2015-01-28

IRC SSL Client Certs

ChatZilla supports using SSL connections and auto-identifying with SSL client certificates on the OFTC and freenode IRC networks using CAcert WoT User and StartSSL free email-verified certificates. You may have trouble using StartSSL verified user certificates. Tested using ChatZilla 0.9.91.1 in Firefox 35.0.1.


One useful tool when trying to get some help using new software, specifically open source software, is Internet Relay Chat or IRC. Forever ago I used to always ssh to one of our servers and fire up the irssi client, but I've long since taken the shorter path and used ChatZilla from Firefox. Even remembering the /attach or /server command is more than I prefer; I love it when sites give the irc://domain:port link so all I have to do is click. Sure, there's a networks list built in, but it doesn't have all the networks I want and I don't want to modify some file every time I encounter a new network.

Today while going to a channel on the OFTC network I browsed over to www.oftc.net and was about to click my normal link when I noticed this sentence next to the SSL link:

See CertFP for how to configure certificate-based NickServ identification
My nick(name) is registered and I don't really like to go figure out how to automate identifying for every new network I use, so this caught my eye. Using SSL to type a password, sounds great. Using a client certificate so I don't have to type the password, even better. I have a few certificates: my initial, free, email-address-only one from StartSSL and the paid-to-verify one with my name; my soon-to-expire CAcert WoT (that's Web of Trust) User certificate and my extended six-month one. Plus they say I could make a self-signed certificate to use, but I've already got those others loaded in Firefox and the StartSSL verified one is good for a couple of years.

So I started with the one I preferred to use, the verified StartSSL certificate that would be good for a couple of years. The CertFP page makes it sound easy to use, but it didn't work for me. I could connect via SSL, but when I connected it didn't show my client fingerprint like the guide said it would. I didn't know if maybe the documentation was out of date or if something was going wrong. When I connected it prompted for the client certificate and I did specify the verified StartSSL one. Their documentation showed how to get the fingerprint from a self-signed cert using openssl, but I didn't have that handy, so I tried the SHA1 fingerprint from the Firefox Certificate Viewer (Settings > Advanced > Certificates > View Certificates > select the certificate you are interested in > View ... - which turned out to be the right fingerprint). I added the fingerprint with /msg nickserv cert add and reconnected. No dice, but I did run into what may be a still-existing ChatZilla bug when the reconnects mostly failed saying:

closed with status 2152398919
Oh well, at least I'm using SSL now so my simple IRC nick-protecting password isn't sent in the clear. I then went to join the freenode IRC network and they also support SSL with client SSL certificates. Their CertFP page was similar but added this gem:

If you have connected using your SSL certificate, you will also see the fingerprint in your own WHOIS. It is sent with a 276 numeric that looks like:
276 yournick yournick :has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195
So I tell ChatZilla /sslserver chat.freenode.net 6697 and after I identify, I check /whois and there is no 276 line or anything like it saying a fingerprint. I started thinking at this point that maybe the problem is me, or more specifically my certificate. So I reconnected (same issue as above: sometimes it works after a few retries, sometimes I get tired of waiting and I close ChatZilla and try again, which always works) and this time I select my StartSSL free email-validated-only certificate. It works, /whois shows my fingerprint. This is the same fingerprint as the SHA1 fingerprint in Firefox, without colons. I add it to my list of authorized fingerprints and reconnect. I'm auto-identified. Success! I try it again with the CAcert WoT User certificate that expires in six months; it also works, so I add it to the list. One more try with the StartSSL verified person certificate and still no dice with it. Oh well, use the others.

Since it worked so well on freenode, I switch back to OFTC and try there. Same story. StartSSL verified email (free) and CAcert WoT User work just fine and show up in /whois so I add them to my list.
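Two things above are easy to get wrong by hand: turning the colon-separated SHA1 that Firefox shows into the bare hex that nickserv cert add wants, and checking that the fingerprint the server reports in the 276 WHOIS line is actually the certificate you meant to present. The Python below is an added example I wrote for this post, not code from ChatZilla, freenode or OFTC. The PEM it uses is a constructed placeholder whose body decodes to the bytes "abc" (so the SHA1 is a well-known value), not a real certificate; the 276 line format is the one quoted from the freenode CertFP page.

```python
import base64
import hashlib
import re

# Constructed placeholder standing in for a client certificate exported from
# Firefox. A real PEM body is the base64 DER encoding of the certificate; this
# one decodes to b"abc" so the resulting SHA1 is a well-known test vector.
PLACEHOLDER_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_fingerprint(der_bytes):
    """SHA1 over the DER bytes: the digest Firefox's Certificate Viewer displays."""
    return hashlib.sha1(der_bytes).hexdigest()


def firefox_style(fingerprint):
    """Render as A9:99:3E:... the way the Firefox Certificate Viewer shows it."""
    return ":".join(fingerprint[i:i + 2] for i in range(0, len(fingerprint), 2)).upper()


def nickserv_style(displayed):
    """What '/msg nickserv cert add' expects: the same hex without colons."""
    return displayed.replace(":", "").lower()


# Matches the 276 numeric quoted from the freenode CertFP page, with or
# without the ":server " prefix a raw IRC line carries.
NUMERIC_276 = re.compile(
    r"^(?::\S+ )?276 \S+ (\S+) :has client certificate fingerprint ([0-9a-fA-F]{40})$")


def parse_whois_fingerprint(line):
    """Return (nick, fingerprint) from a 276 numeric, or None if the line is not one."""
    m = NUMERIC_276.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def whois_matches_cert(whois_line, pem_text):
    """True only when WHOIS reports the fingerprint of the certificate we intended to present.

    A missing 276 line means the server did not see an accepted client
    certificate at all (what the StartSSL verified cert did in the post).
    """
    parsed = parse_whois_fingerprint(whois_line)
    if parsed is None:
        return False
    _, reported = parsed
    return reported == sha1_fingerprint(pem_to_der(pem_text))


if __name__ == "__main__":
    fp = sha1_fingerprint(pem_to_der(PLACEHOLDER_PEM))
    print("Firefox shows :", firefox_style(fp))
    print("cert add wants:", nickserv_style(firefox_style(fp)))
```

Run it against a certificate actually exported from Firefox (PEM format) and compare the second line with what /whois shows after connecting; if /whois has no 276 line at all, the server never accepted the certificate, which is the symptom described above for the StartSSL verified cert.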
