Difference between revisions of "NickServ:CertFP"

From Xertion Wiki
m
m (Added HexChat Instructions)
(18 intermediate revisions by 3 users not shown)
Line 7: Line 7:
 
By using SSL you are also encrypting the connection between you and the server.
 
By using SSL you are also encrypting the connection between you and the server.
  
 +
==Prerequisites==
 +
We will be using OpenSSL to create the certificate. Windows IRC clients will typically include OpenSSL support already, and so usually no additional installation is needed for SSL support on Windows.
 +
===Linux===
 +
Most Linux distributions already come with the OpenSSL binary and libraries either installed by default or available to be installed from a package management system (e.g apt-get, yum, etc). If neither of these is true for you, you will need to go to the official [http://www.openssl.org/ OpenSSL] website, download the sources, and compile it yourself.
  
 +
===Windows===
 +
OpenSSL support on Windows is typically included with more recent versions of such clients like mIRC and HexChat. You no longer need to download and install OpenSSL for Windows so long as you are using either mIRC version 7.36 or better, or HexChat for Windows.
  
 
==Creating the certificate==
 
==Creating the certificate==
 +
Once you have verified you have OpenSSL support on your platform, you will need to create a key and certificate.
  
 
+
===Linux===
===OpenSSL===
+
For Linux platforms, the following command should be sufficient:
We will be using OpenSSL to create the certificate. If you haven't already, please install OpenSSL using these instructions:
 
 
 
====Linux====
 
Most distributions come with OpenSSL. If they don't, please go to http://www.openssl.org/ and install.
 
 
 
====Windows====
 
Download [http://slproweb.com/download/Win32OpenSSL_Light-1_0_1c.exe OpenSSL v1.0.1c], which was current at the time. Along with [http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF Visual C++ 2008 Redistributables]. I'm using Windows 7 so please note that you should select "The Windows system directory" when it asks you where to copy the dll files to, or it may not work.
 
 
 
===Generating a .pem===
 
To generate the required .pem file, you will need to create a key and a certificate first:
 
 
 
====Linux====
 
 
<code>openssl req -nodes -newkey rsa:2048 -keyout Xertion.key -x509 -days 365 -out Xertion.cer</code>
 
<code>openssl req -nodes -newkey rsa:2048 -keyout Xertion.key -x509 -days 365 -out Xertion.cer</code>
  
====Windows====
+
===Windows===
* Go to Start
+
For Windows systems:
* Type <code>cmd</code> in the search bar
+
* First, go to [http://slproweb.com/products/Win32OpenSSL.html http://slproweb.com/products/Win32OpenSSL.html] and download the latest OpenSSL '''Light''' installer. Install to the default location, keeping the default options.
* Open Command Prompt
+
* Click the Start button.
* Type in <code>cd C:\OpenSSL-Win32\bin</code> and hit return.
+
* Type <code>cmd</code> in the search bar, and click on Command Prompt.
* Type <code>openssl</code> and hit return.
+
* Type in <code>cd C:\OpenSSL-Win32\bin</code> and press Enter.
* You should now see something along the lines of <code>OpenSSL></code>
+
* Type <code>openssl</code> and press Enter. You should now see an OpenSSL prompt.
* Type in the following <code>req -nodes -newkey rsa:2048 -keyout Xertion.key -x509 -days 365 -out Xertion.cer</code>
+
* At the prompt, type: <code>req -nodes -newkey rsa:2048 -keyout Xertion.key -x509 -days 365 -out Xertion.cer</code> and press Enter.
  
 +
Alternatively, you can navigate directly to the Command Prompt if it does not show up when you search for it in the Start Menu - go to Start -> All Programs -> Accessories -> Command Prompt
  
If you receive the following error:
+
NOTE: If you get the error  
<pre>WARNING: can’t open config file: /usr/local/ssl/openssl.cnf</pre>
+
<pre>WARNING: can’t open config file: /usr/local/ssl/openssl.cnf</pre>  
 +
You will need to exit OpenSSL and run the following command in Command Prompt: <code>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg</code>. Do '''NOT''' close the Command Prompt afterwards. After you have executed the command, try generating the key and certificate again.
  
You'll need to close OpenSSL and type in the following and restart OpenSSL:
 
<pre>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg</pre>
 
  
 
+
During certificate generation, you will be asked the following series of questions. Fill these in accordingly - enter your two-letter country code for the country you live in, the state/region/province name you live in + your city. Enter anything you like for organization name and organizational unit name. Use your main IRC nickname for the Common Name field. For Email Address, it does NOT have to be real but SHOULD be in proper email address format of user@domain.tld
After entering the command(s), you will be asked these questions, fill them in like so.
 
  
 
<pre>
 
<pre>
Country Name (2 letter code) [US]:US
+
Country Name (2 letter code) [US]:
State or Province Name (full name) [Texas]:New York
+
State or Province Name (full name) [Texas]:
Locality Name (eg, city) [San Antonio]:Manhattan
+
Locality Name (eg, city) [San Antonio]:
 
Organization Name (eg, company) [Stealth3]: Xertion
 
Organization Name (eg, company) [Stealth3]: Xertion
 
Organizational Unit Name (eg, section) [ISP]: IRC
 
Organizational Unit Name (eg, section) [ISP]: IRC
Common Name (eg, YOUR name) []:Kaishiro
+
Common Name (eg, YOUR name) []:
Email Address []:noreply@xertion.org
+
Email Address []:
 
</pre>
 
</pre>
  
 +
Once this information has been entered, two files will then be created - the key and associated certificate - which will need to be combined together.
  
This will create two files, which you will need to combine together.
+
For Linux, run <code>cat Xertion.cer Xertion.key > Xertion.pem</code>. For Windows, run <code>type Xertion.cer Xertion.key > Xertion.pem</code>
 
 
====Linux====
 
<code>cat Xertion.cer Xertion.key > Xertion.pem</code>
 
 
 
====Windows====
 
<code>type Xertion.cer Xertion.key > Xertion.pem</code>
 
 
 
 
 
  
 +
Congratulations, you now have an SSL certificate!
  
 
==Configuring your client==
 
==Configuring your client==
 
+
Now that you have your SSL certificate, you will need to configure your client to use it. This step will vary greatly from client to client - some well-known clients are covered below. If your client is not included here, check its documentation to see if it supports client SSL certificates and how to set it up to use one.
This section varies highly from client to client.
 
  
 
===KVIrc===
 
===KVIrc===
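Review bot: the new Prerequisites paragraph (mIRC 7.36 or better and HexChat ship OpenSSL, so "You no longer need to download and install OpenSSL for Windows") contradicts the first step of the new Windows list, which still sends the reader to slproweb.com for the OpenSSL Light installer. The copy bundled with the client gives it an SSL connection but no command-line openssl to type the req command into, so say explicitly that the installer is still needed for generating the key and certificate; otherwise readers will skip it and never get the OpenSSL prompt the next steps expect. Two smaller points in this hunk: the OPENSSL_CONF paragraph says to exit OpenSSL, run set OPENSSL_CONF=... in Command Prompt and then try again, which only works if the reader restarts openssl from the same window, so keep the "restart OpenSSL" wording of the old text alongside "Do NOT close the Command Prompt"; and since -days 365 is kept, mention that a renewed certificate has a new fingerprint and has to be added to NickServ again.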
Line 76: Line 63:
 
Move the Xertion.pem file to a safe place.
 
Move the Xertion.pem file to a safe place.
 
* Go to "Settings -> Configure KVIrc"
 
* Go to "Settings -> Configure KVIrc"
* Go to "Connection -> advanced"
+
* Go to "Connection -> Advanced"
* On the Tab "SSL" check "Use ssl certificate" and "Use SSL private key' and point both to the Xertion.pem file you created.
+
* On the Tab "SSL" check "Use SSL certificate" and "Use SSL private key' and point both to the Xertion.pem file you created.
 
* Change your connection settings and enable the SSL option.
 
* Change your connection settings and enable the SSL option.
  
 
===mIRC===
 
===mIRC===
  
Move the Xertion.pem file to a safe place. Make sure you can connect using ssl. If not, then go here http://www.mirc.com/ssl.html
+
Move the Xertion.pem file to a safe place.
 
* Go to "Main Options Menu -> Connect -> Options"
 
* Go to "Main Options Menu -> Connect -> Options"
* Click on the SSL button, if there isn't one, then you didn't install ssl properly.
+
* Click on the SSL button. (NOTE: If there is no SSL button, then OpenSSL is not installed correctly and you will need to reinstall it properly before continuing)
 
* Click on the empty box below "Private Key File", navigate to where you placed your Xertion.pem and select it.
 
* Click on the empty box below "Private Key File", navigate to where you placed your Xertion.pem and select it.
* Do the same for "Certificate Chain File"
+
* Do the same for "Certificate Chain File".
 +
* Click OK, then click OK again.
  
 
===XChat===
 
===XChat===
  
XChat uses the pem file that corresponds with the name of the network under "Network list". If irc.xertion.org is named under Xertion, then all you have to do is move the Xertion.pem file to <code>~/.xchat2/Xertion.pem</code> or <code>C:\Users\xxx\AppData\Roaming\X-Chat 2</code>. If it's not named "Xertion", then you will have to either rename the .pem file, or rename the network that irc.xertion.org is listen under so they match each other. Once you are done with that:
+
XChat uses the pem file that corresponds with the name of the network under "Network list". If irc.xertion.org is named under Xertion, then all you have to do is move the Xertion.pem file to <code>~/.xchat2/Xertion.pem</code> or <code>C:\Users\xxx\AppData\Roaming\X-Chat 2</code>. If it's not named "Xertion", then you will have to either rename the .pem file, or rename the network that irc.xertion.org is listed under so they match each other. Once you are done with that:
 
* Go to Xchat menu and select "Network List"
 
* Go to Xchat menu and select "Network List"
 
* Find Xertion and select "edit".
 
* Find Xertion and select "edit".
 
* Select the boxes "Use SSL for all the servers on this network" and "Accept invalid SSL certificate".
 
* Select the boxes "Use SSL for all the servers on this network" and "Accept invalid SSL certificate".
 
* Click "Close" and then click "Connect".
 
* Click "Close" and then click "Connect".
 +
 +
===HexChat===
 +
 +
HexChat uses the pem file that corresponds with the name of the network under "Network list". If irc.xertion.org is named under Xertion, then all you have to do is move the Xertion.pem file to <code>~/.config/hexchat/certs/Xertion.pem</code> or <code>C:\Users\xxx\AppData\Roaming\hexchat\certs</code>. If it's not named "Xertion.pem", then you will have to either rename the .pem file, or rename the network that irc.xertion.org is listed under, so they match each other. Once you are done with that:
 +
* Go to HexChat menu and select "Network List"
 +
* Find Xertion and select "Edit".
 +
* Select the box "Use SSL for all the servers on this network".
 +
* Click "Close" and then click "Connect".
 +
[https://hexchat.readthedocs.org/en/latest/tips.html#client-certificates HexChat Documentation]
 +
 +
Alternatively, if you choose to use the same .pem file for all networks (not recommended!), you can name the .pem file client.pem in the certs directory.
  
 
===WeeChat===
 
===WeeChat===
Move Xertion.pem to ~/.weechat/ssl/Xertion.pem. Create directiory ~/.weechat/ssl beforehand if it doesn't exist
+
Move Xertion.pem to ~/.weechat/ssl/Xertion.pem. Create the directory ~/.weechat/ssl beforehand if it doesn't already exist.
  
Assuming your network is labeled as "Xertion"...
+
The following commands assume your configured IRC network connection is labeled as "Xertion".
  
 
Verify SSL is properly configured:
 
Verify SSL is properly configured:
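Review bot: the XChat list keeps "Accept invalid SSL certificate" as a box to tick, while the new HexChat list for the same Network List dialog ticks only "Use SSL for all the servers on this network". That extra box turns off verification of the server's certificate, which undercuts the "encrypting the connection between you and the server" benefit the introduction promises; either drop it from the XChat steps too or state that it is only for the case where the server certificate fails validation. Minor: the HexChat paragraph says "If it's not named "Xertion.pem"" where the XChat paragraph says "If it's not named "Xertion""; use one form, since it is the network name that has to match the file's base name.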
Line 128: Line 127:
 
===ZNC===
 
===ZNC===
 
* Ensure the [http://wiki.znc.in/Cert Cert module] is loaded.
 
* Ensure the [http://wiki.znc.in/Cert Cert module] is loaded.
* Log in to your web admin panel, and go to the User Modules section and select "Certificate".
+
* Log in to your web admin panel, go to the User Modules section, and select "Certificate".
 
* Copy the contents of the .pem file you created into the edit box and apply the changes.
 
* Copy the contents of the .pem file you created into the edit box and apply the changes.
 
* Reconnect your ZNC to the IRC network.
 
* Reconnect your ZNC to the IRC network.
  
  
When you connect to Xertion, you should see something like:
 
<pre>*** You are connected using SSL cipher "DHE-RSA-AES-256-CBC-SHA1" and your SSL fingerprint is xxxxxxxxxxxxxxxxxxxxxxx
 
* Welcome to the Xertion IRC Network Kaishiro</pre>
 
  
If you see that, that means you have configured everything correctly.
+
Now when you connect to Xertion, you should see something like this appear:
 +
<pre>*** You are connected using SSL cipher "DHE-RSA-AES-256-CBC-SHA1" and your SSL fingerprint is xxxxxxxxxxxxxxxxxxxxxxx</pre>
 +
 
 +
If you see that message, then everything is configured properly and your client SSL certificate has been read in successfully. You are now ready to add this information to NickServ.
  
 
==Add the certificate fingerprint to NickServ==
 
==Add the certificate fingerprint to NickServ==
 +
Once you are connected with your SSL certificate, you will need to add its fingerprint to NickServ to be able to identify with it. Follow these steps:
 +
* Identify yourself to services with your password: <code>/msg NickServ IDENTIFY <em>password</em></code>
 +
* Then, type (or copy/paste) this command: <code>/msg NickServ CERT ADD</code>. This will automatically add your current SSL certificate fingerprint to NickServ.
  
First, identify yourself through services with <code>/msg NickServ IDENTIFY <em>password</em></code>.
+
You're done! You no longer need any NickServ auto-authentication commands; you can safely disable those now. Keep your NickServ password handy just in case, though. Test it by reconnecting to the network. If everything was done correctly you should now be identified by services automatically using your SSL client certificate fingerprint - look for the following notice from NickServ: <pre>-NickServ- SSL certificate fingerprint accepted - you are now recognized.</pre>
 
 
Next, just copy and paste this line <code>/msg NickServ CERTFP ADD</code>
 
  
Disable whatever auto-authentication you had with NickServ before you saw this tutorial and reconnect. If it worked you will be identified by services automatically via the fingerprint.
 
  
 
If you have any questions, feel free to join [irc://irc.xertion.org/help #help] and ask.
 
If you have any questions, feel free to join [irc://irc.xertion.org/help #help] and ask.
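Review bot: this hunk changes the NickServ command from /msg NickServ CERTFP ADD to /msg NickServ CERT ADD, but the edit summary only says "Added HexChat Instructions"; a wrong command name here breaks the whole procedure, so the summary should record the rename and why it was made. Style: the <pre>-NickServ- SSL certificate fingerprint accepted - you are now recognized.</pre> block is glued to the end of the "You're done!" sentence; put it on its own line like the connection notice above it. The "you can safely disable those now" advice also comes before the reconnect test; swap the order so the reader disables password auto-identification only after seeing the "fingerprint accepted" notice (the text already says to keep the password handy).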

Revision as of 01:13, 3 August 2018

Introduction

This page describes how to connect, and identify yourself to services securely via a certificate fingerprint.

A major advantage of using a CertFP to authenticate is that you don't have to use /msg NickServ IDENTIFY anymore.

By using SSL you are also encrypting the connection between you and the server.

Prerequisites

We will be using OpenSSL to create the certificate. Windows IRC clients will typically include OpenSSL support already, and so usually no additional installation is needed for SSL support on Windows.

Linux

Most Linux distributions already come with the OpenSSL binary and libraries either installed by default or available to be installed from a package management system (e.g. apt-get, yum, etc.). If neither of these is true for you, you will need to go to the official OpenSSL website, download the sources, and compile it yourself.

Windows

OpenSSL support on Windows is typically included with more recent versions of clients such as mIRC and HexChat. You no longer need to download and install OpenSSL for Windows so long as you are using either mIRC version 7.36 or better, or HexChat for Windows.

Creating the certificate

Once you have verified you have OpenSSL support on your platform, you will need to create a key and certificate.

Linux

For Linux platforms, the following command should be sufficient: openssl req -nodes -newkey rsa:2048 -keyout Xertion.key -x509 -days 365 -out Xertion.cer

Windows

For Windows systems:

  • First, go to http://slproweb.com/products/Win32OpenSSL.html and download the latest OpenSSL Light installer. Install to the default location, keeping the default options.
  • Click the Start button.
  • Type cmd in the search bar, and click on Command Prompt.
  • Type in cd C:\OpenSSL-Win32\bin and press Enter.
  • Type openssl and press Enter. You should now see an OpenSSL prompt.
  • At the prompt, type: req -nodes -newkey rsa:2048 -keyout Xertion.key -x509 -days 365 -out Xertion.cer and press Enter.

Alternatively, if Command Prompt does not show up when you search for it in the Start Menu, you can navigate to it directly: go to Start -> All Programs -> Accessories -> Command Prompt.

NOTE: If you get the error

WARNING: can’t open config file: /usr/local/ssl/openssl.cnf

You will need to exit OpenSSL and run the following command in Command Prompt: set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg. Do NOT close the Command Prompt afterwards. After you have executed the command, try generating the key and certificate again.


During certificate generation, you will be asked the following series of questions. Fill these in accordingly: enter the two-letter code for the country you live in, then your state/region/province and your city. Enter anything you like for Organization Name and Organizational Unit Name. Use your main IRC nickname for the Common Name field. The Email Address does NOT have to be real, but it SHOULD be in proper email address format (user@domain.tld).

Country Name (2 letter code) [US]:
State or Province Name (full name) [Texas]:
Locality Name (eg, city) [San Antonio]:
Organization Name (eg, company) [Stealth3]: Xertion
Organizational Unit Name (eg, section) [ISP]: IRC
Common Name (eg, YOUR name) []:
Email Address []:

Once this information has been entered, two files will then be created - the key and associated certificate - which will need to be combined together.

For Linux, run cat Xertion.cer Xertion.key > Xertion.pem. For Windows, run type Xertion.cer Xertion.key > Xertion.pem.
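The Linux side of the steps above, as an added example that is not part of the wiki page: it runs the page's openssl command non-interactively (-batch and -subj stand in for the interactive prompts, with the Common Name taken from a NICK variable you set to your nickname), concatenates the two files into Xertion.pem exactly as above, and adds the checks you want before handing the file to a client: that the .pem really contains both the certificate and the private key, that the key is not readable by other users (-nodes writes it unencrypted), the fingerprint NickServ will store, and whether the certificate is still valid (the -days 365 certificate expires after a year, and a renewed certificate has a new fingerprint). WORKDIR, NICK and the example.invalid email address are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Xertion wiki): generate and combine the key and
# certificate the way the page describes, then verify the result.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory; for real use point it at your client's cert directory
NICK="${NICK:-YourNick}"             # placeholder: your main IRC nickname, used as the Common Name

make_cert() {
    # Same parameters as the wiki command; -batch and -subj replace the interactive prompts.
    openssl req -nodes -newkey rsa:2048 -keyout "$WORKDIR/Xertion.key" \
        -x509 -days 365 -out "$WORKDIR/Xertion.cer" -batch \
        -subj "/C=US/ST=Texas/L=San Antonio/O=Xertion/OU=IRC/CN=$NICK/emailAddress=noreply@example.invalid" \
        >/dev/null 2>&1
    # Combine exactly as the wiki does: cat Xertion.cer Xertion.key > Xertion.pem
    cat "$WORKDIR/Xertion.cer" "$WORKDIR/Xertion.key" > "$WORKDIR/Xertion.pem"
    # -nodes leaves the private key unencrypted, so restrict both files to the owner.
    chmod 600 "$WORKDIR/Xertion.key" "$WORKDIR/Xertion.pem"
}

pem_is_complete() {
    # Both halves must parse: the certificate block and the private-key block.
    openssl x509 -in "$WORKDIR/Xertion.pem" -noout >/dev/null 2>&1 &&
    openssl pkey -in "$WORKDIR/Xertion.pem" -noout >/dev/null 2>&1
}

fingerprint() {
    # $1 = digest (sha1 or sha256). Prints lowercase hex without colons, which is
    # the form you compare against what the server and NickServ show you.
    openssl x509 -in "$WORKDIR/Xertion.pem" -noout -fingerprint -"$1" \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

not_expiring_within() {
    # $1 = seconds. Exit status 0 while the certificate stays valid for that long;
    # when it fails, generate a new certificate and expect a new fingerprint.
    openssl x509 -in "$WORKDIR/Xertion.pem" -noout -checkend "$1" >/dev/null
}

# Usage: NICK=yournick sh thisscript.sh
make_cert
pem_is_complete && echo "Xertion.pem contains certificate and key"
echo "SHA-1 fingerprint:   $(fingerprint sha1)"
echo "SHA-256 fingerprint: $(fingerprint sha256)"
not_expiring_within 86400 && echo "certificate valid for at least one more day"
echo "files are in $WORKDIR"
```

The two digests are printed because services packages differ in which one they display; keep whichever matches the notice you see on connect.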

Congratulations, you now have an SSL certificate!

Configuring your client

Now that you have your SSL certificate, you will need to configure your client to use it. This step will vary greatly from client to client - some well-known clients are covered below. If your client is not included here, check its documentation to see if it supports client SSL certificates and how to set it up to use one.

KVIrc

Move the Xertion.pem file to a safe place.

  • Go to "Settings -> Configure KVIrc"
  • Go to "Connection -> Advanced"
  • On the Tab "SSL" check "Use SSL certificate" and "Use SSL private key" and point both to the Xertion.pem file you created.
  • Change your connection settings and enable the SSL option.

mIRC

Move the Xertion.pem file to a safe place.

  • Go to "Main Options Menu -> Connect -> Options"
  • Click on the SSL button. (NOTE: If there is no SSL button, then OpenSSL is not installed correctly and you will need to reinstall it properly before continuing)
  • Click on the empty box below "Private Key File", navigate to where you placed your Xertion.pem and select it.
  • Do the same for "Certificate Chain File".
  • Click OK, then click OK again.

XChat

XChat uses the pem file that corresponds with the name of the network under "Network list". If irc.xertion.org is named under Xertion, then all you have to do is move the Xertion.pem file to ~/.xchat2/Xertion.pem or C:\Users\xxx\AppData\Roaming\X-Chat 2. If it's not named "Xertion", then you will have to either rename the .pem file, or rename the network that irc.xertion.org is listed under so they match each other. Once you are done with that:

  • Go to Xchat menu and select "Network List"
  • Find Xertion and select "edit".
  • Select the boxes "Use SSL for all the servers on this network" and "Accept invalid SSL certificate".
  • Click "Close" and then click "Connect".

HexChat

HexChat uses the pem file that corresponds with the name of the network under "Network list". If irc.xertion.org is named under Xertion, then all you have to do is move the Xertion.pem file to ~/.config/hexchat/certs/Xertion.pem or C:\Users\xxx\AppData\Roaming\hexchat\certs. If it's not named "Xertion.pem", then you will have to either rename the .pem file, or rename the network that irc.xertion.org is listed under, so they match each other. Once you are done with that:

  • Go to HexChat menu and select "Network List"
  • Find Xertion and select "Edit".
  • Select the box "Use SSL for all the servers on this network".
  • Click "Close" and then click "Connect".

HexChat Documentation

Alternatively, if you choose to use the same .pem file for all networks (not recommended!), you can name the .pem file client.pem in the certs directory.

WeeChat

Move Xertion.pem to ~/.weechat/ssl/Xertion.pem. Create the directory ~/.weechat/ssl beforehand if it doesn't already exist.

The following commands assume your configured IRC network connection is labeled as "Xertion".

Verify SSL is properly configured:

/set irc.server.Xertion.addresses "irc.xertion.org/6697"
/set irc.server.Xertion.ssl on
/set irc.server.Xertion.ssl_dhkey_size 1024
/set irc.server.Xertion.ssl_verify off

Run the following commands for the certificate:

/set irc.server.Xertion.ssl_cert "%h/ssl/Xertion.pem"

If you're using a vhost, you'll most likely also need to set the following options to delay autojoin, so that the vhost can kick in before joining:

/set irc.server.Xertion.command "/mute"
/set irc.server.Xertion.command_delay 1

The above can also be set using the interactive iset Perl script.

irssi

  • Move the cert to ~/.irssi/certs/Xertion.pem
  • Use the command /server add -ssl -ssl_cert ~/.irssi/certs/Xertion.pem -network Xertion irc.xertion.org 6697

If you find that irssi does not auto-join channels on connect that require you to be identified before joining, add -autosendcmd "wait -xertion 2000" to your irssi network settings. This makes irssi wait 2 seconds before any further action, giving services time to identify you.

Command: /network add -autosendcmd "wait -xertion 2000" Xertion

ZNC

  • Ensure the Cert module is loaded.
  • Log in to your web admin panel, go to the User Modules section, and select "Certificate".
  • Copy the contents of the .pem file you created into the edit box and apply the changes.
  • Reconnect your ZNC to the IRC network.


Now when you connect to Xertion, you should see something like this appear:

*** You are connected using SSL cipher "DHE-RSA-AES-256-CBC-SHA1" and your SSL fingerprint is xxxxxxxxxxxxxxxxxxxxxxx

If you see that message, then everything is configured properly and your client SSL certificate has been read in successfully. You are now ready to add this information to NickServ.
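An added check, not from the wiki: compare the fingerprint in that notice with the fingerprint of the Xertion.pem you generated, so you know the server saw the certificate you intended before you run CERT ADD. The notice format is the one quoted above; irc.xertion.org port 6697 is the address the WeeChat section uses. Trying SHA-1 and then SHA-256, and the live_check helper built on openssl s_client, are assumptions of this example; live_check needs network access and is only for manual use.

```shell
#!/bin/sh
# Added example (not from the Xertion wiki): does the fingerprint the server
# announced match the certificate in my Xertion.pem?
set -eu

# Extract the hex fingerprint from a "*** You are connected using SSL cipher ..." line.
# The wiki's xxxx placeholder is not hex, so it yields an empty string.
notice_fingerprint() {   # $1 = notice line
    printf '%s\n' "$1" \
        | sed -n 's/.*your SSL fingerprint is \([0-9A-Fa-f:]*\).*/\1/p' \
        | tr -d ':' | tr 'A-F' 'a-f'
}

# Local fingerprint of the certificate in a .pem, normalised the same way
# (lowercase, no colons) so the two strings compare directly.
pem_fingerprint() {   # $1 = pem file, $2 = digest (sha1 or sha256)
    openssl x509 -in "$1" -noout -fingerprint -"$2" \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Exit status 0 when the notice's fingerprint equals the pem's under either digest.
fingerprint_matches() {   # $1 = pem file, $2 = notice line
    seen=$(notice_fingerprint "$2")
    [ -n "$seen" ] || return 1
    for d in sha1 sha256; do
        [ "$(pem_fingerprint "$1" "$d")" = "$seen" ] && return 0
    done
    return 1
}

# Manual check against the live server (needs network; not run by the tests):
# present the pem as the client certificate, register, and print the notice line.
live_check() {   # $1 = pem file, $2 = nick (placeholder)
    { printf 'NICK %s\r\nUSER %s 0 * :%s\r\n' "$2" "$2" "$2"; sleep 5; printf 'QUIT\r\n'; } \
        | openssl s_client -connect irc.xertion.org:6697 -cert "$1" -key "$1" -quiet 2>/dev/null \
        | grep 'SSL fingerprint' || true
}

# Usage: sh thisscript.sh Xertion.pem '*** You are connected using SSL cipher "..." and your SSL fingerprint is ...'
if [ "$#" -eq 2 ]; then
    if fingerprint_matches "$1" "$2"; then
        echo "match: the server saw the certificate in $1"
    else
        echo "MISMATCH: the server reported a different certificate than $1"
        exit 1
    fi
fi
```

A mismatch usually means the client loaded a different file than the one you think (for XChat and HexChat, a .pem whose name does not match the network name), so fix that before adding anything to NickServ.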

Add the certificate fingerprint to NickServ

Once you are connected with your SSL certificate, you will need to add its fingerprint to NickServ to be able to identify with it. Follow these steps:

  • Identify yourself to services with your password: /msg NickServ IDENTIFY password
  • Then, type (or copy/paste) this command: /msg NickServ CERT ADD. This will automatically add your current SSL certificate fingerprint to NickServ.

You're done! You no longer need any NickServ auto-authentication commands; you can safely disable those now. Keep your NickServ password handy just in case, though. Test it by reconnecting to the network. If everything was done correctly you should now be identified by services automatically using your SSL client certificate fingerprint - look for the following notice from NickServ:

-NickServ- SSL certificate fingerprint accepted - you are now recognized.


If you have any questions, feel free to join #help and ask.