[EN] hexchat: SSL and passwordless identify for OFTC

[musca]

Hello,
the siduction-irc application provides you with siduction support very easily.
You can register your nick and identify with OFTC services to be recognized as a part of the irc community.

Now you want to enjoy the community even more comfortible? By using your "CertFP" HexChat can authenticate you without the password hassle! The configuration is done in two steps. See detailed Instructions at OFTC for the client certificate creation.

1) In Hexchat open the network list and edit the OFTC network entry (see first pic).
    Enable SSL. OFTC uses a a server certificate signed by SPI. (see second pic, first circle)

2) Following the instructions from CertFP create a client certificate
    and name it exactly after the network name in the HexChat network list (the name is "OFTC" in this example).
    Copy the resulting OFTC.pem to ~/.config/hexchat/certs/.

Code: [Select]

cat nick.cer nick.key > OFTC.pem
chmod 400 OFTC.pem
mkdir -p ~/.config/hexchat/certs/ && cp OFTC.pem ~/.config/hexchat/certs/
Now add the fingerprint to your registered and identified nick:
"/msg nickserv cert add »40hexdigitsfingerprint«"
You can add more fingerprints, and list them with  "/msg nickserv cert list".

You can select the Login method: "SASL EXTERNAL (cert)" (see second pic, second circle).

Some exerpts from the connection log:

* * Cipher info:
*   Version: TLSv1/SSLv3, cipher AES256-GCM-SHA384 (256 bits)                   [Use SSL ...]
* * Verify E: self signed certificate in certificate chain.? (19) -- Ignored    [Accept invalid ...]
* Connected. Now logging in.
...
* *** Connected securely via UNKNOWN AES256-GCM-SHA384-256
* *** Your client certificate fingerprint is 1A2B3C4D..{40 hex digits total}..3C4D5E6F
* Welcome to the OFTC Internet Relay Chat Network sidkid
...
         * sidkid sets mode +i on sidkid
-NickServ- This nickname is registered and protected.  If it is your nickname, you may
-NickServ- authenticate yourself to services with the IDENTIFY command.  You are
-NickServ- getting this message because you are not on the access list for the
-NickServ- sidkid nickname.
         * Activating Cloak: 00021939.user.oftc.net
         * sidkid sets mode +R on sidkid
-NickServ- You are connected using SSL and have provided a matching client certificate
-NickServ- for nickname sidkid.  You have been automatically identified.

Congratulations! Now you are always just one mouse click away from the community support!

greetings
musca

[dibl]

Thanks for this great writeup, musca!


I got a little tangled in the nickserv registration process, so for the other slow-witted folks like me:


When you first successfully log in via OFTC and see something like this:

Code: [Select]

11:09 !dibl.oftc.net *** Your client certificate fingerprint is: C77106576ABF7F9F90CCA0F63874A60F2E40A64B

then you have to get registerd.  In the chat line enter


"/msg nickserv register <yourpassword> <youremailaddress>"


with no quote marks and replace the <> items with your password and e-mail address.  Then you can issue the


"/msg nickserv cert add" command (with no quote marks) and it will finish the job for you.

[musca]

Hello,

I'm happy to report that my stuff got integrated in the oftc docs:

[10:15:34] <Myon> musca: thanks for http://www.oftc.net/NickServ/CertFP/#hexchat !
[10:22:56] <musca> Myon: thanks for integrating :)

Regards
musca