CertFP Auth
Revision as of 23:23, 24 January 2010
Adapted from the OFTC network's CertFP guide
This page describes how to use SSL with a client certificate fingerprint to automatically authenticate to your account while connecting to DareNET.
Getting Started
First, you will need an IRC client that supports SSL with a client certificate. You can check out our Using SSL guide for a list of such clients. You will also need to generate a self-signed certificate if you do not currently already have one (which we'll cover later). For the purpose of this document, we will be using OpenSSL which should be available on most Linux and BSD distributions. There are ports for other platforms, including Windows.
Generate the Key and Certificate
We need to generate our certificate and key. We will be using the openssl command with the req option.
% openssl req -nodes -newkey rsa:2048 -keyout yournick.key -x509 -days 365 -out yournick.cer
Generating a 2048 bit RSA private key
writing new private key to 'yournick.key'
-----
Country Name (2 letter code) [US]:YOURCOUNTRYCODE
State or Province Name (full name) [Texas]:YOURSTATE
Locality Name (eg, city) [San Antonio]:YOURCITY
Organization Name (eg, company) [Stealth3]:YOURTEXTHERE
Organizational Unit Name (eg, section) [ISP]:IRC
Common Name (eg, YOUR name) []:YOUR NAME
Email Address []:YOURMAIL@ADDRESS
For the purpose of connecting to DareNET, it does not matter what you fill out for the fields above, so you may do so however you wish. Once completed, you should have two files: the key in yournick.key and the certificate in yournick.cer. Now, let's protect your key by using the chmod command.
% chmod 400 yournick.key
For the curious, let's take a closer look at your certificate. Specifically, we are interested in the certificate fingerprint (CertFP). NOTE: this is not a required step; there are other ways to get the fingerprint.
% openssl x509 -noout -fingerprint -text < yournick.cer
Now, we'll combine the certificate and key into a single file, yournick.pem. Remember to also protect this file, since it now includes your private key:
% cat yournick.cer yournick.key > yournick.pem
% chmod 400 yournick.pem
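The 64-hex-digit value the server reports later in this guide is a SHA-256 digest, and (as assumed here, following how IRC daemons generally compute CertFP) it is taken over the DER encoding of the certificate, whereas openssl x509 -fingerprint prints a SHA-1 digest unless you pass -sha256. The following script is an added example, not part of the original guide: it pulls the CERTIFICATE block out of a PEM file (the combined yournick.pem included, skipping the PRIVATE KEY block), computes the fingerprint in openssl's colon-separated form, and checks it against a fingerprint reported by the server, whatever its case or colon style. The certificate and key bytes are constructed placeholders, not a real X.509 certificate; the functions behave identically on a real file.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder bytes standing in for the DER-encoded certificate and
# private key. They are NOT a real X.509 certificate or key; the fingerprint is
# simply a digest over the certificate's DER bytes, so real files behave the same.
FAKE_CERT_DER = b"constructed-placeholder-certificate-bytes"
FAKE_KEY_DER = b"constructed-placeholder-private-key-bytes"


def pem_block(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block, 64 base64 characters per line."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# yournick.cer on its own, and yournick.pem as produced by 'cat yournick.cer yournick.key'.
CERT_PEM = pem_block("CERTIFICATE", FAKE_CERT_DER)
COMBINED_PEM = CERT_PEM + pem_block("PRIVATE KEY", FAKE_KEY_DER)

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file.
    Other blocks (such as the PRIVATE KEY in the combined file) are ignored."""
    match = CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(pem_text: str, algorithm: str = "sha256") -> str:
    """Digest of the DER certificate, formatted the way openssl prints it: AA:BB:CC:..."""
    digest = hashlib.new(algorithm, certificate_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons and whitespace and upper-case, so the server's colon-free form
    and openssl's colon-separated form compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(reported: str, pem_text: str) -> bool:
    """True if the fingerprint the server echoed back belongs to this certificate file."""
    return hmac.compare_digest(normalize(reported), normalize(fingerprint(pem_text)))


if __name__ == "__main__":
    # Paste the value from 'Your client certificate fingerprint is: ...' as the first argument
    # of fingerprint_matches() to confirm the client really sent the certificate you think it did.
    print("SHA-256:", fingerprint(COMBINED_PEM))
    print("SHA-1:  ", fingerprint(COMBINED_PEM, "sha1"))
```

Comparing the server's echoed fingerprint with one you compute locally is the quick way to catch a client that silently connected without the certificate, or with a different one than you configured.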
Connecting to DareNET with your Certificate
We'll provide instructions for the most common clients used on DareNET. If the client you use is not listed here, feel free to edit this page with a step-by-step howto about it.
mIRC (version 6.14 and later)
If you haven't already configured mIRC to use SSL, please take a look at our Using SSL guide. For the purpose of this document, we'll assume you already have the necessary OpenSSL DLL files and have setup mIRC to use them. Now, to setup mIRC to use your certificate:
- Go to Main Options Menu -> Connect -> Options
- Click on the SSL button (if it isn't there, something is wrong with your OpenSSL installation. See Using SSL).
- Click on the empty box below 'Private Key File', navigate to where you placed your yournick.pem file and select it.
- Do the same for 'Certificate Chain File'.
Now, make sure to connect to DareNET using SSL. To do so, use '/server irc.darenet.org +6697' - note the plus sign before the port number. This is what lets mIRC know you'd like to connect over SSL. To save this server with the SSL settings, you can simply add the plus sign before the port number in mIRC's server manager.
To continue, please scroll down to Adding your Certificate Fingerprint to NickServ.
irssi
Move the certificates you created somewhere safe. For example:
% mkdir ~/.irssi/certs
% mv yournick.{key,cer,pem} ~/.irssi/certs
Now, remove the current server and re-add it with the SSL flag, using your newly generated certificate.
NOTE: We use ports 6697 and 9999 for SSL.
/server remove irc.darenet.org
/network add DareNET
/server add -auto -ssl -ssl_cert ~/.irssi/certs/yournick.pem -ssl_verify -network DareNET irc.darenet.org
Next we need to disconnect and connect back to the server.
NOTE: A /reconnect does not read the new settings we added.
/disconnect DareNET
/connect DareNET
To continue, please scroll down to Adding your Certificate Fingerprint to NickServ.
KvIRC
- Go to Settings -> Configure KvIRC
- On the tab 'SSL' check 'Use ssl certificate' and 'Use SSL private key' and point both to the yournick.pem file you created.
- Change your connection settings and enable the SSL option. Make sure you are using port 6697 or 9999.
To continue, please scroll down to Adding your Certificate Fingerprint to NickServ.
XChat 2.8
This is known to work with XChat 2.8, but not previous versions!
First, you will need to copy the yournick.pem file to your .xchat2 directory. The filename MUST be <network>.pem. So, in our case this should be DareNET.pem. On Windows, the directory is usually something like C:\Documents and Settings\(user)\Application Data\X-Chat 2.
% cp yournick.pem ~/.xchat2/DareNET.pem
Now, start up XChat. We need to tell it to connect via SSL to DareNET.
- Go to XChat menu and select Network list.
- Find DareNET in the list of networks and select edit.
- Check mark 'Use SSL for all the servers on this network' and 'Accept invalid SSL certificate'.
- Click 'Close' and then click 'Connect'.
To continue, please scroll down to Adding your Certificate Fingerprint to NickServ.
Adding your Certificate Fingerprint to NickServ
If you did everything right, you should now be using SSL to connect to DareNET. When connecting to DareNET, you should see lines similar to the following in your status/server window. This will most likely be above the MOTD, so you may have to scroll up a bit to actually see it.
12:00 !irc.darenet.org Connected securely via TLSv1-AES256-SHA-256bits
12:00 !irc.darenet.org Your client certificate fingerprint is: 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F
This is letting you know that you are now connected via SSL and that your certificate is working. You can also check your certificate fingerprint by using the FINGERPRINT command while connected. For example:
/fingerprint
YourNick SSL certificate fingerprint: 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F
To allow NickServ to automatically authenticate you based on this certificate, you need to associate the certificate fingerprint with your account. To do this, issue the ADDCERT command to NickServ (try /msg NickServ HELP ADDCERT). Please note you must be authenticated to NickServ for this command to work.
/msg NickServ ADDCERT
12:05 -NickServ- Certificate fingerprint 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F added.
NickServ will message back saying that your CertFP was added. Now the only thing left to do is reconnect to the server to test it out. NOTE: You must connect using a nickname registered to your account in order for NickServ to automatically authenticate you using your certificate fingerprint; however, you may use the login-on-connect method to get around this requirement (discussed below).
/reconnect
12:10 -!- Irssi: Disconnecting from server irc.darenet.org: [Reconnecting]
12:10 -!- Irssi: Connecting to irc.darenet.org [IP ADDRESS] port 6697
12:10 !irc.darenet.org Connected securely via TLSv1-AES256-SHA-256bits
12:10 !irc.darenet.org Your client certificate fingerprint is: 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F
...
-NickServ- You are connected using SSL and have provided a matching client certificate
-NickServ- for account YourAccount. You have been automatically logged in.
-NickServ- Last account login: [TIME] ago at this Host/IP ([HOST]) [0 failed login attempts since last login].
YourAccount.user.darenet is now your hidden host
Congratulations! You now have automatic authentication via SSL and certificate fingerprints!
Using Login-on-Connect with Certificate Fingerprint
The login-on-connect method allows you to automatically authenticate to NickServ using your certificate fingerprint, but without having to use a nickname that is registered to your account.
To set this up, you use the exact same method as described here. However, you can omit the password portion of the string. For example:
/accountname/
rather than:
/accountname/password
The empty password portion indicates to the server that you would like to use your SSL certificate fingerprint to authenticate.
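To make the two auto-login paths described above concrete, here is an added illustrative model (my own code, not DareNET's NickServ implementation, whose internals are not on this page) of the decision NickServ makes when a client arrives with a certificate: the nick-registered path, the login-on-connect path with an empty password, and the cases where neither applies. ACCOUNTS, Connection, addcert, account_for_certfp, parse_login_on_connect and auto_login are all hypothetical names; the account store is constructed data, and the only real value is the sample fingerprint from this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Sample fingerprint from this guide's example output.
SAMPLE_FP = "83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F"


def normalize(fp: str) -> str:
    """Fingerprints compare as upper-case hex with no colons."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


# Hypothetical account store (constructed data, not DareNET's): account name ->
# nicks registered to it and the CertFPs bound to it with ADDCERT.
ACCOUNTS: Dict[str, Dict[str, Set[str]]] = {
    "YourAccount": {"nicks": {"YourNick", "YourNick_"}, "certfps": {normalize(SAMPLE_FP)}},
    "OtherAccount": {"nicks": {"Other"}, "certfps": set()},
}


@dataclass
class Connection:
    nick: str
    certfp: Optional[str]                  # fingerprint the ircd derived from the client cert; None if none sent
    server_password: Optional[str] = None  # server password string, e.g. "/YourAccount/" for login-on-connect


def addcert(logged_in_account: Optional[str], certfp: str) -> bool:
    """Model of ADDCERT: only an authenticated session may bind a fingerprint to its account."""
    if logged_in_account is None:
        return False
    ACCOUNTS[logged_in_account]["certfps"].add(normalize(certfp))
    return True


def account_for_certfp(certfp: str) -> Optional[str]:
    """Which account, if any, has this fingerprint bound to it."""
    wanted = normalize(certfp)
    for name, account in ACCOUNTS.items():
        if wanted in account["certfps"]:
            return name
    return None


def parse_login_on_connect(server_password: Optional[str]) -> Optional[Tuple[str, str]]:
    """'/account/password' -> (account, password); '/account/' -> (account, '').
    Returns None when no server password was given or it is not in that form."""
    if not server_password:
        return None
    match = re.fullmatch(r"/([^/]+)/(.*)", server_password)
    return (match.group(1), match.group(2)) if match else None


def auto_login(conn: Connection) -> Tuple[Optional[str], str]:
    """Return (account the connection is logged into or None, reason)."""
    if not conn.certfp:
        return None, "no client certificate presented"
    owner = account_for_certfp(conn.certfp)
    if owner is None:
        return None, "fingerprint is not associated with any account"
    loc = parse_login_on_connect(conn.server_password)
    if loc is not None:
        requested, password = loc
        if password:
            return None, "password supplied: handled by the normal password login path (not modelled)"
        if requested != owner:
            return None, "login-on-connect names an account that does not own this certificate"
        return owner, "login-on-connect with empty password matched the certificate"
    if conn.nick in ACCOUNTS[owner]["nicks"]:
        return owner, "nick is registered to the account owning the certificate"
    return None, "nick is not registered to that account; use login-on-connect instead"


if __name__ == "__main__":
    for conn in (Connection("YourNick", SAMPLE_FP),
                 Connection("Stranger", SAMPLE_FP),
                 Connection("Stranger", SAMPLE_FP, "/YourAccount/")):
        print(conn.nick, conn.server_password, "->", auto_login(conn))
```

The model makes the ordering visible: the fingerprint must already be bound to an account before either path can succeed, and the empty-password login-on-connect string only names which account to check, it never widens what the certificate is allowed to log into.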
Benefits
You can now get rid of any NickServ AUTH scripts you have! Since you are authenticated with your certificate fingerprint you don't need them anymore. And, by using SSL your connection to the IRC server is now encrypted. Our servers also use encryption for all server<->server traffic, so if you and those you chat with both use SSL connections, the whole traffic between you and them is encrypted.
NOTE: You can use channel mode +Z to allow only users who are connected using SSL to enter your channel.