CertFP
Introduction
This page describes how to connect, and identify yourself to services securely via a certificate fingerprint.
A major advantage of using a CertFP to authenticate is that you don't have to use /msg NickServ IDENTIFY
anymore.
By using SSL you are also encrypting the connection between you and the server.
Creating the certificate
OpenSSL
We will be using OpenSSL to create the certificate. If you haven't already, please install OpenSSL using these instructions:
Windows
Go here: http://www.slproweb.com/products/Win32OpenSSL.html. I am running Windows 7 and installed "Visual C++ 2008 Redistributables", along with "Win32 OpenSSL v0.9.8l Light", which was the latest at the time. Please note that you should select "The Windows system directory" when it asks you where to copy the dll files to, or it may not work.
Linux
Most distributions come with OpenSSL. If they don't, please go to http://www.openssl.org/ and install.
Generating a .pem
To generate the required .pem file, you will need to create a key and a certificate first:
Linux
openssl req -nodes -newkey rsa:2048 -keyout Rizon.key -x509 -days 365 -out Rizon.cer
Windows
- Go to Start -> run and type in
CMD
. This will bring up a prompt. - Type in
cd C:\OpenSSL\bin
and return. - Type
OpenSSL
and hit return. - You should now see something along the lines of
OpenSSL>
- Type in the following
req -nodes -newkey rsa:2048 -keyout Rizon.key -x509 -days 365 -out Rizon.cer
- Hit Ctrl+C to exit out of the program.
After entering the command(s), you will be asked these questions, fill them in like so.
Country Name (2 letter code) [US]:US State or Province Name (full name) [Texas]:Michigan Locality Name (eg, city) [San Antonio]:Grand Rapids Organization Name (eg, company) [Stealth3]: Rizon Organizational Unit Name (eg, section) [ISP]: IRC Common Name (eg, YOUR name) []:Rebel_n00b Email Address []:rebel@rizon.net
This will create two files, which you will need to combine together.
Linux
cat Rizon.cer Rizon.key > Rizon.pem
Windows
type Rizon.cer Rizon.key > Rizon.pem
Configuring your client
This section varies highly from client to client.
KVIrc
Move the Rizon.pem file to a safe place.
- Go to "Settings -> Configure KvIRC"
- Go to "Connection -> advanced"
- On the Tab "SSL" check "Use ssl certificate" and "Use SSL private key' and point both to the Rizon.pem file you created.
- Change your connection settings and enable the ssl option.
mIRC
Move the Rizon.pem file to a safe place. Make sure you can connect using ssl. If not, then go here http://www.mirc.com/ssl.html
- Go to "Main Options Menu -> Connect -> Options"
- Click on the SSL button, if there isn't one, then you didn't install ssl properly.
- Click on the empty box below "Private Key File", navigate to where you placed your Rizon.pem and select it.
- Do the same for "Certificate Chain File"
XChat
XChat uses the pem file that corresponds with the name of the network under "Network list". If irc.rizon.net is named under Rizon, then all you have to do is move the Rizon.pem file to ~/.xchat2/Rizon.pem
or C:\Users\xxx\AppData\Roaming\X-Chat 2
. If it's not named "Rizon", then you will have to either rename the .pem file, or rename the network that irc.rizon.net is listen under. So they match eachother. One you are done with that:
- Go to Xchat menu and select "Network List"
- Find Rizon and select "edit".
- Select the boxes "Use SSL for all the servers on this network" and "Accept invalid SSL certificate".
- Click "Close" and then click "Connect".
WeeChat
- quit weechat
- move Rizon.pem to
~/.weechat/ssl/Rizon.pem
- open
~/.weechat/irc.conf
- make the following options look like this:
# changing the port to 6697 or 9999 is what matters rizon.addresses = "irc.rizon.net/6697" rizon.ssl = on rizon.ssl_cert = "%h/ssl/Rizon.pem" # 2048 is the default anyway... *shrugs* rizon.ssl_dhkey_size = 2048 # weechat will refuse to connect if ssl_verify # is on - untrusted certificate issuer or something rizon.ssl_verify = off
irssi
- Move the cert to
~/.irssi/certs/Rizon.pem
- Use the command
/server add -ssl -ssl_cert ~/.irssi/certs/Rizon.pem -network Rizon irc.rizon.net 6697
ZNC
- ensure the Cert module is loaded
- Move your certificate to
~/.znc/users/<user>/moddata/cert/user.pem
When you connect to Rizon, you should see something like:
* *** Connected securely via SSLv3 AES256-SHA-256 * *** Your client certificate fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx * Welcome to the Rizon Internet Relay Chat Network Rebel_n00b
If you see that, that means you have configured everything correctly.
Add the certificate fingerprint to NickServ
First, identify yourself through services with /msg NickServ IDENTIFY password
.
Next, just copy and paste this line /msg NickServ ACCESS ADD FINGERPRINT
Disable whatever auto-authentication you had with NickServ before you saw this tutorial, and reconnect. If it worked you will be identified by services automatically via. the fingerprint.
If you have any questions, feel free to join #ssl or #help and ask.