Freenode, SSL and SASL Authentication with Irssi

Last night, Freenode made the migration from hyperion-ircd to a fork of charybdis-ircd they're calling ircd-seven. There are a few notable changes in the new ircd code that are worth mentioning here, because they benefit end users and clients: the ability to use SSL/TLS encryption between client and server, and the ability to use SASL authentication for authenticating to Services. Of course, as is standard, I'll document this with Irssi, but the general rules apply to most IRC clients.

Connecting with SSL
Freenode is listening for SSL connections on ports 6697, 7000 and 7070. I don't know what the logic here is for that, but does it matter? A port is a port is a port. So, for Irssi, setting this up is rather simple.

/server add -auto -ssl -network freenode irc.freenode.net 6697

Boom! Done. Well, done as far as encryption goes: without certificate verification, Irssi accepts whatever certificate the server presents, so an active attacker in the middle could still impersonate Freenode. Verification is what the rest of this section is about.

Now, if you want to verify the Freenode server SSL certificate against a certificate authority (CA), you'll need the CA certificate of the authority that signed the server certificate. In this case it's Gandi.net, and their CA certificate file can be found here: http://crt.gandi.net/GandiStandardSSLCA.crt. However, Irssi wasn't accepting the file in its native DER format, so I used openssl to convert the binary DER file to PEM, which is the format Irssi reads:

cd /usr/share/ca-certificates
mkdir gandi.net
cd gandi.net
wget http://crt.gandi.net/GandiStandardSSLCA.crt
openssl x509 -inform der -outform pem < /usr/share/ca-certificates/gandi.net/GandiStandardSSLCA.crt > GandiStandardSSLCA.pem
ln -s /usr/share/ca-certificates/gandi.net/GandiStandardSSLCA.pem /etc/ssl/certs/GandiStandardSSLCA.pem

With the Gandi.net CA certificate installed in the standard CA certificates store, I modified my server string in Irssi:

/server add -auto -ssl -ssl_cacert /etc/ssl/certs/GandiStandardSSLCA.pem -network freenode irc.freenode.net 6697

Unfortunately, as much as I would like this to work, it doesn't. I kept ending up with this error:

[freenode] Irssi: Connecting to irc.freenode.net [140.211.166.4] port 7070
Irssi: warning Could not verify SSL servers certificate:
Irssi: warning   Subject : /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.freenode.net
Irssi: warning   Issuer  : /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
Irssi: warning   MD5 Fingerprint : F8:40:2C:D9:D6:46:1F:D0:38:5D:ED:21:69:8B:17:C4

Digging deeper, it appears it's failing with:

2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

After a bit of hacking, and with help from Bazerka in #irssi, we found that my specific version of OpenSSL doesn't like the certificate chain. Because Irssi uses these libraries, it took some mucking about to gather enough data points, but it appears you need to be running an extremely recent SVN build of Irssi (there's a bug with some SSL certificate verifications that affects us here), along with OpenSSL version 0.9.8k or later. I'm not running either on Debian stable, so am I stuck, unable to verify the certificate Freenode gives me? The error itself is also telling: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT means OpenSSL reached a certificate whose issuer it could not find anywhere. The Gandi file contains only the "Gandi Standard SSL CA" intermediate, which is not self-signed, so a store that holds nothing but that file gives the chain no root to end at.

Well, not quite. The Gandi certificate is signed by UTN-USERFirst-Hardware, which in turn is signed by AddTrust External Root (if your browser has a CA certificate store, you can visit https://irc.freenode.net:7070 and get the details of the certificate there, or use "openssl s_client" to download it and examine the details). So, if you have the UTN-USERFirst-Hardware and AddTrust CA certificates, OpenSSL can complete the chain at the AddTrust root, and older versions of OpenSSL or Irssi will verify it just fine. Since most GNU/Linux distributions ship a CA certificate store that contains them, you can set the following instead:

/server add -auto -ssl -ssl_verify -ssl_capath /etc/ssl/certs -network freenode irc.freenode.net 6697

This will succeed, and when connected you'll see usermode "+Z", meaning you're on a secure connection and have properly verified the server certificate Freenode hands out. Notice the difference between "-ssl_capath" here and "-ssl_cacert" above: this is key to making it work. With "-ssl_capath", OpenSSL is handed the whole system CA directory (which includes the AddTrust External Root), and the Gandi intermediate arrives from the server during the handshake, so the chain can be completed up to a self-signed root instead of stopping at an intermediate whose issuer is unknown.
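
To see the chain problem concretely, here is an added example that is not from the original post or from Irssi: a shell script that builds a throwaway three-tier chain with openssl (a self-signed "Demo Root CA", a "Demo Intermediate CA" standing in for the Gandi CA, and a leaf for the made-up host demo.example.net) and runs openssl verify three ways. A trust store holding only the intermediate reproduces error 2 (unable to get issuer certificate); a hashed CApath holding the root, with the intermediate supplied separately the way a server does in the handshake, verifies; and a bare leaf with no intermediate gives error 20 (unable to get local issuer certificate). All names, paths and the working directory are invented for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post or Irssi): build a throwaway
# root -> intermediate -> leaf chain and show which trust-store contents make
# openssl's chain building succeed or fail. All names are invented.
set -eu

WORK="${TMPDIR:-/tmp}/chain-demo.$$"

# issue SUBJECT NAME EXT_SECTION [ISSUER]: write NAME.key and NAME.pem.
# Without ISSUER the certificate is self-signed (the root).
issue() {
    subj="$1"; name="$2"; section="$3"; issuer="${4:-}"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "$subj" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
            -extfile ext.cnf -extensions "$section" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 30 -extfile ext.cnf -extensions "$section" \
            -out "$name.pem" 2>/dev/null
    fi
}

build_chain() {
    mkdir -p "$WORK/capath" && cd "$WORK"
    cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
subjectAltName = DNS:demo.example.net
EOF
    issue "/CN=Demo Root CA" root v3_ca
    issue "/CN=Demo Intermediate CA" inter v3_ca root
    issue "/CN=demo.example.net" leaf v3_leaf inter
    # A CApath directory is indexed by subject hash, the way c_rehash lays
    # out /etc/ssl/certs; only the self-signed root goes in.
    ln -sf "$WORK/root.pem" "capath/$(openssl x509 -noout -subject_hash -in root.pem).0"
}

# verdict VERIFY_ARGS...: run openssl verify on the leaf and print one word.
verdict() {
    out=$(cd "$WORK" && openssl verify "$@" leaf.pem 2>&1 || true)
    case "$out" in
        *"unable to get local issuer certificate"*) echo no-intermediate ;; # error 20
        *"unable to get issuer certificate"*)       echo no-root ;;         # error 2
        *"leaf.pem: OK"*)                           echo ok ;;
        *)                                          echo "other: $out" ;;
    esac
}

# The -ssl_cacert attempt from the post: the store holds only the intermediate,
# which is not self-signed, so the chain cannot end anywhere trusted.
intermediate_only() { verdict -CAfile inter.pem; }
# The -ssl_capath fix: the store holds the root, and the intermediate arrives
# untrusted from the peer (-untrusted stands in for the TLS handshake).
root_in_capath() { verdict -CApath capath -untrusted inter.pem; }
# A server that sends only its leaf: nothing links the leaf to the root.
leaf_without_chain() { verdict -CApath capath; }

cleanup() { rm -rf "$WORK"; }

build_chain
echo "store = intermediate only       : $(intermediate_only)"
echo "store = root, intermediate sent : $(root_in_capath)"
echo "store = root, bare leaf         : $(leaf_without_chain)"
echo "demo material left in $WORK; remove it when done"
```

Against a live server the same three outcomes show up as the "error N at D depth lookup" lines from "openssl s_client -connect host:6697 -showcerts -CApath /etc/ssl/certs", which is also the quickest way to see which intermediates the server actually sends.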

Authenticating with SASL
Okay, after setting up SSL with Freenode, the next task for me was using SASL authentication rather than a server password to authenticate to NickServ. It should be noted that SASL authentication is entirely optional! You don't have to use this method if you don't want to. However, the SASL authentication script I'm about to point to has one nice feature that might interest you: with the DH-BLOWFISH mechanism it Blowfish-encrypts your password, under a key agreed with the server through a Diffie-Hellman exchange, before sending it to Services, which matters if you're not using an SSL connection at all. If you're not interested in SSL, at least you can keep your password out of the clear on the wire when authenticating with SASL. Keep in mind that this DH exchange is not authenticated, so it defends against passive sniffing only; someone who can actively intercept the connection can still recover the password. SSL with a verified certificate covers both cases.

Anyway, setting this up means getting Irssi in shape for SASL. By default, Irssi doesn't support SASL authentication out of the box, so we need a Perl script to make it happen; you can find it at http://freenode.net/sasl/cap_sasl.pl. After downloading the script, put it in your ~/.irssi/scripts directory and symlink it into the autorun directory. Something like this:

cd ~/.irssi/scripts/
wget http://freenode.net/sasl/cap_sasl.pl
cd autorun
ln -s ../cap_sasl.pl cap_sasl.pl

Now, you just need to load it in Irssi and set up your username and password for authentication. A word of note here: when setting up SASL authentication, you need to use your primary NickServ nick (the account name), not any nick you've grouped with it, or it will fail. I don't know why this is, but that's the case. So, in my case, my primary nick is "atoponce" and my secondary nick is "eightyeight". I use my secondary nick for all my IRC sessions, but in the SASL command below I must use my primary nick. While we're at it, we'll save everything we've done up to this point in the config:

/RUN cap_sasl.pl
/sasl set freenode primary-nick password DH-BLOWFISH
/sasl save
/save

If you haven't noticed already, you need some Perl modules in place before you can run this script, namely Crypt::Blowfish, Crypt::DH and Crypt::OpenSSL::Bignum. If you're on Debian or Ubuntu, you can install them with:

aptitude install libcrypt-blowfish-perl libcrypt-dh-perl libcrypt-openssl-bignum-perl

Notice I'm using DH-BLOWFISH in my example. "PLAIN" is also completely valid as the mechanism, but PLAIN only base64-encodes the password rather than encrypting it, so use it over an SSL connection only. Also, notice I'm using "/sasl save" to save the settings to disk. You'll want this so that, should you need to restart Irssi, everything will be in place and you won't have to go through this procedure again.

If you've followed this tutorial rather closely, when you connect, you should see something like the following at the beginning of the connection:

16:05 [freenode] Irssi: Looking up irc.freenode.net
16:05 [freenode] Irssi: Connecting to irc.freenode.net [140.211.166.4] port 6697
16:05 [freenode] Irssi: Connection to irc.freenode.net established
16:05 [freenode] [niven.freenode.net]: *** Looking up your hostname...
16:05 [freenode] [niven.freenode.net]: *** Checking Ident
16:05 [freenode] [niven.freenode.net]: *** Found your hostname
16:05 [freenode] [niven.freenode.net]: *** No Ident response
16:05 [freenode] Irssi: CLICAP: supported by server: identify-msg multi-prefix sasl 
16:05 [freenode] Irssi: CLICAP: requesting: multi-prefix sasl
16:05 [freenode] Irssi: CLICAP: now enabled: multi-prefix sasl  
16:05 [freenode] >>> eightyeight!88@oalug/member/pdpc.supporter.monthlybronze.eightyeight atoponce You are now logged in as atoponce.
16:05 [freenode] Irssi: SASL authentication successful
16:05 [freenode] >>> Welcome to the freenode Internet Relay Chat Network eightyeight

You want to see "SASL authentication successful" in the output. If it fails, you will still need to provide your password manually to NickServ, and you should review the steps outlined above to find anything you might have missed. Remember, you're authenticating with your primary NickServ nick, not any others grouped with it. In the output, you can see I'm authenticating as "atoponce" but using "eightyeight" as the nick when I actually connect.
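
The handshake the log above shows, as an added example that is not from the original post or from cap_sasl.pl: a small POSIX shell client-side state machine for CAP negotiation and SASL, run against a constructed server transcript (modelled on the freenode lines above) so it works offline. It uses the PLAIN mechanism rather than DH-BLOWFISH, and puts the account name in both the authzid and authcid slots, which is the "primary nick" requirement from above, while the NICK line carries the session nick. The account, nick, password and server names are made up. It also decodes the payload, to make the point that PLAIN is base64, not encryption, so without SSL it is as exposed as a server password.

```shell
#!/bin/sh
# Added example (not from the original post or cap_sasl.pl): the client side
# of the CAP + SASL PLAIN exchange seen in the Irssi log above, driven against
# a constructed server transcript so it runs offline. Account, nick and
# password are made up.
set -eu

ACCOUNT="atoponce"   # the primary NickServ account (the SASL authcid)
NICK="eightyeight"   # the nick actually used for the session
PASSWORD="hunter2"   # constructed for the demo

# RFC 4616 PLAIN: authzid NUL authcid NUL password, base64-encoded (RFC 4422).
sasl_plain_payload() {
    printf '%s\000%s\000%s' "$1" "$1" "$2" | openssl base64 -A
}

# Anyone on the wire can undo the base64, which is why PLAIN needs TLS.
# Prints 'authzid authcid password' with the NULs shown as spaces.
decode_plain_payload() {
    printf '%s' "$1" | openssl base64 -d -A | tr '\000' ' '
}

# Client state machine: reads server lines on stdin, prints what the client
# sends. Returns 0 once the server confirms (903), 1 if SASL is unavailable
# or rejected, in which case the fallback is a manual NickServ IDENTIFY.
sasl_client() {
    cr=$(printf '\r')
    printf 'CAP LS\n'
    printf 'NICK %s\n' "$NICK"
    printf 'USER %s 0 * :%s\n' "$NICK" "$NICK"
    while IFS= read -r line; do
        line=${line%"$cr"}
        case "$line" in
            *"CAP * LS :"*sasl*)  printf 'CAP REQ :sasl\n' ;;
            *"CAP * LS :"*)       printf 'CAP END\n'; return 1 ;;
            *"CAP * ACK :"*sasl*) printf 'AUTHENTICATE PLAIN\n' ;;
            *"CAP * NAK :"*)      printf 'CAP END\n'; return 1 ;;
            "AUTHENTICATE +")     printf 'AUTHENTICATE %s\n' \
                                      "$(sasl_plain_payload "$ACCOUNT" "$PASSWORD")" ;;
            *" 903 "*)            printf 'CAP END\n'; return 0 ;;
            *" 904 "*|*" 905 "*)  printf 'CAP END\n'; return 1 ;;
        esac
    done
    return 1
}

# Constructed transcripts, modelled on the freenode log above.
SASL_OK=':niven.freenode.net CAP * LS :identify-msg multi-prefix sasl
:niven.freenode.net CAP * ACK :sasl
AUTHENTICATE +
:niven.freenode.net 900 eightyeight eightyeight!88@host.example atoponce :You are now logged in as atoponce.
:niven.freenode.net 903 eightyeight :SASL authentication successful'

NO_SASL=':old.example.net CAP * LS :identify-msg multi-prefix'

run_against() { printf '%s\n' "$1" | sasl_client; }

echo "--- server offers sasl ---"
run_against "$SASL_OK"
echo "--- server without sasl ---"
run_against "$NO_SASL" || echo "(no SASL: identify to NickServ by hand)"
echo "--- what the PLAIN payload hides ---"
decode_plain_payload "$(sasl_plain_payload "$ACCOUNT" "$PASSWORD")"; echo
```

The CAP END after a failure matters: a client that never ends capability negotiation is left waiting for the registration burst, which is the "hangs on connect" symptom you get when a SASL script breaks.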

One last word about SASL authentication: you no longer need a server password if you're using it. Before, Freenode supported a server password that you could append to the end of your "/server" string for authentication. Freenode still supports this, although in "username:password" syntax rather than just "password". But SASL authentication removes the need for a server password, so you can take that out of your settings. It's not hurting anything if you leave it, but it's not doing anything beneficial either.

Miscellaneous
With all that out of the way, I want to point out one major change that I welcome: the ability to join more than 20 channels simultaneously. Previously, with hyperion-ircd, you had to get Freenode staff to grant you usermode "+u", which gave you the ability to sit in more than 20 channels with one connection. If you're an IRC addict like I am, 20 is pretty freaking limiting. However, ircd-seven now lets you sit in 120 channels at once. You can see this in the ISUPPORT (005) lines the server sends when you connect, in the form CHANLIMIT=#:120:

16:05 [freenode] >>> CHANTYPES=# EXCEPTS INVEX CHANMODES=eIbq,k,flj,CFLMPQScgimnprstz CHANLIMIT=#:120 PREFIX=(ov)@+ MAXLIST=bqeI:100 MODES=4 NETWORK=freenode KNOCK STATUSMSG=@+ CALLERID=g are supported by this server
16:05 [freenode] >>> SAFELIST ELIST=U CASEMAPPING=rfc1459 CHARSET=ascii NICKLEN=16 CHANNELLEN=50 TOPICLEN=390 ETRACE CPRIVMSG CNOTICE DEAF=D MONITOR=100 are supported by this server
16:05 [freenode] >>> FNC TARGMAX=NAMES:1,LIST:1,KICK:1,WHOIS:1,PRIVMSG:4,NOTICE:4,ACCEPT:,MONITOR: EXTBAN=$,arx WHOX CLIENTVER=3.0 are supported by this server

Very nice!

So, there you have it. SSL connectivity with SASL authentication and the ability to join up to 120 channels simultaneously on the new IRCD at Freenode. I personally welcome all these changes, and it's nice to see that every IRC server I'm currently connected with provides a secure connection. Call me paranoid, but I'm enjoying SSL.

{ 16 } Comments

  1. bloogle using Galeon 2.0.7 on Debian GNU/Linux 64 bits | January 31, 2010 at 4:43 am | Permalink

    Shame they don't allow auto-identification using client-side SSL certificates, like OFTC does.

  2. Aaron using Firefox 3.5.7 on Mac OS | January 31, 2010 at 11:15 am | Permalink

    @bloogle Yeah, but the SASL auth is every bit as good, if not better if using DH-BLOWFISH

  3. StooJ using Firefox 3.5.7 on Ubuntu 64 bits | February 3, 2010 at 11:20 pm | Permalink

    Think there might be a typo here?
    /server add -auto -ssl -ssl_cacert /etc/ssl/certs/GandiStandardSSLCA.pem -network freenode irc.freenode.net 7000
    This line didn't work for me until I changed the -ssl_cacert argument to be -ssl_cert

  4. Aaron using Google Chrome 5.0.307.1 on GNU/Linux 64 bits | February 4, 2010 at 4:11 am | Permalink

    @StooJ Right. If you read the post, you'll see that Irssi is having a problem verifying the SSL certificate Freenode is giving you with that CA certificate. There is no typo. That line, that you pasted, won't work. If you read further, you'll find that this is the line you should be using:

    /server add -auto -ssl -ssl_verify -ssl_capath /etc/ssl/certs -network freenode irc.freenode.net 7000

    What you have done doesn't make any sense. The "-ssl_cert" option is for Irssi to present a certificate to the server. In this case, you're presenting the Gandi CA certificate to Freenode. This doesn't make sense, because CA certificates are used to verify signed certificates from others, in our case, Freenode.

    So, you don't want to be giving Freenode your CA cert. Rather, you want to take the signed SSL certificate Freenode is giving YOU and verify that it's valid with the CA certificate from Gandi. As mentioned in the post, Irssi can't do this right now. However, because the certificate Freenode presents is signed by a CA authority chain, you can verify the first signature on the certificate with a different CA cert than the Gandi one. This is why "-ssl_capath" is used.

    Long story short, read the post.

  5. Michael Witten using Shiretoko 3.5.7 on GNU/Linux | February 7, 2010 at 6:42 pm | Permalink

    Rather than using the deprecated:

    /RUN cap_sasl.pl

    I suggest the more modern:

    /script load cap_sasl.pl

    Also, I've created a Crypt/DH AUR package for Arch Linux.

  6. Aaron using Google Chrome 5.0.307.5 on GNU/Linux 64 bits | February 8, 2010 at 4:38 am | Permalink

    @Michael Witten /RUN isn't deprecated. It's an alias for /script load.

  7. Bryan using Firefox 3.5.7 on OpenBSD | February 14, 2010 at 2:07 pm | Permalink

    Thanks for the quick guide, very helpful.

  8. Ivan Tsvetanov using Firefox 3.6.7 on Fedora | August 27, 2010 at 12:39 pm | Permalink

    On RHEL based systems like CentOS/Fedora the needed packages for the SASL perl script can be installed as:

    yum install perl-Crypt-OpenSSL-Bignum perl-Crypt-Blowfish perl-Crypt-DH

    Useful guide. Thank you!

  9. Michael Cheselka using Firefox 3.6.12 on Fedora 64 bits | November 20, 2010 at 11:19 pm | Permalink

    I was able to get this working on a up-to-date Fedora 13 system:

    as "root":
    yum install perl-Crypt-Blowfish perl-Crypt-DH perl-Crypt-OpenSSL-Bignum
    mkdir /etc/pki/tls/certs/gandi.net
    cd /etc/pki/tls/certs/gandi.net
    wget -c http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt
    openssl x509 -inform der -outform pem < /etc/pki/tls/certs/gandi.net/GandiStandardSSLCA.crt > GandiStandardSSLCA.pem
    ln -s /etc/pki/tls/certs/gandi.net/GandiStandardSSLCA.pem /etc/pki/tls/certs/GandiStandardSSLCA.pem
    chcon -h -u system_u /etc/pki/tls/certs/gandi.net /etc/pki/tls/certs/gandi.net/GandiStandardSSLCA.crt /etc/pki/tls/certs/gandi.net/GandiStandardSSLCA.pem /etc/pki/tls/certs/GandiStandardSSLCA.pem
    cd

    as "user":
    cd ~/.irssi/scripts/
    wget http://freenode.net/sasl/cap_sasl.pl
    cd autorun
    ln -s ../cap_sasl.pl cap_sasl.pl
    cd
    mesg n ; irssi -\!
    /server add -auto -ssl -ssl_verify -network freenode irc.freenode.net 7000
    /RUN cap_sasl.pl
    /sasl set freenode primary-nick password DH-BLOWFISH
    /sasl save
    /save

    I did not need to use -ssl_capath.

  10. Michael Cheselka using Firefox 3.6.12 on Fedora 64 bits | November 20, 2010 at 11:23 pm | Permalink

    Part of the above post needs correcting due to html vs. cli issues:
    openssl x509 -inform der -outform pem > /etc/pki/tls/certs/gandi.net/GandiStandardSSLCA.crt < GandiStandardSSLCA.pem

  11. Michael Cheselka using Firefox 3.6.12 on Fedora 64 bits | November 20, 2010 at 11:24 pm | Permalink

    Aaron, please fix my post.
    openssl x509 -inform der -outform pem < /etc/pki/tls/certs/gandi.net/GandiStandardSSLCA.crt > GandiStandardSSLCA.pem

  12. ml using Google Chrome 12.0.741.0 on GNU/Linux 64 bits | April 19, 2011 at 11:29 am | Permalink

    This worked great. Thanks for this guide.

  13. Panagiotis Atmatzidi using Firefox 9.0.1 on Mac OS | April 12, 2012 at 2:52 pm | Permalink

    Awesome tutorial, thanks for sharing. More than 20 # simultaneously? Seriously???

  14. friend using Firefox 17.0 on Ubuntu 64 bits | January 31, 2013 at 12:55 pm | Permalink

    Excellent documentation, this was exactly what i was looking for ... worked like a charm

  15. Ivan Kovnatsky using Debian IceWeasel 10.0.12 on GNU/Linux 64 bits | June 4, 2013 at 1:36 am | Permalink

    Aaron, thanks for the post.

    Really helpful.

    Ivan.

  16. helloworld using Firefox 21.0 on Ubuntu 64 bits | June 23, 2013 at 8:17 pm | Permalink

    many thanks

{ 3 } Trackbacks

  1. [...] out that, months ago, Freenode had made the switch to a more feature-full IRC daemon. I then found instructions on how to make the most of this exciting discovery. The instructions given for both Debian and [...]

  2. [...] officially supports SSL connections and SASL certificate authentication (more details here ). This site provides instructions on how to enable secure connections to Freenode with Irssi on Debian. Share [...]

