Difference between revisions of "CertFP"
m (Replaced 'Key F7' template with generic 'Key Txt'.)
m (Minor refinements.)
Revision as of 08:15, 8 September 2020
Introduction
This page describes how to connect and identify yourself to services securely via a certificate fingerprint.
A major advantage of using a CertFP to authenticate is that you no longer have to use /msg NickServ IDENTIFY.
By using SSL you also encrypt the connection between you and the server.
Creating the certificate
OpenSSL
We will be using OpenSSL to create the certificate. If you haven't already, please install OpenSSL using these instructions:
Windows:
  Notes:
  - The default installation folder should be fine.
  - For this exercise, "Copy OpenSSL DLLs to: The OpenSSL binaries (/bin) directory" is good enough. Select otherwise if you'd like these encryption libraries to be available to other software; e.g., some IRC clients.
Linux:
  Most distributions come with OpenSSL or have the OpenSSL package in their repositories. If they don't, please go to https://www.openssl.org/ and install it.
Generating a .pem
To generate the required .pem file, you will need to create a key and a certificate first:
Windows:
  - Start menu → OpenSSL → Win64 OpenSSL Command Prompt
  - Type in openssl and press Enter. The prompt should change to OpenSSL>
  - Type in req -nodes -newkey rsa:4096 -keyout Rizon.key -x509 -days 365 -out Rizon.cer and press Enter
Linux:
  openssl req -nodes -newkey rsa:4096 -keyout Rizon.key -x509 -days 365 -out Rizon.cer
Assuming your commands were entered successfully, you will be asked some questions. Fill them in similarly to what is shown below:
  Country Name (2 letter code) [US]:US
  State or Province Name (full name) [Texas]:Michigan
  Locality Name (eg, city) [San Antonio]:Grand Rapids
  Organization Name (eg, company) [Stealth3]: Rizon
  Organizational Unit Name (eg, section) [ISP]: IRC
  Common Name (eg, YOUR name) []:Rebel_n00b
  Email Address []:rebel@rizon.net
By now, two files have been generated, which you will need to combine into one as follows:
Windows:
Linux:
  cat Rizon.cer Rizon.key > Rizon.pem
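The Linux side of the two tables above as one script, plus a local fingerprint check for the value the server reports on connect (shown near the end of this page); this is an added example, not part of the Rizon wiki. It assumes the openssl command-line tool is installed; the subject values passed with -subj and the sha1 default for the fingerprint are assumptions.

```shell
#!/bin/sh
# Added example, not from the Rizon wiki: the Linux commands from the tables
# above as one script, with the checks a careful user wants. Assumes the
# openssl CLI is installed. Defaults (365 days, 4096-bit RSA, name "Rizon")
# follow the page; the subject fields are constructed values given with -subj
# so the command runs without asking the questions shown above.
set -eu

# make_certfp_pem NAME [DAYS] [BITS]: writes NAME.key, NAME.cer and the
# combined NAME.pem in the current directory.
make_certfp_pem() {
    name=$1; days=${2:-365}; bits=${3:-4096}
    # -nodes leaves the private key unencrypted so the IRC client can load
    # it unattended; that is why the page says to keep Rizon.pem somewhere safe.
    openssl req -nodes -newkey "rsa:${bits}" -keyout "${name}.key" \
        -x509 -days "${days}" -out "${name}.cer" \
        -subj "/C=US/ST=Michigan/L=Grand Rapids/O=Rizon/OU=IRC/CN=Rebel_n00b" \
        2>/dev/null
    # Same as the page's "cat Rizon.cer Rizon.key > Rizon.pem".
    cat "${name}.cer" "${name}.key" > "${name}.pem"
    # Only the owner should be able to read files holding the private key.
    chmod 600 "${name}.key" "${name}.pem"
}

# pem_is_complete FILE: succeeds only if FILE holds both the certificate and
# the private key, i.e. the cat step was not skipped or given one file only.
pem_is_complete() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# cert_fingerprint FILE [DIGEST]: fingerprint of the certificate in FILE as
# lower-case hex without colons, for comparison with the value the server
# prints on connect ("Your client certificate fingerprint is ..."). The page
# does not say which digest Rizon shows; sha1 is assumed as the default here
# and sha256 can be requested explicitly.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha1}" \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

if [ "${1:-}" = "run" ]; then
    make_certfp_pem Rizon
    pem_is_complete Rizon.pem && echo "Rizon.pem holds certificate and key"
    echo "sha1   fingerprint: $(cert_fingerprint Rizon.pem)"
    echo "sha256 fingerprint: $(cert_fingerprint Rizon.pem sha256)"
fi
```

Run it as `sh certfp.sh run` in an empty directory; the printed fingerprint is the one to compare with the server's message after connecting.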
Configuring your client
This section varies considerably from client to client.
KVIrc
Move the Rizon.pem file to a safe place.
- Go to Settings → Configure KVIrc
- Go to Connection → Advanced
- On the SSL tab, check Use SSL certificate and Use SSL private key and point both to the Rizon.pem file you created.
- Change your connection settings and enable the SSL option.
mIRC
Move the Rizon.pem file to a safe place. Make sure SSL is enabled in your mIRC by typing //echo -a $sslready, which should return $true. If not, then go here: https://www.mirc.com/ssl.html
- Go to Tools → Options → Connect → Options
- Press the SSL... button.
  - If there isn't one, then upgrade your mIRC to the latest version. Otherwise, follow the OpenSSL installation steps properly, noting the second Notes bullet point.
- Click on the empty box below Private key file:, navigate to where you placed your Rizon.pem and select it.
- Do the same for Certificate chain file:
- Press OK, and (re)connect.
- Finally, to check whether you are connected with SSL, //echo -a $ssl should return $true.
XChat
XChat uses the .pem file that corresponds with the name of the network under Network list. If irc.rizon.net is named under Rizon, then all you have to do is move the Rizon.pem file to ~/.xchat2/Rizon.pem or C:\Users\xxx\AppData\Roaming\X-Chat 2. If it's not named Rizon, then you will have to either rename the .pem file, or rename the network that irc.rizon.net is listed under, so they match each other. Once you are done with that:
- Go to XChat → Network List
- In the Networks list, find Rizon and press Edit...
- Select the box Use SSL for all the servers on this network.
- Press Close and then press Connect
HexChat
HexChat uses the .pem file that corresponds with the name of the network under Network list. If irc.rizon.net is named under Rizon, then all you have to do is move the Rizon.pem file to ~/.config/hexchat/certs/Rizon.pem or C:\Users\xxx\AppData\Roaming\hexchat\certs. If it's not named Rizon, then you will have to either rename the .pem file, or rename the network that irc.rizon.net is listed under, so they match each other. Once you are done with that:
- Go to HexChat → Network List
- In the Networks list, find Rizon and press Edit...
- Select the box Use SSL for all the servers on this network.
- Press Close and then press Connect
WeeChat
- Quit WeeChat
- Move Rizon.pem to ~/.weechat/ssl/Rizon.pem
- Open ~/.weechat/irc.conf
- Make the following options look like this:
  # changing the port to 6697 or 9999 is what matters
  rizon.addresses = "irc.rizon.net/6697"
  rizon.ssl = on
  rizon.ssl_cert = "%h/ssl/Rizon.pem"
  # 2048 is the default anyway... *shrugs*
  rizon.ssl_dhkey_size = 2048
Irssi
- Move the cert to ~/.irssi/certs/Rizon.pem
- Use the command /server add -ssl -ssl_cert ~/.irssi/certs/Rizon.pem -network Rizon irc.rizon.net 6697
ZNC
- Ensure the Cert module is loaded (cert, not certauth).
- To add your certificate/pem file, either:
  - Copy and paste the contents of the *.pem file into the *certauth web interface at http<s>://<url>:<port>/mods/network/<rizon net name>/cert/
  or
  - If you are using cert as a user module, move your certificate to ~/.znc/users/<user>/moddata/cert/user.pem
  - If you are using cert as a network module, move your certificate to ~/.znc/users/<user>/networks/<rizon net name>/moddata/cert/user.pem
Quassel
- Go to Quassel and click Settings → Configure Quassel (or press F7).
- Click Identities in the left-hand sidebar, and choose the identity you wish to associate your certificate with.
- In the Advanced tab, under the Use SSL Certificate section, load the Rizon.pem file you created.
You can check that this is set up correctly by typing /msg *cert info. If you get back You have a certificate in: <path> then you're done. You can now use /msg *status connect to reconnect using the cert.
If you have configured everything correctly, you should see the following when you connect to Rizon:
  *** Connected securely via TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384-256
  *** Your client certificate fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Welcome to the Rizon Internet Relay Chat Network Rebel_n00b
Add the certificate fingerprint to NickServ
First, identify yourself through services with /msg NickServ IDENTIFY password.
Next, copy and paste this line: /msg NickServ ACCESS ADD FINGERPRINT
Disable whatever auto-authentication you had with NickServ before you saw this tutorial, and reconnect. If it worked, you will be identified by services automatically via the fingerprint.
If you have any questions, feel free to join #ssl or #help and ask.