</code>
+
** If you are using [https://wiki.znc.in/Cert cert] as a '''network''' module, move your certificate to <code>~/.znc/users/<user>/networks/<rizon net name>/moddata/cert/user.pem</code>
 +
* [[CertFP#Add the certificate fingerprint to NickServ|Add your client certificate fingerprint to NickServ]].
  
 
===Quassel===
 
===Quassel===
* Go to quassel and click 'Settings' -> 'Configure Quassel' (or press F7).
+
* Go to Quassel and click '''Settings''' → '''Configure Quassel''' (or press {{Key Txt|F7}}).
* Click 'Identities' in the left-hand sidebar and choose the identity you wish to associate your certificate with.
+
* Click '''Identities''' in the left-hand sidebar, and choose the identity you wish to associate your certificate with.
* In the 'Advanced' tab, under the 'Use SSL Certificate' section, load the Rizon.pem file you created.
+
* In the '''Advanced''' tab, under the '''Use SSL Certificate''' section, load the '''<big><kbd>Rizon.pem</kbd></big>''' file you created.
  
You can check to make sure this is setup correctly by typing <code>/msg *cert info</code>. If you get back "You have a certificate in: <code><path></code>" then you're done. You can now use <code>/msg *status connect</code> to reconnect using cert.
+
You can check to make sure this is setup correctly by typing <code>/msg *cert info</code>. If you get back '''You have a certificate in:''' <code><path></code> then you're done. You can now use <code>/msg *status connect</code> to reconnect using cert.
  
When you connect to Rizon, you should see something like:
+
If you have configured everything correctly, you should see the following when you connect to Rizon:
<pre>* *** Connected securely via SSLv3 AES256-SHA-256
+
*** Connected securely via TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384-256
* *** Your client certificate fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
*** Your client certificate fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
* Welcome to the Rizon Internet Relay Chat Network Rebel_n00b</pre>
+
Welcome to the Rizon Internet Relay Chat Network Rebel_n00b
 +
* [[CertFP#Add the certificate fingerprint to NickServ|Add your client certificate fingerprint to NickServ]].
  
If you see that, that means you have configured everything correctly.
 
  
 
==Add the certificate fingerprint to NickServ==
 
==Add the certificate fingerprint to NickServ==
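Review bot: The paragraph about /msg *cert info and /msg *status connect is only restyled here and stays under ===Quassel===, but *cert and *status are ZNC module queries, so it belongs at the end of the ===ZNC=== list. In the ZNC list the changed bullet still says "*certauth web interface" although the first bullet says cert '''not''' certauth and the URL ends in /cert/; that should read cert. The new connection sample loses the opening <pre> and closing </pre> that the old lines carried, so confirm the three lines still render as a preformatted block.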
Line 149: Line 168:
 
Next, just copy and paste this line <code>/msg NickServ ACCESS ADD FINGERPRINT</code>
 
Next, just copy and paste this line <code>/msg NickServ ACCESS ADD FINGERPRINT</code>
  
Disable whatever auto-authentication you had with NickServ before you saw this tutorial, and reconnect. If it worked you will be identified by services automatically via the fingerprint.
+
Disable whatever auto-authentication you had with NickServ before you saw this tutorial, and reconnect. If it worked, you will be identified by services automatically via the fingerprint.
  
 
If you have any questions, feel free to join #ssl or #help and ask.
 
If you have any questions, feel free to join #ssl or #help and ask.

Latest revision as of 17:44, 27 September 2020

Introduction

This page describes how to connect, and identify yourself to services securely via a client certificate fingerprint; a.k.a., CertFP.

A major advantage of using a client CertFP to authenticate is that you don't have to use /msg NickServ IDENTIFY any more.

By using SSL/TLS, you are also encrypting the connection between you and the server.


Creating the certificate

OpenSSL

We will be using OpenSSL to create the client certificate. If you haven't already, please install OpenSSL using these instructions:

Windows:

Notes:
  • At the time of writing this tutorial, Windows 8.1 and 10 with Win64 OpenSSL v1.1.1g Light were used.
  • In case of 32-bit files; replace every occurrence of Win64 with Win32.

Download and install the latest version of Win64 OpenSSL v1.1.1 Light (https://slproweb.com/products/Win32OpenSSL.html).

  • The default installation folder should be fine.
  • For this exercise, Copy OpenSSL DLLs to: The OpenSSL binaries (/bin) directory is good enough. Select otherwise if you'd like for these encryption libraries to be available to other software; e.g., some IRC clients.

Linux:

Most distributions come with OpenSSL or have the OpenSSL package in their repositories. If they don't, please go to https://www.openssl.org/ and install it.


Generating a .pem

To generate the required .pem file, you will need to create a key and a certificate first:

Windows:
  1. Start menu → OpenSSL → Win64 OpenSSL Command Prompt
  2. Type in openssl and press Enter. The prompt should now change into OpenSSL>
  3. Type in req -nodes -newkey rsa:4096 -keyout Rizon.key -x509 -days 365 -out Rizon.cer and press Enter

Linux:
openssl req -nodes -newkey rsa:4096 -keyout Rizon.key -x509 -days 365 -out Rizon.cer


Assuming your commands were entered successfully, you will be asked some questions. Fill them in similarly to what is shown below:

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Texas]:Michigan
Locality Name (eg, city) [San Antonio]:Grand Rapids
Organization Name (eg, company) [Stealth3]: Rizon
Organizational Unit Name (eg, section) [ISP]: IRC
Common Name (eg, YOUR name) []:Rebel_n00b
Email Address []:rebel@rizon.net


By now, two files have been generated, which you will need to combine as follows:

Windows:
  4. Type exit to exit out of the OpenSSL program.
  5. Type copy Rizon.cer+Rizon.key Rizon.pem and press Enter

Linux:
cat Rizon.cer Rizon.key > Rizon.pem
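
A check you could run on the combined file before pointing a client at it, as an added example that is not part of the original wiki page: it confirms the file holds one certificate and one private key, flags a file that group or others can access, and computes the certificate fingerprint. The sample file is built from constructed placeholder bytes rather than a real certificate, and since the page does not say which digest the server reports, both SHA-1 and SHA-256 are computed.

```python
import base64
import hashlib
import os
import re
import stat
import tempfile

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed placeholder bytes standing in for a DER certificate; not a real cert.
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"


def inspect_pem(path):
    """Report what a combined certificate+key PEM file contains and who can read it."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report = {
        "has_cert": len(certs) == 1,
        "has_key": len(keys) == 1,
        # -nodes writes the key unencrypted; an encrypted key says so in its
        # label (PKCS#8) or in a Proc-Type header (traditional format).
        "key_encrypted": any(label.startswith("ENCRYPTED")
                             or "Proc-Type: 4,ENCRYPTED" in body
                             for label, body in keys),
        # POSIX permission bits; not meaningful on Windows.
        "others_can_access": bool(mode & 0o077),
        "fingerprints": {},
    }
    if certs:
        der = base64.b64decode("".join(certs[0].split()))
        # A certificate fingerprint is a digest of the DER encoding.
        for algo in ("sha1", "sha256"):
            report["fingerprints"][algo] = hashlib.new(algo, der).hexdigest()
    return report


def write_sample_pem(path):
    """Write a constructed cert+key file shaped like the output of the cat step."""
    def block(label, data):
        b64 = base64.encodebytes(data).decode("ascii")
        return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"
    with open(path, "w", encoding="ascii") as fh:
        fh.write(block("CERTIFICATE", FAKE_CERT_DER))
        fh.write(block("PRIVATE KEY", b"constructed placeholder key bytes"))
    os.chmod(path, 0o644)  # what a common default umask leaves behind


def demo():
    """Inspect the sample before and after tightening its permissions."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Rizon.pem")
        write_sample_pem(path)
        before = inspect_pem(path)
        os.chmod(path, 0o600)  # owner read/write only
        after = inspect_pem(path)
    return before, after


if __name__ == "__main__":
    for name, report in zip(("before", "after"), demo()):
        print(name, report)
```

Call inspect_pem() on your own Rizon.pem and compare the hex digest with the fingerprint the server prints when you connect.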


Configuring your client

These guidelines vary highly from client to client.

KVIrc

Move the Rizon.pem file to a safe place.

  • Go to Settings → Configure KVIrc
  • Go to Connection → Advanced
  • On the tab SSL check Use SSL certificate and Use SSL private key and point both to the Rizon.pem file you created.
  • Change your connection settings and enable the SSL option.
  • Add your client certificate fingerprint to NickServ.

mIRC

Move the Rizon.pem file to a safe place. Make sure SSL is enabled in your mIRC by typing //echo -a $sslready which should return $true. If not, then go here https://www.mirc.com/ssl.html

  • Go to Tools → Options → Connect → Options
  • Press the SSL... button.
    If there isn't one, then upgrade your mIRC to the latest version. Otherwise, follow the OpenSSL installation steps properly, noting the second Notes bullet point.
  • Click on the empty box below Private key file:, navigate to where you placed your Rizon.pem and select it.
  • Do the same for Certificate chain file:
  • Press OK, (re)connect, and add your client certificate fingerprint to NickServ.
  • Finally, to check whether you are connected with SSL, //echo -a $ssl should return $true.

XChat

XChat uses the .pem file that corresponds with the name of the network under Network list. If irc.rizon.net is named under Rizon, then all you have to do is move the Rizon.pem file to ~/.xchat2/Rizon.pem for Linux/UNIX users, or C:\Users\xxx\AppData\Roaming\X-Chat 2 for Windows users. If it's not named Rizon, then you will have to either rename the .pem file, or rename the network that irc.rizon.net is listed under, so they match each other. Once you are done with that:

  • Go to XChat → Network List
  • In the Networks list, find Rizon and press Edit...
  • Select the box Use SSL for all the servers on this network.
  • Press Close and then press Connect
  • Add your client certificate fingerprint to NickServ.

HexChat

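HexChat uses the .pem file that corresponds with the name of the network under Network list. If irc.rizon.net is named under Rizon, then all you have to do is move the Rizon.pem file to ~/.config/hexchat/certs/Rizon.pem for Linux users, or C:\Users\xxx\AppData\Roaming\hexchat\certs for Windows users. If it's not named Rizon, then you will have to either rename the .pem file, or rename the network that irc.rizon.net is listed under, so they match each other. Once you are done with that:

  • Go to HexChat → Network List
  • In the Networks list, find Rizon and press Edit...
  • Select the box Use SSL for all the servers on this network.
  • Press Close and then press Connect
  • Add your client certificate fingerprint to NickServ.

HexChat Documentation: https://hexchat.readthedocs.org/en/latest/tips.html#client-certificates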

WeeChat

  • Quit WeeChat
  • Move Rizon.pem to ~/.weechat/ssl/Rizon.pem
  • Open ~/.weechat/irc.conf
  • Make the following options look like this:
# changing the port to 6697 or 9999 is what matters
rizon.addresses = "irc.rizon.net/6697"
rizon.ssl = on
rizon.ssl_cert = "%h/ssl/Rizon.pem"
# 2048 is the default anyway... *shrugs*
rizon.ssl_dhkey_size = 2048

  • Add your client certificate fingerprint to NickServ.

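Irssi

  • On your shell: move the cert to ~/.irssi/certs/Rizon.pem
  • In Irssi: use this command /SERVER ADD -tls -tls_cert ~/.irssi/certs/Rizon.pem -network Rizon irc.rizon.net 6697
  • Add your client certificate fingerprint to NickServ.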

ZNC

  • Ensure the Cert module is loaded (cert not certauth).
  • To add your certificate/pem file, either:
    • Copy and paste the contents of the *.pem file into the *certauth web interface at
      http<s>://<url>:<port>/mods/network/<rizon net name>/cert/
    or
    • If you are using cert as a user module, move your certificate to ~/.znc/users/<user>/moddata/cert/user.pem
    • If you are using cert as a network module, move your certificate to ~/.znc/users/<user>/networks/<rizon net name>/moddata/cert/user.pem
  • Add your client certificate fingerprint to NickServ.

Quassel

  • Go to Quassel and click Settings → Configure Quassel (or press F7).
  • Click Identities in the left-hand sidebar, and choose the identity you wish to associate your certificate with.
  • In the Advanced tab, under the Use SSL Certificate section, load the Rizon.pem file you created.

You can check to make sure this is set up correctly by typing /msg *cert info. If you get back You have a certificate in: <path> then you're done. You can now use /msg *status connect to reconnect using cert.

If you have configured everything correctly, you should see the following when you connect to Rizon:

*** Connected securely via TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384-256
*** Your client certificate fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Welcome to the Rizon Internet Relay Chat Network Rebel_n00b


Add the certificate fingerprint to NickServ

First, identify yourself through services with /msg NickServ IDENTIFY password.

Next, just copy and paste this line /msg NickServ ACCESS ADD FINGERPRINT

Disable whatever auto-authentication you had with NickServ before you saw this tutorial, and reconnect. If it worked, you will be identified by services automatically via the fingerprint.

If you have any questions, feel free to join #ssl or #help and ask.