Last night, Freenode made the migration from hyperion-ircd to a fork of charybdis-ircd they're calling ircd-seven. There are a few notable changes in the new ircd code that are worth mentioning here that are of benefit to end users and clients. They are the ability to use OpenSSL encryption between client and server and the ability to use SASL authentication for authenticating to Services. Of course, as is standard, I'll document this with Irssi, but the general rules apply to most IRC clients.
Connecting with SSL
Freenode is listening for SSL connections on ports 6697, 7000 and 7070. I don't know what the logic here is for that, but does it matter? A port is a port is a port. So, for Irssi, setting this up is rather simple.
/server add -auto -ssl -network freenode irc.freenode.net 6697
Now, if you want to verify the Freenode server SSL certificate against a certificate authority (CA), then you'll need to download the CA certificate from the authority that signed the server certificate. In this case, its Gandi.net, and their CA certificate file can be found here: http://crt.gandi.net/GandiStandardSSLCA.crt. However, using the file in its native DER format for Irssi wasn't working for me. So, using openssl, I converted the binary DER data file to PEM format, at which the Freenode certificate would properly verify:
cd /usr/share/ca-certificates mkdir gandi.net cd gandi.net wget http://crt.gandi.net/GandiStandardSSLCA.crt openssl x509 -inform der -outform pem < /usr/share/ca-certificates/gandi.net/GandiStandardSSLCA.crt > GandiStandardSSLCA.pem ln -s /usr/share/ca-certificates/gandi.net/GandiStandardSSLCA.pem /etc/ssl/certs/GandiStandardSSLCA.pem
With the Gandi.net CA certificate installed in the standard CA certificates store, I modified my server string in Irssi:
/server add -auto -ssl -ssl_cacert /etc/ssl/certs/GandiStandardSSLCA.pem -network freenode irc.freenode.net 6697
Unfortunately, as much as I would like this to work, it doesn't. I kept ending up with this error:
[freenode] Irssi: Connecting to irc.freenode.net [18.104.22.168] port 7070 Irssi: warning Could not verify SSL servers certificate: Irssi: warning Subject : /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.freenode.net Irssi: warning Issuer : /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA Irssi: warning MD5 Fingerprint : F8:40:2C:D9:D6:46:1F:D0:38:5D:ED:21:69:8B:17:C4
Digging deeper, it appears it's failing with:
2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
After a bit of hacking, and the help with Bazerka in #irssi, we found that my specific version of OpenSSL doesn't like the certificate chain. Because Irssi is using these libraries, it took a bit of mucking about to find enough data points, that you need to be running an extremely recent SVN build of Irssi (there's a bug with some SSL certificate verifications that affect us here), also with OpenSSL version 0.9.8k or later. I am not running either on Debian stable, so am I stuck not being able to verify the certificate Freenode gives me?
Well, not quite. The Gandi certificate is signed by UTN-USEFirst-Hardware, which in turn is signed by AddTrust External Root (if your browser has a CA certificates store, you can visit https://irc.freenode.net:7070, and get the details of the certificate there, or use "openssl s_client" to download it and examine the details). So, if you have the USEFirst and AddTrust CA certificates, then you can verify those instead with older versions of OpenSSL or Irssi, and you'll be golden. So, if you have a CA certificate store, as most GNU/Linux distributions do, you can set the following instead:
/server add -auto -ssl -ssl_verify -ssl_capath /etc/ssl/certs -network freenode irc.freenode.net 6697
This will succeed, and when connected, you'll see usermode "+Z" meaning you're using a secure connection, and you've properly verified the server certificate Freenode is handing out. Notice the difference with "-ssl_capath" here and "-ssl_cacert" from above. This is key to making this work.
Authenticating with SASL
Okay, after setting up SSL with Freenode, the next task for me was using SASL authentication rather than a server password to authenticate to NickServ. It should be noted that using SASL authentication is entirely optional! You don't have to use this method if you don't want. However, using the SASL authentication script I'm going to point to in a second has one nice feature that might be of interest to you: using Blowfish encryption on your password, and sending that to NickServ, should you not be using an SSL connection at all. If you're not interested in using an SSL connection, at least you can encrypt your password on the wire when authenticating using SASL.
Anyway, setting this up means getting Irssi in shape for SASL. By default. Irssi doesn't support SASL authentication out of the box, so we need a Perl script to make it happen. You can find that Perl script here. After downloading the script, put it in your ~/.irssi/scripts directory, and link against it in the autorun directory. Something like this:
cd ~/.irssi/scripts/ wget http://freenode.net/sasl/cap_sasl.pl cd autorun ln -s ../cap_sasl.pl cap_sasl.pl
Now, you just need to load it in Irssi, and setup your username and password for authentication. A word of note here: when setting up SASL authentication, you need to be using your primary nick with NickServ, not any nick that you've linked against, or it will fail. I don't know why this is, but that's the case. So, in my case, my primary nick is "atoponce" and my secondary nick is "eightyeight". I use my secondary nick for all my IRC sessions, but when using the SASL command below, you must use your primary nick. While we're at it, we'll save everything we've done up to this point in the config:
/RUN cap_sasl.pl /sasl set freenode primary-nick password DH-BLOWFISH /sasl save /save
First, if you haven't noticed already, you need some Perl libraries in place before you can run this script, namely Blowfish, DH and BIGNUM. If you're on Debian or Ubuntu, you can install them with:
aptitude install libcrypt-blowfish-perl libcrypt-dh-perl libcrypt-openssl-bignum-perl
Notice, I"m using DH-BLOWFISH in my example. "PLAIN" is also completely valid there for your mechanism. Also, notice I'm using "/sasl save" to save the settings to disk. You'll want this, so should you need to restart Irssi, everything will be in place, and you won't have to go through this procedure again.
If you've followed this tutorial rather closely, when you connect, you should see something like the following at the beginning of the connection:
16:05 [freenode] Irssi: Looking up irc.freenode.net 16:05 [freenode] Irssi: Connecting to irc.freenode.net [22.214.171.124] port 6697 16:05 [freenode] Irssi: Connection to irc.freenode.net established 16:05 [freenode] [niven.freenode.net]: *** Looking up your hostname... 16:05 [freenode] [niven.freenode.net]: *** Checking Ident 16:05 [freenode] [niven.freenode.net]: *** Found your hostname 16:05 [freenode] [niven.freenode.net]: *** No Ident response 16:05 [freenode] Irssi: CLICAP: supported by server: identify-msg multi-prefix sasl 16:05 [freenode] Irssi: CLICAP: requesting: multi-prefix sasl 16:05 [freenode] Irssi: CLICAP: now enabled: multi-prefix sasl 16:05 [freenode] >>> eightyeight!88@oalug/member/pdpc.supporter.monthlybronze.eightyeight atoponce You are now logged in as atoponce. 16:05 [freenode] Irssi: SASL authentication successful 16:05 [freenode] >>> Welcome to the freenode Internet Relay Chat Network eightyeight
You want to see "SASL authentication successful" in the output. If it fails then you will still need to provide your password manually to NickServ. You will likely need to review the steps outline above finding anything you might have missed. Remember, you're authenticating with your primary NickServ nick, not any others linked to it. In the output, you can see I'm authenticating with "atoponce", but using "eightyeight" when I actually connect.
One last work about SASL authentication: you no longer need a server password if you're utilizing this. Before, Freenode supported a server password that you could append to the end of your "/server" string for authentication. Freenode still supports this, although in "username:password" syntax rather than just "password". But, SASL authentication overrides the need for a server password, so you can take that out of your settings. It's not hurting anything if you leave it, but it's not doing anything beneficial either.
With all that out of the way, I want to point out one major change that I welcome. That is the ability to join more than 20 channels simultaneously. Previously, with hyperion-ircd, you had to get Freenode staff to grant you usermode "+u" which gave you the ability to sit in more than 20 channels with one connection. If you're an IRC addict like I am, 20 is pretty freaking limiting. However, ircd-seven now supports the ability to connect to 120 simultaneous channels. You can see this in the MOTD output when you connect (emphasis placed):
16:05 [freenode] >>> CHANTYPES=# EXCEPTS INVEX CHANMODES=eIbq,k,flj,CFLMPQScgimnprstz CHANLIMIT=#:120 PREFIX=(ov)@+ MAXLIST=bqeI:100 MODES=4 NETWORK=freenode KNOCK STATUSMSG=@+ CALLERID=g are supported by this server 16:05 [freenode] >>> SAFELIST ELIST=U CASEMAPPING=rfc1459 CHARSET=ascii NICKLEN=16 CHANNELLEN=50 TOPICLEN=390 ETRACE CPRIVMSG CNOTICE DEAF=D MONITOR=100 are supported by this server 16:05 [freenode] >>> FNC TARGMAX=NAMES:1,LIST:1,KICK:1,WHOIS:1,PRIVMSG:4,NOTICE:4,ACCEPT:,MONITOR: EXTBAN=$,arx WHOX CLIENTVER=3.0 are supported by this server
So, there you have it. SSL connectivity with SASL authentication and the ability to join up to 120 channels simultaneously on the new IRCD at Freenode. I personally welcome all these changes, and it's nice to see that every IRC server I'm currently connected with provides a secure connection. Call me paranoid, but I'm enjoying SSL.