CertFP authentication

Authenticate to your account using a TLS certificate.

The CertFP feature is an alternative to password-based authentication, allowing you to connect to DareNET using a TLS certificate and be automatically authenticated to your account.

Creating a self-signed certificate

For the purpose of this document we will be using the openssl utility.

To generate your new certificate and key, use the following command:

openssl req -x509 -new -newkey rsa:4096 -sha256 -days 365 -nodes -keyout darenet.pem -out darenet.pem

You will be prompted to enter various pieces of information. For the purpose of using this certificate to authenticate on DareNET, it does not matter what you specify for these fields, so fill them in as you wish. The certificate will last for 1 year; you can change this by modifying the value given for -days in the command shown above. Keep in mind that the darenet.pem file grants the same access to your account as your password does, so take care in securing it.
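The following is an added example, not part of the DareNET documentation: a small POSIX shell script that wraps the openssl command above. It generates darenet.pem under a restrictive umask so the key file is never readable by other users, checks the file mode afterwards, warns when the certificate is within 30 days of expiry, and prints the SHA-256 fingerprint in the bare uppercase form that N reports, which is the value you will compare against N's reply in the ADDCERT step later on this page. It assumes the openssl CLI is installed; the -subj value and the script name certfp.sh are placeholders chosen here (the subject skips the interactive prompts, and as noted above its content does not matter).

```shell
#!/bin/sh
# Added example, not part of the DareNET docs. Assumes the openssl CLI is installed.

# Generate the key and self-signed certificate into one PEM file, exactly as the
# openssl command on this page does, but under umask 077 so the file is created
# owner-readable only. -subj is a constructed placeholder that skips the prompts.
make_certfp_cert() {
    # $1: output path, $2: validity in days
    ( umask 077 && openssl req -x509 -new -newkey rsa:4096 -sha256 -days "$2" -nodes \
        -subj "/CN=darenet-certfp" -keyout "$1" -out "$1" )
}

# Turn openssl's "SHA256 Fingerprint=e2:c9:..." line into the bare uppercase hex
# string N prints after ADDCERT.
normalize_fingerprint() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's/://g' | tr '[:lower:]' '[:upper:]'
}

# SHA-256 fingerprint of the certificate inside the PEM file (the key block is ignored).
cert_fingerprint() {
    normalize_fingerprint "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Return 0 if the file mode is exactly rw------- (owner only), 1 otherwise.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Return 0 if the certificate stays valid for at least $2 more days, 1 if not.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage: sh certfp.sh darenet.pem [days]   (days defaults to 365, as on this page)
if [ $# -ge 1 ]; then
    pem=$1
    days=${2:-365}
    [ -f "$pem" ] || make_certfp_cert "$pem" "$days"
    chmod 600 "$pem"
    if ! key_is_private "$pem"; then
        echo "error: $pem is readable by others; fix its permissions" >&2
        exit 1
    fi
    if ! cert_valid_for_days "$pem" 30; then
        echo "warning: $pem expires within 30 days; generate a new one and ADDCERT it" >&2
    fi
    echo "SHA-256 fingerprint (compare with N's ADDCERT reply): $(cert_fingerprint "$pem")"
fi
```

Run it as `sh certfp.sh darenet.pem` once to create the file and again later to re-check permissions and expiry; the printed fingerprint should be identical to the one N echoes back when you run ADDCERT.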

Connecting to DareNET using your certificate

We've provided step-by-step instructions for configuring a TLS certificate for clients and bouncers commonly used on DareNET. If you don't see your client listed here, we suggest checking your client's documentation.

ChatZilla

You'll need to convert darenet.pem to PKCS12:

openssl pkcs12 -export -out darenet.pfx -in darenet.pem

  1. Go to the Certificate Manager; "Preferences" -> "Advanced Options" -> "Encryption"
  2. Select "View Certificates", from there you can import the darenet.pfx you just generated
  3. Connect to DareNET using SSL. ChatZilla will ask if you want to use the certificate to authenticate. Say yes.

HexChat

You will need to move darenet.pem to the HexChat config directory (~/.config/hexchat/certs or %appdata%\HexChat\certs). For example:

mv darenet.pem ~/.config/hexchat/certs/client.pem

Now, start up HexChat and perform the following steps:

  1. Go to the HexChat menu and select "Network list"
  2. Find DareNET in the list of networks and select edit (if it's not there, add it)
  3. You may keep irc.darenet.org as the server, but make sure your port is +6697 or +9999
  4. Check "Use SSL for all the servers on this network"
  5. Select "Close" and then connect

irssi

Move the darenet.pem file you created above to ~/.irssi/certs:

mkdir ~/.irssi/certs
mv darenet.pem ~/.irssi/certs

Now, add a network for DareNET (if you haven't already done so); remember, the name is case-sensitive.

/network add DareNET

While you can add multiple servers for each network in irssi, we only need to add the pool address:

/server add -tls_cert ~/.irssi/certs/darenet.pem -network DareNET irc.darenet.org 6697

Now you can /connect DareNET and follow the instructions for adding your fingerprint to N.

Once done, you can configure irssi to use your certificate for authentication:

/network add -sasl_password '' -sasl_mechanism EXTERNAL DareNET

KvIRC

  1. Go to "Settings" -> "Configure KvIRC"
  2. Go to "Connection" -> "Advanced"
  3. On the "SSL" tab, check "Use SSL certificate" and "Use SSL private key". Point both to the darenet.pem file you created
  4. Change your connection settings and enable the SSL option. Remember to use port 6697 or 9999

mIRC

  1. Open the mIRC configuration options window, "Menu" -> "Connect" -> "Options"
  2. Select the SSL button
  3. Select the button below Private key file, find the darenet.pem file you created and select it
  4. Do the same for Certificate chain file

WeeChat

Move the darenet.pem file you created above to your ~/.weechat/certs directory:

mkdir ~/.weechat/certs
mv darenet.pem ~/.weechat/certs

If you have already connected, disconnect and remove the current DareNET server(s). Re-add using the following commands:

  1. /server add darenet irc.darenet.org/6697
  2. /set irc.server.darenet.ssl on
  3. /set irc.server.darenet.ssl_cert %h/certs/darenet.pem
  4. /set irc.server.darenet.ssl_dhkey_size 2048

Now you can /connect darenet and follow the instructions for adding your fingerprint to N.

Once done, you can configure WeeChat to use your certificate for authentication:

/set irc.server.darenet.sasl_mechanism external

Quassel

  1. Go to Quassel and click "Settings" -> "Configure Quassel" (or press F7)
  2. Click "Identities" in the left sidebar and choose the identity you want to associate your certificate with
  3. In the "Advanced" tab, under the "Use SSL Certificate" section, load the darenet.pem file you created

You can check that it's set up correctly by typing /msg *cert info. If you receive "You have a certificate in: ", then you're done.

You can now reconnect using your certificate: /msg *status connect

ZNC

Please refer to ZNC's official documentation.

Adding your fingerprint to N

If you've done everything right, you should be connected to DareNET using TLS with your certificate. To allow N to automatically authenticate you based on this certificate, you need to associate it with your account. To do this, use the ADDCERT command:

/msg N ADDCERT
-N- Certificate fingerprint E2C9B7866A4B036477379F000ECBA62CEE0C3062F32E20ADB7DA53D06E67ECE2 added.

N will reply letting you know that your fingerprint was added. Now the only thing left is to reconnect to the server to test it out! NOTE: you must connect using a nickname registered to your account for N to automatically authenticate you using your certificate. You can avoid this requirement by using login-on-connect or SASL EXTERNAL (discussed below).

/reconnect
12:10 -!- Irssi: Disconnecting from server irc.darenet.org: [Reconnecting]
12:10 -!- Irssi: Connecting to irc.darenet.org [IP ADDRESS] port 6697
12:10 !irc.darenet.org *** You are connected using TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384-256

...
-N- You are connected using SSL/TLS and have provided a matching client certificate
-N- for account YourAccount. You have been automatically logged in.
-N- Last account login was [TIME] ago from [HOST] [0 failed login attempts since last login].
YourAccount.user.darenet is now your hidden host

That's it! You now have automatic authentication via your certificate fingerprint.
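The following is an added check, not part of the DareNET documentation: a small POSIX shell script that takes the confirmation line N prints after ADDCERT together with your darenet.pem, and verifies that the fingerprint N registered is the SHA-256 fingerprint of your own certificate, so a stale or wrong certificate is noticed before you rely on it for logins. It assumes the openssl CLI is installed and that N's reply has the shape shown above; the script name verify-addcert.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the DareNET docs. Assumes the openssl CLI is installed
# and that N's reply looks like:
#   -N- Certificate fingerprint <64 hex characters> added.

# Pull the 64-character hex fingerprint out of N's ADDCERT reply; prints nothing
# if the line is not an "added" confirmation.
reply_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/^.*Certificate fingerprint \([0-9A-Fa-f]\{64\}\) added\..*$/\1/p'
}

# Local SHA-256 fingerprint of the certificate in the PEM file, in N's bare uppercase form.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed -e 's/^[^=]*=//' -e 's/://g' \
        | tr '[:lower:]' '[:upper:]'
}

# Return 0 when the fingerprint in the reply matches the local certificate, 1 otherwise.
addcert_matches() {
    # $1: N's reply line, $2: path to darenet.pem
    want=$(cert_fingerprint "$2")
    got=$(reply_fingerprint "$1")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage: sh verify-addcert.sh darenet.pem '-N- Certificate fingerprint ... added.'
if [ $# -eq 2 ]; then
    if addcert_matches "$2" "$1"; then
        echo "OK: N registered the fingerprint of $1"
    else
        echo "MISMATCH: reply says '$(reply_fingerprint "$2")' but $1 has '$(cert_fingerprint "$1")'" >&2
        exit 1
    fi
fi
```

Paste N's reply line as the second argument (quoted); a non-zero exit means the fingerprint N stored is not the one of the certificate your client is presenting, and you should run ADDCERT again from a connection that uses the right darenet.pem.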

Using SASL or login-on-connect with CertFP

Both the SASL and login-on-connect methods allow you to automatically authenticate using CertFP. With login-on-connect, you'd use the exact same method described in the Login-on-Connect guide; however, you may simply use '.' (or any other bogus password) as the password argument:

accountname:.

rather than

accountname:password

For SASL, you'll want to use the EXTERNAL mechanism.

Should you still need assistance, stop by #Help on IRC.