Log in | Back to darenet.org

N CertFP Auth

Admin (Talk | contribs)
(Created page with '__NOTOC__This page describes how to use SSL with a client certificate fingerprint to automatically authenticate to your account while connecting to DareNET. == Getting Started =…')
Newer edit →

Revision as of 23:17, 24 January 2010

This page describes how to use SSL with a client certificate fingerprint to automatically authenticate to your account while connecting to DareNET.

Getting Started

First, you will need an IRC client that supports SSL with a client certificate. You can check out our Using SSL guide for a list of such clients. You will also need to generate a self-signed certificate if you do not currently already have one (which we'll cover later). For the purpose of this document, we will be using OpenSSL which should be available on most Linux and BSD distributions. There are ports for other platforms, including Windows.

Generate the Key and Certificate

We need to generate our certificate and key. We will be using the openssl command with the 'req' option.

% openssl req -nodes -newkey rsa:2048 -keyout yournick.key -x509 -days 365 -out yournick.cer
Generating a 2048 bit RSA private key
writing new private key to 'yournick.key'
-----
Country Name (2 letter code) [US]:YOURCOUNTRYCODE
State or Province Name (full name) [Texas]:YOURSTATE
Locality Name (eg, city) [San Antonio]:YOURCITY
Organization Name (eg, company) [Stealth3]:YOURTEXTHERE
Organizational Unit Name (eg, section) [ISP]:IRC
Common Name (eg, YOUR name) []:YOUR NAME
Email Address []:YOURMAIL@ADDRESS

For the purpose of connecting to DareNET, it does not matter what you fill out for the fields above, so you may do so however you wish. Once completed, you should have two files: they key in yournick.key and the certificate in yournick.cer. Now, let's protect your key by using the chmod command.

% chmod 400 yournick.key

For the curious, let's take a closer look at your certificate. Specifically, we are interested in the certificate fingerprint (CertFP). NOTE: this is not a required step; there are other ways to get the fingerprint.

% openssl x509 -noout -fingerprint -text < yournick.cer

Now, we'll combine the certificate and key into a single file, darenet.pem. Remember to also protect this file, since it now includes your private key!:

% cat yournick.cer yournick.key > yournick.pem
% chmod 400 yournick.pem

Connecting to DareNET with your Certificate

We'll provide instructions for the most common clients used on DareNET. If the client you use is not listed here, feel free to edit this page with a step-by-step howto about it.

mIRC (version 6.14 and later)

If you haven't already configured mIRC to use SSL, please take a look at our Using SSL guide. For the purpose of this document, we'll assume you already have the necessary OpenSSL DLL files and have setup mIRC to use them. Now, to setup mIRC to use your certificate:

  1. Go to Main Options Menu -> Connect -> Options
  2. Click on the SSL button (if it isn't there, something is wrong with your OpenSSL installation. See Using SSL).
  3. Click on the empty box below 'Private Key File', navigate to where you placed your yournick.pem file and select it.
  4. Do the same for 'Certificate Chain File'

Now, make sure to connect to DareNET using SSL. To do so, use '/server irc.darenet.org +6697' - note the plus sign before the port number. This is what lets mIRC know you'd like to connect over SSL. To save this server with the SSL settings, you can simply add the plus sign before the port number in mIRC's server manager.

To continue, please scroll down to Adding your Certificate Fingerprint to NickServ.

irssi

Move the certificates you created to some where safe. For example:

% mkdir ~/.irssi/certs
% mv yournick.{key,cer,pem} ~/.irssi/certs

Now, remove the current server and re-add it with the SSL flag, using your newly generated certificate.

NOTE: We use ports 6697 and 9999 for SSL.

/server remove irc.darenet.org
/network add DareNET
/server add -auto -ssl -ssl_cert ~/.irssi/certs/yournick.pem -ssl_verify -network DareNET irc.darenet.org


Next we need to disconnect and connect back to the server.

NOTE: A /reconnect does not read the new settings we added.

/disconnect DareNET
/connect DareNET

To continue, please scroll down to Adding your Certificate Fingerprint to NickServ.

KvIRC

  1. Go to Settings -> Configure KvIRC
  2. On the tab 'SSL' check 'Use ssl certificate' and 'Use SSL private key' and point both to the yournick.pem file you created.
  3. Change your connection settings and enable the SSL option. Make sure you are using port 6697 or 9999.

To continue, please scroll down to Adding your Certificate Fingerprint to NickServ.

XChat 2.8

This is known to work with XChat 2.8, but not previous versions!

First, you will need to copy the yournick.pem file to your .xchat2 directory. The filename MUST be <network>.pem. So, in our case this should be DareNET.pem. On Windows, the directory is usually something like C:\Documents and Settings\(user)\Application Data\X-Chat 2.

% cp yournick.pem ~/.xchat2/DareNET.pem

Now, start up XChat. We need to tell it to connect via SSL to DareNET.

  1. Go to XChat menu and select Network list.
  2. Find DareNET in the list of networks and select edit.
  3. Check mark 'Use SSL for all the servers on this network' and 'Accept invalid SSL certificate'.
  4. Click 'Close' and then click 'Connect'.

To continue, please scroll down to Adding your Certificate Fingerprint to NickServ.

Adding your Certificate Fingerprint to NickServ

Now, if you did everything right, you should now be using SSL to connect to DareNET. When connecting to DareNET, you should see lines similar to the following in your status/server window. This will most likely be above the MOTD, so you may have to scroll up a bit to actually see it.

12:00 !irc.darenet.org Connected securely via TLSv1-AES256-SHA-256bits
12:00 !irc.darenet.org Your client certificate fingerprint is: 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F

This is letting you know that you are now connected via SSL and that your certificate is working. You can also check your certificate fingerprint by using the FINGERPRINT command while connected. For example:

/fingerprint
YourNick SSL certificate fingerprint: 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F

To allow NickServ to automatically authenticate you based on this certificate, you need to associate the certificate fingerprint with your account. To do this issue the ADDCERT command to NickServ (try /msg NickServ HELP ADDCERT). Please note you must be authenticated to NickServ for this command to work.

/msg NickServ ADDCERT
12:05 -NickServ- Certificate fingerprint 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F added.

NickServ will message back saying that your CertFP was added. Now the only thing left to do is reconnect to the server to test it out. NOTE: You must connect using a nickname registered to your account in order for NickServ to automatically authenticate you using your certificate fingerprint; however, you may use the login-on-connect method to get around this requirement (discussed below).

/reconnect
12:10 -!- Irssi: Disconnecting from server irc.darenet.org: [Reconnecting]
12:10 -!- Irssi: Connecting to irc.darenet.org [IP ADDRESS] port 6697
12:10 !irc.darenet.org Connected securely via TLSv1-AES256-SHA-256bits
12:10 !irc.darenet.org Your client certificate fingerprint is: 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F
...
-NickServ- You are connected using SSL and have provided a matching client certificate
-NickServ- for account YourAccount. You have been automatically logged in.
-NickServ- Last account login: [TIME] ago at this Host/IP ([HOST]) [0 failed login attempts since last login].
YourAccount.user.darenet is now your hidden host

Congratulations! You now have automatic authentication via SSL and certificate fingerprints!

Using Login-on-Connect with Certificiate Fingerprint

The login-on-connect method allows you to automatically authenticate to NickServ using your certificate fingerprint, but without having to use a nickname that is registered to your account.

To set this up, you use the exact same method as described here. However, you can omit the password portion of the string. For example:

/accountname/

rather than:

/accountname/password

The empty password portion indicates to the server that you would like to use your SSL certificate fingerprint to authenticate.

Benefits

You can now get rid of any NickServ AUTH scripts you have! Since you are authenticated with your certificate fingerprint you don't need them anymore. And, by using SSL your connection to the IRC server is now encrypted. Our servers also use encryption for all server<->server traffic, so if you and those you chat with both use SSL connections, the whole traffic between you and them is encrypted.

NOTE: You can use channel mode +Z to allow only users who are connected using SSL to enter your channel.