==Introduction==
This page describes how to connect to the network over SSL and identify yourself to services securely via a certificate fingerprint (CertFP).

A major advantage of using a CertFP to authenticate is that you don't have to use <code>/msg NickServ IDENTIFY</code> anymore.

By using SSL you are also encrypting the connection between you and the server.

==Creating the certificate==

===OpenSSL===

We will be using OpenSSL to create the certificate. If you haven't already, please install OpenSSL using these instructions:

====Windows====

Download [http://slproweb.com/download/Win32OpenSSL_Light-1_0_1c.exe OpenSSL v1.0.1c], which was current at the time, along with the [http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF Visual C++ 2008 Redistributables]. I'm using Windows 7, so please note that you should select "The Windows system directory" when the installer asks where to copy the DLL files, or it may not work.

====Linux====

Most distributions come with OpenSSL. If yours doesn't, please go to http://www.openssl.org/ and install it.

===Generating a .pem===

To generate the required .pem file, you will need to create a key and a certificate first:

====Linux====

<code>openssl req -nodes -newkey rsa:2048 -keyout Xertion.key -x509 -days 365 -out Xertion.cer</code>

====Windows====

* Go to Start
* Type <code>cmd</code> in the search bar
* Open Command Prompt
* Type in <code>cd C:\OpenSSL-Win32\bin</code> and hit return.
* Type <code>openssl</code> and hit return.
* You should now see something along the lines of <code>OpenSSL></code>
* Type in the following: <code>req -nodes -newkey rsa:2048 -keyout Xertion.key -x509 -days 365 -out Xertion.cer</code>

If you receive the following error:

<pre>WARNING: can't open config file: /usr/local/ssl/openssl.cnf</pre>

You'll need to close OpenSSL, type in the following, and then restart OpenSSL:

<pre>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg</pre>

After entering the command(s), you will be asked the following questions; fill them in like so (the value in brackets is the default, the text after the colon is what you type):

<pre>
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Texas]:New York
Locality Name (eg, city) [San Antonio]:Manhattan
Organization Name (eg, company) [Stealth3]: Xertion
Organizational Unit Name (eg, section) [ISP]: IRC
Common Name (eg, YOUR name) []:Kaishiro
Email Address []:noreply@xertion.org
</pre>

This will create two files (Xertion.cer and Xertion.key), which you will need to combine into a single .pem file:

====Linux====

<code>cat Xertion.cer Xertion.key > Xertion.pem</code>

====Windows====

<code>type Xertion.cer Xertion.key > Xertion.pem</code>

==Configuring your client==

The steps in this section vary considerably from client to client.

===KVIrc===

Move the Xertion.pem file to a safe place.

* Go to "Settings -> Configure KVIrc"
* Go to "Connection -> advanced"
* On the "SSL" tab, check "Use ssl certificate" and "Use SSL private key" and point both to the Xertion.pem file you created.
* Change your connection settings and enable the SSL option.

===mIRC===

Move the Xertion.pem file to a safe place. Make sure you can connect using SSL; if not, see http://www.mirc.com/ssl.html.

* Go to "Main Options Menu -> Connect -> Options"
* Click on the SSL button; if there isn't one, SSL was not installed properly.
* Click on the empty box below "Private Key File", navigate to where you placed your Xertion.pem and select it.
* Do the same for "Certificate Chain File".

===XChat===

XChat uses the .pem file whose name matches the name of the network in the "Network List". If irc.xertion.org is listed under the network name "Xertion", all you have to do is move the Xertion.pem file to <code>~/.xchat2/Xertion.pem</code> (Linux) or <code>C:\Users\xxx\AppData\Roaming\X-Chat 2</code> (Windows). If the network is not named "Xertion", you will have to either rename the .pem file or rename the network that irc.xertion.org is listed under so that they match. Once you are done with that:

* Go to the XChat menu and select "Network List"
* Find Xertion and select "Edit".
* Select the boxes "Use SSL for all the servers on this network" and "Accept invalid SSL certificate".
* Click "Close" and then click "Connect".

Note that "Accept invalid SSL certificate" only controls whether XChat verifies the server's certificate; it has no effect on the client certificate you present for CertFP.

===WeeChat===

Move Xertion.pem to <code>~/.weechat/ssl/Xertion.pem</code>. Create the directory <code>~/.weechat/ssl</code> beforehand if it doesn't exist.

Assuming your network is labeled "Xertion", verify that SSL is properly configured:

<pre>/set irc.server.Xertion.addresses "irc.xertion.org/6697"
/set irc.server.Xertion.ssl on
/set irc.server.Xertion.ssl_dhkey_size 1024
/set irc.server.Xertion.ssl_verify off</pre>

Note that <code>ssl_verify off</code> makes WeeChat skip verification of the server's certificate; it has no effect on the client certificate you present for CertFP.

Run the following command for the certificate:

<pre>/set irc.server.Xertion.ssl_cert "%h/ssl/Xertion.pem"</pre>

If you're using a vhost, you'll most likely also need to set the following options to delay autojoin, so that the vhost can kick in before joining:

<pre>/set irc.server.Xertion.command "/mute"
/set irc.server.Xertion.command_delay 1</pre>

The above can also be set using the interactive iset perl script.

===irssi===

* Move the cert to <code>~/.irssi/certs/Xertion.pem</code>
* Use the command <code>/server add -ssl -ssl_cert ~/.irssi/certs/Xertion.pem -network Xertion irc.xertion.org 6697</code>

If you find that irssi does not auto-join channels on connect which require you to be identified before joining, add <code>-autosendcmd "wait -xertion 2000"</code> to your irssi network settings. This makes irssi wait 2 seconds before any further action, giving services time to identify you.

Command: <code>/network add -autosendcmd "wait -xertion 2000" Xertion</code>

===ZNC===

* Ensure the [http://wiki.znc.in/Cert Cert module] is loaded.
* Log in to your web admin panel, go to the User Modules section and select "Certificate".
* Copy the contents of the .pem file you created into the edit box and apply the changes.
* Reconnect your ZNC to the IRC network.

When you connect to Xertion, you should see something like:

<pre>*** You are connected using SSL cipher "DHE-RSA-AES-256-CBC-SHA1" and your SSL fingerprint is xxxxxxxxxxxxxxxxxxxxxxx
* Welcome to the Xertion IRC Network Kaishiro</pre>

If you see that, everything is configured correctly.
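As an added check (example code written for this page, not part of the original tutorial or of any IRC client), the fingerprint in the connect notice above is a hash of the DER-encoded certificate inside the combined Xertion.pem created earlier, so you can compute it locally and compare it with what the server reports. The page does not state which hash the network uses, so the script prints both SHA-1 and SHA-256; the PEM content below is constructed, not a real certificate or key.

```python
import base64
import hashlib
import re
import sys

# Constructed stand-ins for the DER bytes OpenSSL would write to Xertion.cer
# and Xertion.key; a real certificate starts with an ASN.1 SEQUENCE (0x30)
# but these bodies are fake and only exercise the PEM handling.
CERT_DER = b"\x30\x82\x01\x0a" + b"constructed certificate body, not a real cert"
KEY_DER = b"\x30\x82\x04\xa3" + b"constructed private key body, not a real key"

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_block(label, der):
    """Wrap DER bytes in PEM armour, 64 base64 characters per line like OpenSSL."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Same layout as "cat Xertion.cer Xertion.key > Xertion.pem": certificate, then key.
SAMPLE_PEM = pem_block("CERTIFICATE", CERT_DER) + pem_block("PRIVATE KEY", KEY_DER)

def der_fingerprint(der, algo="sha1", colons=False):
    """Hex digest of the raw DER; lowercase, optionally as colon-separated pairs."""
    digest = hashlib.new(algo, der).hexdigest()
    if colons:
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return digest

def pem_fingerprint(pem_text, algo="sha1", colons=False):
    """Fingerprint of the first CERTIFICATE block; any PRIVATE KEY block is ignored."""
    certs = [m.group(2) for m in _PEM_RE.finditer(pem_text) if m.group(1) == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found; was Xertion.cer included in the .pem?")
    der = base64.b64decode("".join(certs[0].split()))
    return der_fingerprint(der, algo, colons)

def pem_has_private_key(pem_text):
    """True if the file also carries the key (RSA PRIVATE KEY or PKCS#8 PRIVATE KEY)."""
    return any(m.group(1).endswith("PRIVATE KEY") for m in _PEM_RE.finditer(pem_text))

if __name__ == "__main__":
    # Usage: python certfp_check.py Xertion.pem  (no argument: use the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    if not pem_has_private_key(text):
        print("warning: no private key in this file; clients will fail to load it")
    for algo in ("sha1", "sha256"):
        print("%-6s %s" % (algo, pem_fingerprint(text, algo)))
```

Run it against your real Xertion.pem and compare the output with the fingerprint in the connect notice; a mismatch means the client is presenting a different certificate than the one you combined.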

==Add the certificate fingerprint to NickServ==

First, identify yourself through services with <code>/msg NickServ IDENTIFY <em>password</em></code>.

Next, copy and paste this line: <code>/msg NickServ CERTFP ADD</code>

Disable whatever automatic NickServ authentication you had configured before reading this tutorial, then reconnect. If it worked, you will be identified by services automatically via the fingerprint.

If you have any questions, feel free to join [irc://irc.xertion.org/help #help] and ask.