One useful tool when trying to get some help using new software, specifically open source software, is Internet Relay Chat or IRC. Forever ago I use to always ssh to one of our servers and fire up the irssi client, but I've long since taken the shorter path and used ChatZilla from Firefox. Even remembering the /attach or /server command is more than I prefer, I love it when sites give the irc://domain:port link so all I have to do is click. Sure, there's a networks list built in but it doesn't have all the networks I want and I don't want to modify some file every time I encounter a new network.
Today while going to a a channel on the OFTC network I browsed over to www.oftc.net and was about to click my normal link when I noticed this sentance next to the SSL link:
See CertFP for how to configure certificate-based NickServ identificationMy nick(name) is registered and I don't really like to go figure out how to automate identify for every new network I use so this caught my eye. Using SSL to type a password, sounds great. Using a client certificate so I don't have to type the password, even better. I have a few certificates. My initial free email address only one from StartSSL and the paid-to-verify one with my name, my soon to expire CAcert WoT User (that's web of trust) and my extended six months one. Plus they say I could make a self-signed certificate to use, but I've already got those others loaded in Firefox and the StartSSL verified one is good for a couple of years.
So I started with the one I prefered to use, the verified StartSSL certificate that would be good for a couple of years. The CertFP page makes it sound easy to use, but it didn't work for me. I could connect via SSL but when I connected it didn't show my client fingerprint like the guide said it would. I didn't know if maybe the documentation was out of date or if something was going wrong. When I connected it prompted for the client certificate and I did specify the verified StartSSL one. Their documentation showed how to get the fingerprint from a self-signed cert using openssl, but I didn't have that handy so I tried the SHA1 fingerprint from the Firefox Certificate Viewer (Settings > Advanced > Certificates > View Certificates > Select certificate you are interested in > View ... - which turned out to be the right fingerprint). I added the fingerprint /msg nickserv cert add
closed with status 2152398919Oh well, at least I'm using SSL now so my simple IRC nick protecting password isn't sent in the clear. I then went join the freenode IRC network and they also support SSL with client SSL certificates. Their CertFP page was similar but added this gem:
So I tell ChatZilla /sslserver chat.freenode.net 6697 and after I identify, I check /whoisIf you have connected using your SSL certificate, you will also see the fingerprint in your own WHOIS. It is sent with a 276 numeric that looks like:276 yournick yournick :has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195
Since it worked so well on freenode, I switch back to OFTC and try there. Same story. StartSSL verified email (free) and CAcert WoT User work just fine and show up in /whois so I add them to my list.