TLS client access is supported on all servers, on ports 6697 and 9999. All servers are linked securely, which means that if you and the people you are talking to are all connected via TLS, conversations across the network are secure. We do not support SSLv2 or SSLv3 connections. Users connecting over TLS are given user mode +z, and "is using a secure connection" is shown when you /WHOIS them (numeric reply 671).

To ensure that your client can verify our server certificates, we suggest making sure your system has an up-to-date set of root CA certificates. For most clients this is sufficient; if it is not, you can download the root certificate from Let's Encrypt.

SNI support

Our servers support SNI. For clients that support it, this means the server will offer the appropriate certificate regardless of whether you connect using or use the server's hostname.

Client certificates

Client certificates are also supported, and may be used for authenticating to services. For more information, please see the CertFP guide. If you have connected with a client certificate, "has client certificate fingerprint [SHA-256_FINGERPRINT_HERE]" (numeric reply 276) will appear when you /WHOIS yourself.
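The following is an added example, not code from this network or its documentation. It builds a verifying TLS client context (system root CAs, SNI, optional client certificate) and reads numerics 671 and 276 out of WHOIS replies. The host irc.example.net, the sample replies, the fingerprint, the TLS 1.2 floor and the function names are assumptions made for illustration.

```python
import socket
import ssl

def make_tls_context(certfile=None, keyfile=None):
    """Client context that verifies the server against the system root CAs."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: local policy floor
    if certfile:                                  # optional client cert for CertFP
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def connect(host, port=6697, ctx=None):
    """Open a verified TLS socket; server_hostname sends SNI and is checked."""
    raw = socket.create_connection((host, port), timeout=15)
    return (ctx or make_tls_context()).wrap_socket(raw, server_hostname=host)

def whois_tls_status(lines, nick):
    """Read numerics 671 and 276 for `nick` out of raw WHOIS reply lines."""
    status = {"secure": False, "certfp": None}
    for line in lines:
        parts = line.rstrip("\r\n").split(" ", 4)  # :server NUM me target :text
        if len(parts) < 5 or parts[3].lower() != nick.lower():
            continue
        numeric, text = parts[1], parts[4].lstrip(":")
        if numeric == "671":
            status["secure"] = True
        elif numeric == "276":
            fp = text.rsplit(" ", 1)[-1].replace(":", "").upper()
            # Accept only a well-formed SHA-256 value (64 hex digits).
            if len(fp) == 64 and all(c in "0123456789ABCDEF" for c in fp):
                status["certfp"] = fp
    return status

# Constructed sample replies; irc.example.net and the fingerprint are placeholders.
SAMPLE_WHOIS = [
    ":irc.example.net 311 me alice alice host.example * :Alice",
    ":irc.example.net 671 me alice :is using a secure connection",
    ":irc.example.net 276 me alice :has client certificate fingerprint " + "ab" * 32,
    ":irc.example.net 311 me bob bob host.example * :Bob",
    ":irc.example.net 276 me bob :has client certificate fingerprint not-a-hash",
    ":irc.example.net 318 me bob :End of /WHOIS list.",
]

if __name__ == "__main__":
    print(whois_tls_status(SAMPLE_WHOIS, "alice"))
    print(whois_tls_status(SAMPLE_WHOIS, "bob"))
```

Nick comparison here uses plain lowercasing, which is a simplification of IRC case mapping.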

Securing your channel

When talking on a channel, be aware that everyone on the channel must be connected via TLS; otherwise, your communications on that channel will not be secure. You can require that all users in your channel are connected via TLS by setting channel mode +Z. You can also use extended bans to restrict by CertFP.

