TLS client access is supported on all servers, on ports 6697 and 9999.
All servers are linked securely. This means that conversations across the network are secure if you and the person(s) you are talking to are connected via TLS. We do not support SSLv2 or SSLv3 connections. Users connecting over TLS are given user mode +z, and "is using a secure connection" will be shown when you /WHOIS them (numeric reply 671).
To ensure your client can verify our server certificates, we suggest ensuring your system has an up-to-date set of root CA certificates. For most clients, this should be sufficient; however, you can download the root certificate from LetsEncrypt, if not.
Our servers support SNI. For clients that support it, this means the server will offer the appropriate certificate regardless of whether you connect using irc.darenet.org or use the server's darenet.org hostname.
Client certificates are also supported and may be used for authenticating. For more information, please see the CertFP guide. If you have connected with a client certificate, "has client certificate fingerprint [SHA-256_FINGERPRINT_HERE]" (numeric reply 276) will appear when you /WHOIS yourself.
Securing your channel
If talking on a channel, be aware that everyone on the channel must be connected via TLS; otherwise, your communications on that channel will not be secure. You can require all users in your channel to be connected via TLS by using channel mode +Z. You can also utilize extended bans to restrict by CertFP.