Differences

help:connecting:ssl [2009/09/28 10:49]
winsauce
help:connecting:ssl [2020/04/08 12:41] (current)
rubin
Line 2: Line 2:
  
 ===== Introduction ===== ===== Introduction =====
-This is a guide to help you configure your IRC client software to connect to AfterNET using SSL encryption. Our primary focus is on [[help:installing:xchat]], because that is what we use most, but it should help you get going with [[http://www.stunnel.org/|stunnel]], [[http://www.afternet.org/mirc|mirc]] and other software as well.+This is a guide to help you configure your IRC client software to connect to AfterNET using SSL encryption.
  
 ==== Why encryption ==== ==== Why encryption ====
-Our SSL encryption support is intended to protect you from those on __your local network__ intercepting passwords or reading your conversations. Essentially we want you to be able to login to your account(s) over wifi and speak poorly of your boss without fear of snooping. It is __NOT__ end-to-end security and you should never use IRC to discuss company secrets or anything truly of value. Our servers do not encrypt messages between each other! The government, and people with backbone network access to our hosting facilities could still spy on you. +Our SSL encryption support is intended to protect you from those on __your local network__ intercepting passwords or reading your conversations. Essentially we want you to be able to login to your account(s) over wifi and speak poorly of your boss without fear of snooping. It is __NOT__ end-to-end security and you should never use IRC to discuss company secrets or anything truly of value. Various governments and other people with physical access to our hosting facilities could still spy on you.
  
 ==== Enabling encryption ==== ==== Enabling encryption ====
-Our servers have SSL enabled on port 9998. So to begin with, you simply configure your IRC client to connect to the server named **ssl.afternet.org** on port **9998** and select the 'use encryption' checkbox. In addition, you must either follow the steps below, or also check the 'accept invalid certificate' box as well. +Our servers have SSL enabled on ports 6697 and 9998. **We support only TLS1.2** which means some older clients will not be able to use SSL if they can only do SSLv3 or TLS1See our [[:help:installing|Clients page]] to find client that will work for you.
-==== Verifying identity ==== +
-=== Why? === +
-For technical reasons (see [[Wp>Man_in_the_middle|Man in the middle attack]]) it is important that your IRC client be able to verify that the host your connecting to is really truly AfterNET, and not a host pretending to be AfterNET. This is accomplished using signed 'certificates' issued to each server by someone you trust. The certificate allows you to be certain when you connect to AfterNET, that no one is intercepting the messages in the middle. +
- +
-In your web browser, there is a list of respectable certificate authorities who verify the ownership of companies and issue certificates to them for a fee. IRC software doesn't come with trusted authorities. Server certificates are signed by us using our own AfterNET Certificate Authority, which only works if you add it to your computers trusted list in advance. +
- +
-You can choose to not bother with installing our CA on your system, but then you have to configure your IRC software to accept invalid certificates, and though more complicated to do so, your connections could still be monitored. +
- +
-=== Installing The AfterNET CA === +
-== Windows: == +
-The [[http://silverex.org/|'silverex']] build of xchat for windows looks for certificates in the default openssl location which ends up being "C:\usr\local\ssl\cert\", in file named 90511bdb.0. We have created a simple installer to add this automatically for you, simply download and run [[https://www.afternet.org/downloads/afternet_ca_installer.msi|afternet_ca_installer.msi]] +
- +
-NOTE In silverex xchat 2.6.8-1 the ssl cert directory is "C:\some\openssl\dir\ssl\cert\". We have notified them of this bug location, and they will be fixing it with the next release. In the mean time, you will need to make that directory tree and copy the cert to it from C:\usr\local\ssl\cert\.+
  
-If you install X chat on another drive besides C, you need to put the certificate on that drive instead.+Configure your software to connect to the server named **irc.afternet.org** on port **6697** or **9998** and enable encryption.
  
-If you have some more native windows IRC client that uses the built-in windows CA scheme, you could download [[https://www.afternet.org/downloads/afternetca.cer|afternetca.cer]] directly. After saving it to your desktop, right click it, and say "install", accept the default locations when prompted, and click yes to the warning about the risks of trusting our CA.+=== hexchat === 
 +In the "hexchat -> Network List.." menu under AfterNETSet the port to 6697 and select the 'use encryption' checkbox. You should also be able to leave the 'Accept invalid SSL certificates' checkbox **unchecked**
  
-== Linux: == +=== ZNC === 
-Copy the [[https://www.afternet.org/downloads/afternetca.cer|CA certificate]] to **/etc/ssl/certs/90511bdb.0** or wherever your openssl install is configured to store its trusted certificates. (sometimes /usr/local/ssl/certs/ )+In the ZNC bouncer, add a '+' (plus sign) in front of the port number when adding a server to enable SSl on that server. example''/msg *status addserver irc.afternet.org +6697''
  
-NOTE: you **must** rename the file (or symlink it) from afternetca.cer to 90511bdb.0 for it to work. The certificate is looked for by this name because that is its 'fingerprint'.+=== mIRC === 
 +Make sure you have the latest versionOld versions have insecure ssl libraries which have been blocked.
  
-== ChatZilla== +To [[http://www.mirc.com/ssl.html|enable SSL in mirc]] use the -e switch in the ''/server'' command, or put '+' (plu sign) in front of the port number, ie +6697
-The following will allow ChatZilla to use a self signed certificate which it will frequently find invalid.+
  
-Create an Alias using: +==== Certificate Authority ==== 
-<code> /alias certif eval getService("@mozilla.org/embedcomp/window-watcher\;1","nsIWindowWatcher").openWindow(null,"chrome://pippki/content/certManager.xul","mozilla:certmanager", "", null) </code>+Our server certificates are signed by [[https://letsencrypt.org]]
  
-Then run: 
-<code> /certif </code> 
  
-This will open Mozilla's CertManager Module. Select the Servers Tab and add the Server Name.
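Review bot: the new revision tells hexchat users they "should" be able to leave 'Accept invalid SSL certificates' unchecked, but it deletes the whole 'Verifying identity' section that explained why that box matters (the man-in-the-middle paragraph and the note that accepting invalid certificates lets connections "still be monitored"); keep one sentence in 'Enabling encryption' or 'Certificate Authority' saying that ticking that box disables certificate verification, and that if a client rejects the Let's Encrypt-signed certificate the fix is to update the client's trusted CA list (as the old Linux/Windows instructions did for the AfterNET CA), not to accept invalid certificates. Several sentence breaks were also lost in the added lines and should be restored: "TLS1See our [[:help:installing|Clients page]]", "under AfterNETSet the port", "example''/msg *status addserver", "latest versionOld versions"; and "SSl", "plu sign", "find client that will work" and "ie +6697" need the obvious spelling fixes.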