Difference between revisions of "TLS"

From Rizon Wiki
(→‎Setting up your client for SSL: Add mIRC screenshot)
m (Replaced SSL term with TLS + updated depreciated client SSL commands and options with TLS counterparts.)
 
(18 intermediate revisions by 3 users not shown)
Line 1: Line 1:
SSL (Secure Sockets Layer) is a method of encrypting your connections on the Internet, so that your connections are still safe, even if they are being "eavesdropped" on.
TLS (Transport Layer Security), previously known as SSL (Secure Sockets Layer), is a method of encrypting your communications so that other parties cannot tamper with or read your messages.
It is suggested that you connect to Rizon using encryption if possible. Instructions on how to do this are provided for many popular IRC clients below.


Rizon also supports Nickserv identification via SSL certificates. Learn more about this here: [[CertFP]].
==Connecting with TLS==
Typically, your client will have a connection dialogue, which may:
* ask you if you wish to connect with TLS as one of the options;
* allow you to pass a <code>-tls</code>, or <code>-ssl</code>, argument as part of the connect command;
*:Example: <code>/connect {{Xt|-tls}} irc.rizon.net 6697</code>
* or use a <code>+</code> in front of the port number.
*:Example: <code>/server irc.rizon.net {{Xt|+}}6697</code>


==Setting up your client for SSL==
All Rizon servers allow TLS connections on ports '''6697''' and '''9999'''.
 
Note: your client needs to support '''TLS version v1.2 or higher''', an older version is '''not''' supported!
 
OpenSSL added support for TLS v1.2 to version 1.0.1 back in 2012, make sure your client is up to date for the most secure chatting experience.
 
==Setting up your client for SSL/TLS==
You can connect securely to Rizon by setting your client to connect to '''irc.rizon.net''' with either port '''6697''' or port '''9999'''. Client-specific instructions are listed below for your convenience.
You can connect securely to Rizon by setting your client to connect to '''irc.rizon.net''' with either port '''6697''' or port '''9999'''. Client-specific instructions are listed below for your convenience.
<gallery mode="traditional">
<gallery mode="traditional">
Image:Mirc-edit-server.png|thumb|250xp|Example of what your [[SSL#mIRC|mIRC]] settings can look like.
Image:Mirc-edit-server.png|thumb|250xp|Example of what your [[TLS#mIRC|mIRC]] settings can look like.
Image:Hexchat-edit-server.png|thumb|250px|Example of what your [[SSL#HexChat|HexChat]] settings can look like.
Image:Hexchat-edit-server.png|thumb|250px|Example of what your [[TLS#HexChat|HexChat]] settings can look like.
Image:Kvirc-edit-server.png|thumb|250xp|Example of what your [[SSL#KVIrc|KVIrc]] settings can look like.
Image:Kvirc-edit-server.png|thumb|250xp|Example of what your [[TLS#KVIrc|KVIrc]] settings can look like.
</gallery>
</gallery>
===mIRC===
===mIRC===
mIRC's official documentation can be found [http://www.mirc.com/ssl.html here].


The latest versions of mIRC now include OpenSSL by default. You can enable it for Rizon by pressing <code>ALT+O</code> to open the options window, then go to Connect → Servers. Click Edit on the Rizon network, and make sure the ports field is <code>+6697,+9999</code>
* You need at least version 7.24, released 26/05/2012, to be able to connect to Rizon!
* First, verify that SSL/TLS is enabled in your mIRC by typing <code>//echo -a $sslready</code> which should return '''<big><kbd>$true</kbd></big>'''; otherwise, check [https://www.mirc.com/ssl.html mIRC's official documentation].
 
The latest versions of mIRC now include OpenSSL by default. To ''always'' connect to&nbsp;Rizon with&nbsp;SSL:
 
'''mIRC version 7.24 ~ 7.67:'''
# '''Tools''' → '''Options...''' (or press {{Key Txt|Alt}} + {{Key Txt|O}}) to&nbsp;open the&nbsp;'''Options''' dialogue box.
# Go to '''Connect''' '''Servers'''.
# Under '''IRC Servers:''', find and expand '''Rizon''' group, and select one of the connection items of that group; then, press {{Button|Edit}}
# In the '''Ports:''' field, type in <code>+6697,+9999</code>. Then, press {{Button|OK}} and&nbsp;(re)connect.


Alternatively you can connect with SSL manually by typing <code>/server irc.rizon.net +6697</code> or <code>/server -e irc.rizon.net 6697</code>
'''mIRC version ≥ 7.68:'''
# '''Tools''' → '''Options...''' (or press {{Key Txt|Alt}} + {{Key Txt|O}}) to&nbsp;open the&nbsp;'''Options''' dialogue box.
# Go to '''Connect'''
# From the '''Servers''' drop-down menu, select '''Rizon'''. Then, press {{Button|{{Unicode|≡}}|style=font-weight:bold;}} button and select '''Edit'''.
# In the '''Ports:''' field, type in <code>+6697,+9999</code>. Then, press {{Button|OK}} and&nbsp;(re)connect.


===Kiwi IRC===
Alternatively, you can ''temporarily'' connect with TLS by typing <code>/server&nbsp;irc.rizon.net&nbsp;{{Xt|+6697}}</code> or &nbsp;<code>/server&nbsp;{{Xt|-e}}&nbsp;irc.rizon.net&nbsp;{{Xt|6697}}</code>
SSL on KiwiIRC can be used by clicking on the <code>Server & network</code> link in KiwiIRC's client.
 
Allowing the user to select SSL and a separate port.
===KiwiIRC===
# This first step is optional, but crucial to maintain secure connections at all parts.
#: Be sure that you've browsed to KiwiIRC using secure HTTPS; i.e., <code>http{{!xt|s}}://kiwiirc.com/</code>
# Secure connection to Rizon network is pre-set on KiwiIRC (''by the time of updating these guides''). So, directly select '''RIZON''' off KiwiIRC home page, where you get to type in your nick (''and password, if registered with Rizon''), before pressing {{Button|text=Start|padTB=.3em|padLR=1.2em|LGtopcolor=#42B992|LGbtmcolor=#42B992|fgcolor=white|style=font-weight:bold;}}


'''Connect to the client using <code>https://</code> to have all parts secure'''


===Mibbit===
===Mibbit===
SSL can be used via Mibbit by clicking on the "Server" link on the connection dialogue and by using "+6697" as the port.
TLS can be used via Mibbit by clicking on the '''Server''' link on the connection dialogue, and by using '''+6697''' as the port.
 


===QWebIRC===
===QWebIRC===
Rizon's QWebIRC automatically uses SSL when connecting via https.
Rizon's QWebIRC automatically uses TLS when connecting via '''https'''.
 


===IRCCloud===
===IRCCloud===
IRCCloud is using a secure connection by default. You can verify this by editing the network - the checkbox named '''Secure Port''' has to be enabled and the port has to be ''6697'' or ''9999''
IRCCloud is using a secure connection by default. You can verify this by editing the network the checkbox named '''Secure port''' has to be enabled, and the '''Port''' field has to be either ''6697'' or ''9999''
 


===HexChat===
===HexChat===
To ensure that you are connecting via SSL you can ''enable'' the checkbox named '''Use SSL for all the servers on this network''' and ''disable'' the checkbox named '''Accept invalid SSL certificate''' by editing the network details in the network list. Make sure that if HexChat is set to connect to a specific port that it's either '''6697''' or '''9999''', e.g. <code>irc.rizon.net/6697</code>
To ensure that you are connecting via TLS you can ''{{Xt|enable}}'' the checkbox named '''Use SSL for all the servers on this network''', and ''{{!xt|disable}}'' '''Accept invalid SSL certificate''' by editing the network details in the network list. Make sure that, if HexChat is set to connect to a&nbsp;specific port that it's either '''6697''' or '''9999'''; e.g., <code>irc.rizon.net/6697</code>
 


===Irssi===
===Irssi===
To make sure Irssi uses SSL and verifies the authenticity of the certificate you need to enable certificate verification. You can do this by connecting using the <code>-ssl -ssl_verify</code> flags. Users of version Irssi >= 0.8.21 are encouraged to use <code>-tls -tls_verify</code> instead.
To make sure Irssi uses TLS and verifies the authenticity of the certificate, you need to enable certificate verification. You can do this by connecting using the <code>-tls -tls_verify</code> flags for Irssi version 0.8.21. Older Irrsi versions, use <code>-ssl -ssl_verify</code> instead.


===Weechat===
To make sure weechat verifies certificates, you'll need to use the following.


* <code>-ssl_verify</code> on /server and /connect commands
===WeeChat===
* <code>/set irc.server.SERVERNAME.ssl_verify true</code> via /iset or /set
To make sure WeeChat verifies certificates, you'll need to use the following:
* <code>-tls_verify</code> on both '''<big><kbd>/server</kbd></big>''' and '''<big><kbd>/connect</kbd></big>''' commands.
* <code>/set irc.server.<em>ServerName</em>.tls_verify true</code> then force a write of the options with the <code>/save</code> command. WeeChat immediately uses the new value, ''without'' the need to restart it.
 
You'd then use either <code>irc.rizon.net/{{Xt|6697}}</code> or <code>irc.rizon.net/{{Xt|9999}}</code> as the server address.


You'd then use <code>irc.rizon.net/6697</code> or <code>irc.rizon.net/9999</code> as the server address.


===KVIrc===
===KVIrc===
You can pass the '''-s''' flag upon connecting to connect using SSL. The full command will look like this: <code>/server -s irc.rizon.net</code>
You can pass the <code>-s</code> flag upon connecting, in order to connect using TLS. The full command will look like this: <code>/server {{Xt|-s}} irc.rizon.net</code>
 


===ZNC===
===ZNC===
'''Using the webpanel'''
'''Using ZNC webadmin'''


After logging in to the webpanel, go to Your Settings → Networks → Edit.
#After logging in to the [https://wiki.znc.in/FAQ#How_can_I_access_webadmin_with_my_browser.3F webadmin]; a.k.a., webpanel, go to '''Your Settings''' '''Networks''' '''Edit'''.
#Make sure '''Servers of this IRC network''' is set to <code>irc.rizon.net:+6697</code>.
You may need to reconnect your client to activate the new settings. You can do this by typing <code>/znc jump</code> after connecting to your ZNC.


Make sure "Servers of this IRC network" is set to <code>irc.rizon.net:+6697</code>. You may need to reconnect your client to activate the new settings. You can do this by typing <code>/znc jump</code> after connecting to your ZNC.


'''Ensuring both sides are TLS'''


'''Ensuring both sides are SSL'''
The instructions above make sure you are connected to the IRC network using TLS. To be sure that your connection to your ZNC is using TLS as well:
 
# Log in to the [https://wiki.znc.in/FAQ#How_can_I_access_webadmin_with_my_browser.3F webadmin] as administrator
The instructions above make sure you are connected to the IRC network using SSL. To make sure your connection to your ZNC is using SSL as well log in to the webpanel as administrator, go to Global Settings → Listen Port(s), and make sure that the '''SSL''' checkbox is ticked. You can now connect using SSL to your ZNC on that port.
# Go to '''Global Settings''' '''Listen Port(s)''', and make sure that the '''SSL''' checkbox is ticked.
You can now connect using TLS to your ZNC on that port.


<!-- Should probably add more information about other clients (Colloquy, etc.) -->
<!-- Should probably add more information about other clients (Colloquy, etc.) -->


==Connecting with SSL==
Typically, your client will have a connection dialogue which may ask you if you wish to connect with SSL as one of the options, allow you to pass a -ssl argument as part of the connect command, or use a "+" in front of the port number. (i.e. "/server irc.rizon.net +6697", "/connect -ssl irc.rizon.net 6697")
Currently all Rizon servers have SSL support on port 6697 and 9999.


===RizonBNC===
===RizonBNC===
[[RizonBNC]] allows SSL connections via port 12345 only.
[[RizonBNC]] allows TLS connections via port '''12345''' only.




==Verify if SSL is in use==
==Verify if TLS is in use==
When you followed the steps above and still asking yourself if you are connecting with SSL you can use the <code>/whois <em>Nick</em></code> command, where ''Nick'' is your username. An example output can be found here:
When you followed the steps above, and still asking yourself if you are connecting with TLS you can use the <code>/whois <em>Nick</em></code> command, where ''Nick'' is&nbsp;your username. The&nbsp;following is an&nbsp;example output:
<pre>
<pre>
Nick is user@Rizon-ABCDEF.example.com * *
Nick is user@Rizon-ABCDEF.example.com ***
Nick on #Rizon
Nick on #Rizon
Nick using irc.rizon.net - Where are you?
Nick using irc.rizon.net - Where are you?
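Review bot: the SSL-to-TLS rename is left unfinished in the mIRC section, where the new paragraph still reads "To ''always'' connect to Rizon with SSL:" while the temporary-connect sentence right after the numbered steps says "connect with TLS". Use TLS in both, and keep SSL only where it is a literal identifier or UI label (<code>$sslready</code>, HexChat's "Use SSL for all the servers on this network", ZNC's SSL checkbox). In the Irssi paragraph, "Older Irrsi versions, use" has a misspelled client name and should read "For older Irssi versions, use".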
Line 87: Line 120:
You should see the following line:
You should see the following line:
<pre>Nick is using a secure connection</pre>
<pre>Nick is using a secure connection</pre>
==SSL/TLS-Only Channels==
Channels can be set to only allow users that are connected using a secure connection. This can be enabled by setting the [[Channel_Modes|channel mode +S]].
Users not using a secure connection, that attempt to join the channel, will get an error message like this one:
<pre>#chat Cannot join channel (+S)</pre>
==TLS Certificates in CertFP and SASL==
TLS (client) certificates can be used to automatically identify with NickServ. This is a separate concept than what is discussed in this article. Read more about this on the [[CertFP]] or [[SASL#SASL_EXTERNAL_Client_Configurations|SASL EXTERNAL]] page.
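Review bot: the new "SSL/TLS-Only Channels" section shows the "Cannot join channel (+S)" error but does not tell the reader how to resolve it. Add a sentence pointing back to "Connecting with TLS" so a user who hits the error knows to reconnect on port 6697 or 9999. In the CertFP paragraph, "a separate concept than what is discussed" should read "a separate concept from what is discussed", and the heading would match the rest of the rename as "TLS-Only Channels".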

Latest revision as of 13:32, 28 June 2023

TLS (Transport Layer Security), previously known as SSL (Secure Sockets Layer), is a method of encrypting your communications so that other parties cannot tamper with or read your messages. It is suggested that you connect to Rizon using encryption if possible. Instructions on how to do this are provided for many popular IRC clients below.

Connecting with TLS

Typically, your client will have a connection dialogue, which may:

  • ask you if you wish to connect with TLS as one of the options;
  • allow you to pass a -tls, or -ssl, argument as part of the connect command;
    Example: /connect -tls irc.rizon.net 6697
  • or use a + in front of the port number.
    Example: /server irc.rizon.net +6697

All Rizon servers allow TLS connections on ports 6697 and 9999.

Note: your client needs to support TLS v1.2 or higher; older versions are not supported!

OpenSSL added support for TLS v1.2 in version 1.0.1 back in 2012. Make sure your client is up to date for the most secure chatting experience.

Setting up your client for SSL/TLS

You can connect securely to Rizon by setting your client to connect to irc.rizon.net with either port 6697 or port 9999. Client-specific instructions are listed below for your convenience.

mIRC

  • You need at least version 7.24, released 26/05/2012, to be able to connect to Rizon!
  • First, verify that SSL/TLS is enabled in your mIRC by typing //echo -a $sslready which should return $true; otherwise, check mIRC's official documentation.

The latest versions of mIRC now include OpenSSL by default. To always connect to Rizon with SSL:

mIRC version 7.24 ~ 7.67:

  1. Tools → Options... (or press Alt + O) to open the Options dialogue box.
  2. Go to Connect → Servers.
  3. Under IRC Servers:, find and expand the Rizon group, and select one of the connection items in that group; then, press Edit.
  4. In the Ports: field, type in +6697,+9999. Then, press OK and (re)connect.

mIRC version ≥ 7.68:

  1. Tools → Options... (or press Alt + O) to open the Options dialogue box.
  2. Go to Connect.
  3. From the Servers drop-down menu, select Rizon. Then, press the ≡ button and select Edit.
  4. In the Ports: field, type in +6697,+9999. Then, press OK and (re)connect.

Alternatively, you can temporarily connect with TLS by typing /server irc.rizon.net +6697 or /server -e irc.rizon.net 6697

KiwiIRC

  1. This first step is optional, but it is crucial for keeping every part of the connection secure.
    Be sure that you've browsed to KiwiIRC over HTTPS; i.e., https://kiwiirc.com/
  2. A secure connection to the Rizon network is pre-set on KiwiIRC (at the time these guides were updated). So, select RIZON directly from the KiwiIRC home page, type in your nick (and password, if registered with Rizon), and press Start.


Mibbit

TLS can be used via Mibbit by clicking on the Server link on the connection dialogue, and by using +6697 as the port.


QWebIRC

Rizon's QWebIRC automatically uses TLS when connecting via https.


IRCCloud

IRCCloud uses a secure connection by default. You can verify this by editing the network: the checkbox named Secure port has to be enabled, and the Port field has to be either 6697 or 9999.


HexChat

To ensure that you are connecting via TLS, edit the network details in the network list: enable the checkbox named Use SSL for all the servers on this network, and disable Accept invalid SSL certificate. If HexChat is set to connect to a specific port, make sure that it's either 6697 or 9999; e.g., irc.rizon.net/6697


Irssi

To make sure Irssi uses TLS and verifies the authenticity of the certificate, you need to enable certificate verification. You can do this by connecting using the -tls -tls_verify flags for Irssi version ≥ 0.8.21. For older Irssi versions, use -ssl -ssl_verify instead.


WeeChat

To make sure WeeChat verifies certificates, you'll need to use the following:

  • -tls_verify on both /server and /connect commands.
  • /set irc.server.ServerName.tls_verify true then force a write of the options with the /save command. WeeChat immediately uses the new value, without the need to restart it.

You'd then use either irc.rizon.net/6697 or irc.rizon.net/9999 as the server address.


KVIrc

You can pass the -s flag upon connecting, in order to connect using TLS. The full command will look like this: /server -s irc.rizon.net


ZNC

Using ZNC webadmin

  1. After logging in to the webadmin (a.k.a. webpanel), go to Your Settings → Networks → Edit.
  2. Make sure Servers of this IRC network is set to irc.rizon.net:+6697.

You may need to reconnect your client to activate the new settings. You can do this by typing /znc jump after connecting to your ZNC.


Ensuring both sides are TLS

The instructions above make sure you are connected to the IRC network using TLS. To be sure that your connection to your ZNC is using TLS as well:

  1. Log in to the webadmin as administrator.
  2. Go to Global Settings → Listen Port(s), and make sure that the SSL checkbox is ticked.

You can now connect using TLS to your ZNC on that port.


RizonBNC

RizonBNC allows TLS connections via port 12345 only.


Verify if TLS is in use

If you have followed the steps above and are still unsure whether you are connecting with TLS, you can use the /whois Nick command, where Nick is your username. The following is an example output:

Nick is user@Rizon-ABCDEF.example.com ***
Nick on #Rizon
Nick using irc.rizon.net - Where are you?
Nick is using a secure connection
Nick is using modes +ix authflags: [none]
Nick is actually user@xyz.example.com [192.0.2.10]
Nick has been idle 2mins 8secs, signed on Wed Dec 03 03:57:45
Nick End of /WHOIS list.

You should see the following line:

Nick is using a secure connection
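
The two checks this page describes, written out as an added Python example (not part of the Rizon wiki or of any IRC client): a handshake probe that enforces TLS v1.2 or higher with certificate verification on ports 6697 and 9999, and a test for the secure-connection line in /whois output. The function names are assumptions made for this example; the sample WHOIS text is the example output shown above.

```python
import socket
import ssl

RIZON_HOST = "irc.rizon.net"    # server name given on this page
RIZON_TLS_PORTS = (6697, 9999)  # TLS ports given on this page

# The example /whois output shown on this page.
SAMPLE_WHOIS = """\
Nick is user@Rizon-ABCDEF.example.com ***
Nick on #Rizon
Nick using irc.rizon.net - Where are you?
Nick is using a secure connection
Nick is using modes +ix authflags: [none]
Nick is actually user@xyz.example.com [192.0.2.10]
Nick has been idle 2mins 8secs, signed on Wed Dec 03 03:57:45
Nick End of /WHOIS list.
""".splitlines()


def make_context():
    """Client context that verifies the server and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking are on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host=RIZON_HOST, port=RIZON_TLS_PORTS[0], timeout=10.0):
    """Perform the TLS handshake only (no IRC traffic) and report what was negotiated.

    Raises ssl.SSLError if certificate verification or the version floor fails.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with make_context().wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0]}


def whois_is_secure(lines, nick):
    """True if the /whois output contains the secure-connection line for `nick`.

    IRC nicknames are case-insensitive, so the comparison is too.
    """
    wanted = f"{nick} is using a secure connection".casefold()
    return any(line.strip().casefold() == wanted for line in lines)


if __name__ == "__main__":
    print("sample whois secure:", whois_is_secure(SAMPLE_WHOIS, "Nick"))
    for port in RIZON_TLS_PORTS:
        try:
            print(port, probe(port=port))
        except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
            print(port, "failed:", exc)
```
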


SSL/TLS-Only Channels

Channels can be set to only allow users that are connected using a secure connection. This can be enabled by setting the channel mode +S.

Users who attempt to join the channel without a secure connection will get an error message like this one:

#chat Cannot join channel (+S)


TLS Certificates in CertFP and SASL

TLS (client) certificates can be used to automatically identify with NickServ. This is a separate concept from what is discussed in this article. Read more about this on the CertFP or SASL EXTERNAL page.