Differences

help:connecting:ssl [2015/05/04 22:01]
rubin
help:connecting:ssl [2020/04/08 12:41] (current)
rubin
Line 2: Line 2:
  
 ===== Introduction ===== ===== Introduction =====
-This is a guide to help you configure your IRC client software to connect to AfterNET using SSL encryption. Our primary focus is on [[help:installing:xchat]], because that is what we use most, but it should help you get going with [[http://www.stunnel.org/|stunnel]], [[http://www.afternet.org/mirc|mirc]] and other software as well.+This is a guide to help you configure your IRC client software to connect to AfterNET using SSL encryption.
  
 ==== Why encryption ==== ==== Why encryption ====
-Our SSL encryption support is intended to protect you from those on __your local network__ intercepting passwords or reading your conversations. Essentially we want you to be able to login to your account(s) over wifi and speak poorly of your boss without fear of snooping. It is __NOT__ end-to-end security and you should never use IRC to discuss company secrets or anything truly of value. The government, and people with physical access to our hosting facilities could still spy on you. +Our SSL encryption support is intended to protect you from those on __your local network__ intercepting passwords or reading your conversations. Essentially we want you to be able to login to your account(s) over wifi and speak poorly of your boss without fear of snooping. It is __NOT__ end-to-end security and you should never use IRC to discuss company secrets or anything truly of value. Various governments and other people with physical access to our hosting facilities could still spy on you.
  
 ==== Enabling encryption ==== ==== Enabling encryption ====
-Our servers have SSL enabled on ports 6697 and 9998. So to begin with, you simply configure your IRC client to connect to the server named **irc.afternet.org** on port **6697** or **9998** and select the 'use encryption' checkbox. In addition, you must either follow the steps below, or also check the 'accept invalid certificate' box as well. +Our servers have SSL enabled on ports 6697 and 9998. **We support only TLS1.2** which means some older clients will not be able to use SSL if they can only do SSLv3 or TLS1See our [[:help:installing|Clients page]] to find client that will work for you.
-==== Verifying identity ==== +
-=== Why? === +
-For technical reasons (see [[Wp>Man_in_the_middle|Man in the middle attack]]) it is important that your IRC client be able to verify that the host your connecting to is really truly AfterNET, and not a host pretending to be AfterNET. This is accomplished using signed 'certificates' issued to each server by someone you trust. The certificate allows you to be certain when you connect to AfterNET, that no one is intercepting the messages in the middle. +
- +
-In your web browser, there is a list of respectable certificate authorities who verify the ownership of companies and issue certificates to them for a fee. IRC software doesn't come with trusted authorities. Server certificates are signed by us using our own AfterNET Certificate Authority, which only works if you add it to your computers trusted list in advance. +
- +
-You can choose to not bother with installing our CA on your system, but then you have to configure your IRC software to accept invalid certificates, and though more complicated to do so, your connections could still be monitored. +
- +
-=== Installing The AfterNET CA === +
- +
-== Windows - Silverex build of x-chat == +
-The [[http://silverex.org/|'silverex']] build of hexchat for windows looks for certificates in the default openssl location which ends up being "C:\usr\local\ssl\cert\", in a file named 90511bdb.0. We have created a simple installer to add this automatically for you, simply download and run [[https://www.afternet.org/downloads/afternet_ca_installer.msi|afternet_ca_installer.msi]] +
- +
-NOTE In silverex hexchat 2.6.8-1 the ssl cert directory is "C:\some\openssl\dir\ssl\cert\". We have notified them of this bug location, and they will be fixing it with the next release. In the mean time, you will need to make that directory tree and copy the cert to it from C:\usr\local\ssl\cert\. +
- +
-If you install X chat on another drive besides C, you need to put the certificate on that drive instead. +
- +
-== Windows - WDK build of x-chat == +
-<del>In hexchat, there is a cert.pem file in HEXChat's program files folder. Open it with an editor, and append the afternet.cer file to the end of it (combine them together)</del> +
- +
-Put the cert in the hexchat application data directory (usually C:\users\username\appdata\roaming\X-Chat2 or in explorer you can use %APPDATA% magic). Name it %APPDATA%\hexchat\AfterNET.pem. (thanks to Viktor for letting us know the correct way to do this) +
- +
-== Windows - mIRC: == +
- +
-mIRC has no native SSL support - the mIRC help file for SSL refers you to OpenSSL which are the libraries it needs.  +
- +
-To connect to networks using mIRC and SSL first you need to [[http://www.openssl.org/|download OpenSSL]] and install it. +
- +
-You can install it to either the default mIRC (C:\Program Files\mIRC\) or System32 (C:\Windows\System32\)folders.  +
- +
-Next time you restart mIRC it should detect the presence of SSL libraries, and in the Options > Connect/Options screen the SSL button should be un-greyed to detect that it is enabled. +
- +
-All you then need to do is to change the port number - Afternet SSL is on ports 6697 and 9998, and preceding the port number with + sign indicates to mIRC that it is to utilise the OpenSSL libraries.  +
- +
-For your connection settings to work then your network list entry should look like this: +
- +
-{{https://www.afternet.org/_media/help/connecting/mirc-ssl.png}} +
- +
-You will need to accept the Afternet SSL certificate when you connect, as it is self-signed. +
- +
-More information about SSL and mIRC can be found on [[http://www.mirc.com/ssl.html|the mIRC website]].+
  
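Review bot: the removal of the whole 'Verifying identity' block (from '==== Verifying identity ====' down to 'More information about SSL and mIRC can be found on the mIRC website') throws away the only sentences that explain why the client must check the server certificate, and the new 'Enabling encryption' text no longer mentions certificates at all. Dropping the AfterNET CA installation steps is right once the certificates come from a public CA, but one line of rationale should survive in their place: without verification, the local-network snooper named in 'Why encryption' can answer with a certificate of their own and read the passwords and conversations the page promises to protect, so 'accept invalid certificate' must never be enabled, rather than being offered as an alternative as the old line did. In the same new line, 'TLS1See our' has lost its sentence break and should read 'TLS 1.0. See our', 'TLS1.2' should be 'TLS 1.2', and 'We support only TLS1.2' reads as excluding newer versions as well as older ones; write 'TLS 1.2 or later' if that is what the servers actually negotiate.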
-== Windows - Other == +Configure your software to connect to the server named **irc.afternet.org** on port **6697** or **9998** and enable encryption.
-If you have some more native windows IRC client that uses the built-in windows CA scheme, you could download [[https://www.afternet.org/downloads/afternetca.cer|afternetca.cer]] directly. After saving it to your desktop, right click it, and say "install", accept the default locations when prompted, and click yes to the warning about the risks of trusting our CA.+
  
-== Linux - X-chat == +=== hexchat === 
-Copy the [[https://www.afternet.org/downloads/afternetca.cer|CA certificate]] to **/etc/ssl/certs/90511bdb.0** or wherever your openssl install is configured to store its trusted certificates. (sometimes /usr/local/ssl/certs/ )+In the "hexchat -> Network List.." menu under AfterNET, Set the port to 6697 and select the 'use encryption' checkboxYou should also be able to leave the 'Accept invalid SSL certificates' checkbox **unchecked**
  
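Review bot: 'You should also be able to leave the 'Accept invalid SSL certificates' checkbox unchecked' is a hedge where an instruction is needed; the 'Certificate Authority' section says the certificates are signed by Let's Encrypt, so say plainly that the box stays unchecked and that a certificate error on connect is something to report (or a sign of interception), not a reason to tick it, because ticking it switches off the verification that makes the encryption worth anything. Also 'checkboxYou should' has lost its sentence break.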
-NOTE: you **must** rename the file (or symlink itfrom afternetca.cer to 90511bdb.0 for it to work. The certificate is looked for by this name because that is its 'fingerprint'.+=== ZNC === 
 +In the ZNC bouncer, add a '+' (plus signin front of the port number when adding a server to enable SSl on that server. example: ''/msg *status addserver irc.afternet.org +6697''
  
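Review bot: the ZNC example '/msg *status addserver irc.afternet.org +6697' only encrypts the link from the bouncer to AfterNET; the user's own client-to-ZNC connection is a separate hop that this command does not touch, and the section should say so, and should also say that the bouncer side must verify the server certificate just as the hexchat section expects rather than trusting whatever it is shown. Typos in the same lines: 'SSl' for 'SSL', and 'plus signin front' for 'plus sign) in front'.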
-Update: This nolonger seems to work in modern debian based linux distributions (mint, ubuntu, etc).  [[http://blog.sandipb.net/2009/08/08/adding-new-ca-certificates-in-ubuntu-jaunty/|these directions]] instead suggest adding the CA file to /usr/share/ca-certificates/ and adding a line to /etc/ca-certificates.confThen running update-ca-certificates+=== mIRC === 
 +Make sure you have the latest versionOld versions have insecure ssl libraries which have been blocked.
  
-== ChatZilla== +To [[http://www.mirc.com/ssl.html|enable SSL in mirc]] use the -e switch in the ''/server'' command, or put '+' (plu sign) in front of the port number, ie +6697
-The following will allow ChatZilla to use a self signed certificate which it will frequently find invalid.+
  
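Review bot: 'Old versions have insecure ssl libraries which have been blocked' does not say what is blocked or why; tie it to the 'TLS1.2 only' statement above (presumably old mIRC OpenSSL builds that cannot negotiate TLS 1.2 are refused) so the reader knows that updating mIRC, not changing settings, is the fix, and restore the sentence break in 'versionOld versions'. The '-e switch' / '+6697' sentence would be clearer as the two concrete commands it describes, e.g. '/server -e irc.afternet.org 6697' or '/server irc.afternet.org +6697'; 'plu sign' should be 'plus sign' and 'ssl' should be 'SSL'. Removing 'You will need to accept the Afternet SSL certificate when you connect, as it is self-signed' and the ChatZilla server-exception alias is correct now that the certificates are CA-signed, but say explicitly that mIRC should no longer prompt about an untrusted certificate and that such a prompt should now be treated as a failure.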
-Create an Alias using: +==== Certificate Authority ==== 
-<code> /alias certif eval getService("@mozilla.org/embedcomp/window-watcher\;1","nsIWindowWatcher").openWindow(null,"chrome://pippki/content/certManager.xul","mozilla:certmanager", "", null) </code>+Our server certificates are signed by [[https://letsencrypt.org]]
  
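Review bot: 'Our server certificates are signed by https://letsencrypt.org' is the entire section, and it omits the consequence that matters most to readers of the previous revision: the removed instructions had users install the AfterNET root CA into their operating system trust store (afternetca.cer through the Windows certificate installer, /etc/ssl/certs/90511bdb.0 or /usr/share/ca-certificates plus update-ca-certificates on Linux, afternet_ca_installer.msi for the silverex build, %APPDATA%\hexchat\AfterNET.pem for the WDK build). Now that the servers present certificates from a public CA that root is no longer needed, and a private root left in a trust store can still vouch for any hostname to that machine, so add a short 'if you installed the old AfterNET CA, remove it' paragraph naming the same locations the old text used, and state that no CA installation is required for any client that uses the operating system's trust store.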
-Then run: 
-<code> /certif </code> 
  
-This will open Mozilla's CertManager Module. Select the Servers Tab and add the Server Name.