Image of the glider from the Game of Life by John Conway
Skip to content

Freenode, SSL and SASL Authentication with Irssi

Last night, Freenode made the migration from hyperion-ircd to a fork of charybdis-ircd they're calling ircd-seven. There are a few notable changes in the new ircd code that are worth mentioning here that are of benefit to end users and clients. They are the ability to use OpenSSL encryption between client and server and the ability to use SASL authentication for authenticating to Services. Of course, as is standard, I'll document this with Irssi, but the general rules apply to most IRC clients.

Connecting with SSL
Freenode is listening for SSL connections on ports 6697, 7000 and 7070. I don't know what the logic here is for that, but does it matter? A port is a port is a port. So, for Irssi, setting this up is rather simple.

/server add -auto -ssl -network freenode 6697

Boom! Done.

Now, if you want to verify the Freenode server SSL certificate against a certificate authority (CA), then you'll need to download the CA certificate from the authority that signed the server certificate. In this case, its, and their CA certificate file can be found here: However, using the file in its native DER format for Irssi wasn't working for me. So, using openssl, I converted the binary DER data file to PEM format, at which the Freenode certificate would properly verify:

cd /usr/share/ca-certificates
openssl x509 -inform der -outform pem < /usr/share/ca-certificates/ > GandiStandardSSLCA.pem
ln -s /usr/share/ca-certificates/ /etc/ssl/certs/GandiStandardSSLCA.pem

With the CA certificate installed in the standard CA certificates store, I modified my server string in Irssi:

/server add -auto -ssl -ssl_cacert /etc/ssl/certs/GandiStandardSSLCA.pem -network freenode 6697

Unfortunately, as much as I would like this to work, it doesn't. I kept ending up with this error:

[freenode] Irssi: Connecting to [] port 7070
Irssi: warning Could not verify SSL servers certificate:
Irssi: warning   Subject : /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*
Irssi: warning   Issuer  : /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
Irssi: warning   MD5 Fingerprint : F8:40:2C:D9:D6:46:1F:D0:38:5D:ED:21:69:8B:17:C4

Digging deeper, it appears it's failing with:

2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

After a bit of hacking, and the help with Bazerka in #irssi, we found that my specific version of OpenSSL doesn't like the certificate chain. Because Irssi is using these libraries, it took a bit of mucking about to find enough data points, that you need to be running an extremely recent SVN build of Irssi (there's a bug with some SSL certificate verifications that affect us here), also with OpenSSL version 0.9.8k or later. I am not running either on Debian stable, so am I stuck not being able to verify the certificate Freenode gives me?

Well, not quite. The Gandi certificate is signed by UTN-USEFirst-Hardware, which in turn is signed by AddTrust External Root (if your browser has a CA certificates store, you can visit, and get the details of the certificate there, or use "openssl s_client" to download it and examine the details). So, if you have the USEFirst and AddTrust CA certificates, then you can verify those instead with older versions of OpenSSL or Irssi, and you'll be golden. So, if you have a CA certificate store, as most GNU/Linux distributions do, you can set the following instead:

/server add -auto -ssl -ssl_verify -ssl_capath /etc/ssl/certs -network freenode 6697

This will succeed, and when connected, you'll see usermode "+Z" meaning you're using a secure connection, and you've properly verified the server certificate Freenode is handing out. Notice the difference with "-ssl_capath" here and "-ssl_cacert" from above. This is key to making this work.

Authenticating with SASL
Okay, after setting up SSL with Freenode, the next task for me was using SASL authentication rather than a server password to authenticate to NickServ. It should be noted that using SASL authentication is entirely optional! You don't have to use this method if you don't want. However, using the SASL authentication script I'm going to point to in a second has one nice feature that might be of interest to you: using Blowfish encryption on your password, and sending that to NickServ, should you not be using an SSL connection at all. If you're not interested in using an SSL connection, at least you can encrypt your password on the wire when authenticating using SASL.

Anyway, setting this up means getting Irssi in shape for SASL. By default. Irssi doesn't support SASL authentication out of the box, so we need a Perl script to make it happen. You can find that Perl script here. After downloading the script, put it in your ~/.irssi/scripts directory, and link against it in the autorun directory. Something like this:

cd ~/.irssi/scripts/
cd autorun
ln -s ../

Now, you just need to load it in Irssi, and setup your username and password for authentication. A word of note here: when setting up SASL authentication, you need to be using your primary nick with NickServ, not any nick that you've linked against, or it will fail. I don't know why this is, but that's the case. So, in my case, my primary nick is "atoponce" and my secondary nick is "eightyeight". I use my secondary nick for all my IRC sessions, but when using the SASL command below, you must use your primary nick. While we're at it, we'll save everything we've done up to this point in the config:

/sasl set freenode primary-nick password DH-BLOWFISH
/sasl save

First, if you haven't noticed already, you need some Perl libraries in place before you can run this script, namely Blowfish, DH and BIGNUM. If you're on Debian or Ubuntu, you can install them with:

aptitude install libcrypt-blowfish-perl libcrypt-dh-perl libcrypt-openssl-bignum-perl

Notice, I"m using DH-BLOWFISH in my example. "PLAIN" is also completely valid there for your mechanism. Also, notice I'm using "/sasl save" to save the settings to disk. You'll want this, so should you need to restart Irssi, everything will be in place, and you won't have to go through this procedure again.

If you've followed this tutorial rather closely, when you connect, you should see something like the following at the beginning of the connection:

16:05 [freenode] Irssi: Looking up
16:05 [freenode] Irssi: Connecting to [] port 6697
16:05 [freenode] Irssi: Connection to established
16:05 [freenode] []: *** Looking up your hostname...
16:05 [freenode] []: *** Checking Ident
16:05 [freenode] []: *** Found your hostname
16:05 [freenode] []: *** No Ident response
16:05 [freenode] Irssi: CLICAP: supported by server: identify-msg multi-prefix sasl 
16:05 [freenode] Irssi: CLICAP: requesting: multi-prefix sasl
16:05 [freenode] Irssi: CLICAP: now enabled: multi-prefix sasl  
16:05 [freenode] >>> eightyeight!88@oalug/member/pdpc.supporter.monthlybronze.eightyeight atoponce You are now logged in as atoponce.
16:05 [freenode] Irssi: SASL authentication successful
16:05 [freenode] >>> Welcome to the freenode Internet Relay Chat Network eightyeight

You want to see "SASL authentication successful" in the output. If it fails then you will still need to provide your password manually to NickServ. You will likely need to review the steps outline above finding anything you might have missed. Remember, you're authenticating with your primary NickServ nick, not any others linked to it. In the output, you can see I'm authenticating with "atoponce", but using "eightyeight" when I actually connect.

One last work about SASL authentication: you no longer need a server password if you're utilizing this. Before, Freenode supported a server password that you could append to the end of your "/server" string for authentication. Freenode still supports this, although in "username:password" syntax rather than just "password". But, SASL authentication overrides the need for a server password, so you can take that out of your settings. It's not hurting anything if you leave it, but it's not doing anything beneficial either.

With all that out of the way, I want to point out one major change that I welcome. That is the ability to join more than 20 channels simultaneously. Previously, with hyperion-ircd, you had to get Freenode staff to grant you usermode "+u" which gave you the ability to sit in more than 20 channels with one connection. If you're an IRC addict like I am, 20 is pretty freaking limiting. However, ircd-seven now supports the ability to connect to 120 simultaneous channels. You can see this in the MOTD output when you connect (emphasis placed):

16:05 [freenode] >>> CHANTYPES=# EXCEPTS INVEX CHANMODES=eIbq,k,flj,CFLMPQScgimnprstz CHANLIMIT=#:120 PREFIX=(ov)@+ MAXLIST=bqeI:100 MODES=4 NETWORK=freenode KNOCK STATUSMSG=@+ CALLERID=g are supported by this server
16:05 [freenode] >>> SAFELIST ELIST=U CASEMAPPING=rfc1459 CHARSET=ascii NICKLEN=16 CHANNELLEN=50 TOPICLEN=390 ETRACE CPRIVMSG CNOTICE DEAF=D MONITOR=100 are supported by this server
16:05 [freenode] >>> FNC TARGMAX=NAMES:1,LIST:1,KICK:1,WHOIS:1,PRIVMSG:4,NOTICE:4,ACCEPT:,MONITOR: EXTBAN=$,arx WHOX CLIENTVER=3.0 are supported by this server

Very nice!

So, there you have it. SSL connectivity with SASL authentication and the ability to join up to 120 channels simultaneously on the new IRCD at Freenode. I personally welcome all these changes, and it's nice to see that every IRC server I'm currently connected with provides a secure connection. Call me paranoid, but I'm enjoying SSL.

{ 19 } Comments