N CertFP Auth

This page describes how to use SSL with a client certificate fingerprint to automatically authenticate to your account while connecting to DareNET.

Getting Started
First, you will need an IRC client that supports SSL with a client certificate. You can check out our Using SSL guide for a list of such clients. You will also need to generate a self-signed certificate if you do not already have one (covered below). For the purpose of this document, we will be using OpenSSL, which should be available on most Linux and BSD distributions. There are ports for other platforms, including Windows.

Generate the Key and Certificate
We need to generate our certificate and key. We will be using the openssl command with the req option.

% openssl req -nodes -newkey rsa:2048 -keyout yournick.key -x509 -days 365 -out yournick.cer
Generating a 2048 bit RSA private key
writing new private key to 'yournick.key'
-
Country Name (2 letter code) [US]:YOURCOUNTRYCODE
State or Province Name (full name) [Texas]:YOURSTATE
Locality Name (eg, city) [San Antonio]:YOURCITY
Organization Name (eg, company) [Stealth3]:YOURTEXTHERE
Organizational Unit Name (eg, section) [ISP]:IRC
Common Name (eg, YOUR name) []:YOUR NAME
Email Address []:YOURMAIL@ADDRESS

For the purpose of connecting to DareNET, it does not matter what you fill out for the fields above, so you may do so however you wish. Once completed, you should have two files: the key in yournick.key and the certificate in yournick.cer. Because of the -nodes option the private key is stored unencrypted, and anyone who obtains it can authenticate to your account, so file permissions are its only protection. Let's protect your key now by using the chmod command.

% chmod 400 yournick.key

For the curious, let's take a closer look at your certificate. Specifically, we are interested in the certificate fingerprint (CertFP). DareNET reports the SHA-256 fingerprint, so ask openssl for that digest explicitly (without -sha256 the x509 command prints the SHA-1 fingerprint, which will not match what the server shows). The server also prints the digest as a bare run of hex digits, without the colons openssl inserts. NOTE: this is not a required step; there are other ways to get the fingerprint.

% openssl x509 -noout -fingerprint -sha256 -text < yournick.cer

Now, we'll combine the certificate and key into a single file, yournick.pem. Remember to also protect this file, since it now includes your private key!

% cat yournick.cer yournick.key > yournick.pem
% chmod 400 yournick.pem
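The whole key-generation procedure above as one script. This is an added example, not a script from the DareNET page: it creates the key and certificate non-interactively (the subject fields are filled from the nick, since the page says their content does not matter), applies the permissions, builds the combined .pem, and prints the SHA-256 fingerprint in the bare-hex form the server reports. The nick argument, the CN/OU values and the 365-day lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not DareNET's own tooling: generate a CertFP key/cert pair
# and print the fingerprint the way the server reports it.
set -eu

# Build <nick>.key, <nick>.cer and the combined <nick>.pem.
# The subject fields are irrelevant to DareNET, so they are filled in
# non-interactively from the nick (assumption: CN=<nick>, OU=IRC).
gen_cert() {
    nick="$1"
    # -nodes leaves the private key unencrypted on disk: file permissions
    # are its only protection, so lock them down immediately.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$nick/OU=IRC" \
        -keyout "$nick.key" -out "$nick.cer" 2>/dev/null
    chmod 400 "$nick.key"
    cat "$nick.cer" "$nick.key" > "$nick.pem"
    chmod 400 "$nick.pem"
}

# openssl prints "SHA256 Fingerprint=83:AF:...", the server prints the same
# digest as 64 bare uppercase hex digits. Convert the former to the latter.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's/://g' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of a certificate file, in server form. The digest
# must be requested explicitly: "openssl x509 -fingerprint" defaults to SHA-1.
certfp() {
    normalize_fp "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# Usage: sh certfp.sh yournick   -> writes the three files, prints the CertFP
if [ -n "${1:-}" ]; then
    gen_cert "$1"
    certfp "$1.cer"
fi
```

Compare the printed value with the one the server announces on connect; if they differ you are most likely looking at a SHA-1 fingerprint or at a different certificate file than the client is presenting.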

Connecting to DareNET with your Certificate
We'll provide instructions for the most common clients used on DareNET. If the client you use is not listed here, feel free to edit this page with a step-by-step howto about it.

mIRC (version 6.14 and later)
If you haven't already configured mIRC to use SSL, please take a look at our Using SSL guide. For the purpose of this document, we'll assume you already have the necessary OpenSSL DLL files and have set up mIRC to use them. Now, to set up mIRC to use your certificate:


 * 1) Go to Main Options Menu -> Connect -> Options
 * 2) Click on the SSL button (if it isn't there, something is wrong with your OpenSSL installation. See Using SSL).
 * 3) Click on the empty box below 'Private Key File', navigate to where you placed your yournick.pem file and select it.
 * 4) Do the same for 'Certificate Chain File' (the combined yournick.pem contains both the key and the certificate, so the same file is used for both).

Now, make sure to connect to DareNET using SSL. To do so, use '/server irc.darenet.org +6697' - note the plus sign before the port number. This is what lets mIRC know you'd like to connect over SSL. To save this server with the SSL settings, you can simply add the plus sign before the port number in mIRC's server manager.

To continue, please scroll down to Adding your Certificate Fingerprint to N.

irssi
Move the certificate and key files you created somewhere safe. For example:

% mkdir ~/.irssi/certs
% mv yournick.{key,cer,pem} ~/.irssi/certs

Now, remove the current server and re-add it with the SSL flag, using your newly generated certificate.

NOTE: We use ports 6697 and 9999 for SSL.

/server remove irc.darenet.org
/network add DareNET
/server add -auto -ssl -ssl_cert ~/.irssi/certs/yournick.pem -network DareNET irc.darenet.org

Next we need to disconnect and connect back to the server.

NOTE: A /reconnect does not read the new settings we added.

/disconnect DareNET
/connect DareNET

To continue, please scroll down to Adding your Certificate Fingerprint to N.

KvIRC

 * 1) Go to Settings -> Configure KvIRC
 * 2) On the tab 'SSL' check 'Use ssl certificate' and 'Use SSL private key' and point both to the yournick.pem file you created.
 * 3) Change your connection settings and enable the SSL option. Make sure you are using port 6697 or 9999.

To continue, please scroll down to Adding your Certificate Fingerprint to N.

XChat 2.8
Note: You need to be using X-Chat 2.8.x; this will NOT work with previous versions!

First, you will need to copy the yournick.pem file to your ~/.xchat2 directory. The filename MUST be the network name followed by .pem. So, in our case this should be DareNET.pem. On Windows, the directory is usually something like.

% cp yournick.pem ~/.xchat2/DareNET.pem

Now, start up XChat. We need to tell it to connect via SSL to DareNET.


 * 1) Go to XChat menu and select Network list.
 * 2) Find DareNET in the list of networks and select edit.
 * 3) Make sure your port is set to +6697 or +9999
 * 4) Check mark 'Use SSL for all the servers on this network' and 'Accept invalid SSL certificate'. Be aware that the second option disables XChat's verification of the server's certificate; your traffic is still encrypted, but the client will no longer notice if it is connected to an impostor presenting a different certificate.
 * 5) Click 'Close' and then click 'Connect'.

To continue, please scroll down to Adding your Certificate Fingerprint to N.

Adding your Certificate Fingerprint to N
If you did everything right, you should now be using SSL to connect to DareNET. When connecting, you should see lines similar to the following in your status/server window. This will most likely be above the MOTD, so you may have to scroll up a bit to actually see it.

12:00 !irc.darenet.org Connected securely via TLSv1-AES256-SHA-256bits
12:00 !irc.darenet.org Your client certificate fingerprint is: 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F

This is letting you know that you are now connected via SSL and that your certificate is being presented to the server. You can also check your certificate fingerprint by using the /fingerprint command while connected. For example:

/fingerprint YourNick
SSL certificate fingerprint: 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F

To allow N to automatically authenticate you based on this certificate, you need to associate the certificate fingerprint with your account. To do this, issue the ADDCERT command to N (try /msg N HELP ADDCERT). Note that you must already be authenticated to N for this command to work: it is your existing login that ties the certificate to the account.

/msg N ADDCERT
12:05 -N- Certificate fingerprint 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F added.

N will message back saying that your CertFP was added. Now the only thing left to do is reconnect to the server to test it out. NOTE: You must connect using a nickname registered to your account in order for N to automatically authenticate you using your certificate fingerprint; however, you may use the login-on-connect method to get around this requirement (discussed below).

/reconnect
12:10 -!- Irssi: Disconnecting from server irc.darenet.org: [Reconnecting]
12:10 -!- Irssi: Connecting to irc.darenet.org [IP ADDRESS] port 6697
12:10 !irc.darenet.org Connected securely via TLSv1-AES256-SHA-256bits
12:10 !irc.darenet.org Your client certificate fingerprint is: 83AF6BB77B58A402CD2525D079C23FE81B8A531B643760C60B0B1F321709CC1F
...
-N- You are connected using SSL and have provided a matching client certificate
-N- for account YourAccount. You have been automatically logged in.
-N- Last account login: [TIME] ago at this Host/IP ([HOST]) [0 failed login attempts since last login].
YourAccount.user.darenet is now your hidden host

Congratulations! You now have automatic authentication via SSL and certificate fingerprints!

Using Login-on-Connect with Certificate Fingerprint
The login-on-connect method allows you to automatically authenticate to N using your certificate fingerprint, but without having to use a nickname that is registered to your account.

To set this up, you use the same login-on-connect method as for password logins (the account string supplied as your server password when connecting), except that you omit the password portion of the string. For example:

accountname

rather than:

accountname:password

The empty password portion indicates to the server that you would like to use your SSL certificate fingerprint to authenticate.
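A command-line check for the two sections above, added here as an example (it is not part of the DareNET page): it opens a TLS session with openssl s_client presenting the combined .pem, registers a throwaway nick, extracts the fingerprint from the server's "Your client certificate fingerprint is:" notice, and compares it with the value you expect. This lets you confirm the server sees your certificate before you configure an IRC client. The host and port are the ones the page gives; the raw IRC registration commands and the optional PASS line for login-on-connect (account name with the password part left empty, as the section above describes) are assumptions.

```shell
#!/bin/sh
# Added example, not from the DareNET page: verify from the shell that the
# server receives your client certificate, optionally with login-on-connect.
set -eu

SERVER="${SERVER:-irc.darenet.org}"   # host and port as given on the page
PORT="${PORT:-6697}"

# Pull the 64-hex-digit fingerprint out of the server notice, whatever
# prefix precedes it. Constructed sample of the raw line s_client shows:
#   :irc.darenet.org NOTICE * :Your client certificate fingerprint is: 83AF...
server_fp() {
    sed -n 's/.*[Cc]lient certificate fingerprint is: *\([0-9A-Fa-f]\{64\}\).*/\1/p' | head -n 1
}

# Open a TLS session presenting the combined PEM, register a throwaway nick,
# wait for the pre-MOTD notices, then leave. If an account name is given it
# is sent as the server password (assumed PASS <account>, empty password
# part) so the login-on-connect path is exercised as well.
probe() {
    pem="$1"; account="${2:-}"
    {
        if [ -n "$account" ]; then printf 'PASS %s\r\n' "$account"; fi
        printf 'NICK certfpprobe\r\nUSER certfp 0 * :CertFP probe\r\n'
        sleep 5
        printf 'QUIT :done\r\n'
    } | openssl s_client -quiet -connect "$SERVER:$PORT" \
            -cert "$pem" -key "$pem" 2>/dev/null
}

# Returns 0 when the fingerprint the server reports equals the expected one
# (the value printed by "openssl x509 -fingerprint -sha256", colons removed).
check_certfp() {
    expected="$1"; pem="$2"; account="${3:-}"
    got=$(probe "$pem" "$account" | server_fp)
    if [ -n "$got" ] && [ "$got" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Usage: sh certfp-check.sh <expected-fp> yournick.pem [accountname]
if [ "$#" -ge 2 ]; then
    if check_certfp "$1" "$2" "${3:-}"; then
        echo "server sees the expected certificate"
    else
        echo "fingerprint missing or different: check which .pem is presented" >&2
        exit 1
    fi
fi
```

If the notice never appears, the client side of the handshake is the usual culprit: the .pem did not contain both the certificate and the key, or the connection was made to a non-SSL port.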

Benefits
You can now get rid of any N AUTH scripts you have! Since you are authenticated with your certificate fingerprint you don't need them anymore. Keep in mind that the private key has taken the place of your password: treat yournick.key and yournick.pem with the same care, because anyone holding them can log in to your account. And, by using SSL your connection to the IRC server is now encrypted. Our servers also use encryption for all server<->server traffic, so if you and those you chat with both use SSL connections, the whole path between you and them is encrypted.

NOTE: You can use channel mode +Z to allow only users who are connected using SSL to enter your channel.

  Adapted from the OFTC network's CertFP guide