Group: LibrePlanet Italia/miniguida-freenode.en

m (Fixed changed link to sasl script)
m (Added a warning about user name in Tor+SASL connection)
 
(8 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
{{Languages|master page=miniguida-freenode|language=en}}
 
{{Languages|master page=miniguida-freenode|language=en}}
  
''The information contained in this mini-guide is current as of: 7/2/2011.''
+
''The information contained in this mini-guide is current as of: 27/10/2020.''
  
 
''The text in this page was last modified on: {{REVISIONDAY}}/{{REVISIONMONTH}}/{{REVISIONYEAR}}.''
 
''The text in this page was last modified on: {{REVISIONDAY}}/{{REVISIONMONTH}}/{{REVISIONYEAR}}.''
Line 7: Line 7:
 
== Introduction ==
 
== Introduction ==
  
The [http://freenode.net/ <tt>freenode</tt>] network hosts a lot of [http://en.wikipedia.org/wiki/Internet_Relay_Chat IRC] channels dedicated to [http://www.gnu.org/philosophy/free-sw.html free software]: <tt>#gnu</tt>, <tt>#fsf</tt>, <tt>#libreplanet</tt>, <tt>#gnewsense</tt> and many others.
+
The <strong>[http://freenode.net/ <tt>freenode</tt>]</strong> network hosts a lot of <tt>IRC</tt> ([https://en.wikipedia.org/wiki/Internet_Relay_Chat Internet Relay Chat]) channels dedicated to [http://www.gnu.org/philosophy/free-sw.it.html free software]: <tt>#gnu</tt>, <tt>#fsf</tt>, <tt>#libreplanet</tt> and many others.
  
From January 30, 2010 <tt>freenode</tt> has [http://blog.freenode.net/2010/01/ircd-migration-sat-jan-30th-2010/ migrated] their servers from [http://blog.freenode.net/2010/01/migration-to-new-ircd/ from <tt>ircd</tt> to <tt>ircd-seven</tt>]. This led to several changes, including the possibility of connection in a safe and anonymous way via [http://en.wikipedia.org/wiki/Transport_Layer_Security <tt>SSL</tt>] or via [http://www.torproject.org/ <tt>Tor</tt>]+[http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer <tt>SASL</tt>]. These two methods (alternatives to one another) offer much more privacy and security in communication and authentication than the usual "clear" connection mode.
+
Users can login to <tt>freenode</tt> using an anonymous nickname or using a registered and verified <tt>NickServ</tt> account.<ref name="nickname_registration">[https://freenode.net/kb/answer/registration Nickname Registration on <tt>freenode</tt>]</ref>
  
Here below is a brief description about how to configure [http://xchat.org/ <tt>XChat</tt>] (one of the best and most used <tt>IRC</tt> clients) to connect to <tt>freenode</tt> in different ways as possible (clear, via <tt>SSL</tt> and via <tt>Tor</tt>+<tt>SASL</tt>).
+
IRC clients can connect to <tt>freenode</tt> using the common ways:
 +
* <strong>[https://simple.wikipedia.org/wiki/Cleartext <tt>plain&ndash;text</tt>]</strong> (unencrypted, on ports 6665-6667 and 8000-8002, with or without a registered account))<ref name="freenode_conn">[https://freenode.net/kb/answer/chat Connecting to <tt>freenode</tt>]</ref>
 +
* <strong>[https://en.wikipedia.org/wiki/Transport_Layer_Security <tt>TLS&ndash;encrypted</tt>]</strong> (encrypted channel, on ports 6697, 7000 and 7070, with or without a registered account)<ref name="tls_conn">[https://freenode.net/kb/answer/chat#accessing-freenode-via-tls Accessing <tt>freenode</tt> via <tt>TLS</tt>]</ref>
 +
 
 +
Using a registered account, you can also:
 +
* log in into <tt>freenode</tt> via <strong>[https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer <tt>SASL</tt>]</strong>.<ref name="sasl_conn">[https://freenode.net/kb/answer/sasl Connecting to <tt>freenode</tt> with <tt>SASL</tt>]</ref><br /><tt>SASL</tt> authentication allows registered accounts to authenticate to services (<tt>NickServ</tt>) during the logon process, eliminating the need to identify themselves later (using the <tt>IRC</tt> command: <tt>/msg NickServ identify <password></tt>)
 +
* connect to <tt>freenode</tt> via <strong>[http://www.torproject.org/ <tt>Tor</tt>]</strong> with <tt>SASL EXTERNAL</tt> authentication via certificate&ndash;based <tt>TLS</tt>.<ref name="tor_conn">[https://freenode.net/kb/answer/chat#accessing-freenode-via-tor Accessing <tt>freenode</tt> via <tt>Tor</tt>]</ref><br />This mode (introduced in May 2019) uses the [https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions Next Gen Onion] protocol<ref name="next_gen_tor">[https://freenode.net/news/torv3 Freenode Next Gen Tor Hidden Service]</ref> and ensures a much greater degree of security and privacy
 +
 
 +
The procedures for configuring the <strong>[https://hexchat.github.io/ <tt>HexChat</tt>]</strong> <tt>IRC</tt> client for the different ways of connecting to <tt>freenode</tt> are summarized below.
 +
 
 +
<tt>HexChat</tt> is a fork of [http://xchat.org/ <tt>XChat</tt>] (no longer actively developed for many years) and is released under the [https://www.gnu.org/licenses/old-licenses/gpl-2.0.html <tt>GPL2</tt>] license.
  
 
== Prerequisites ==
 
== Prerequisites ==
  
* A [http://www.gnu.org/distros/free-distros.html 100% free GNU/Linux] distribution, as is [http://www.gnewsense.org <tt>gNewSense</tt>] :-)
+
* A [http://www.gnu.org/ GNU/Linux] distribution :-)
* The [http://xchat.org/ <tt>XChat</tt>] (> = 2.8.4) package, properly installed
+
* The [http://xchat.org/ <tt>XChat</tt>] (> = 2.8.4) package, properly installed on the system (the configurations described in this guide have been tested on version 2.14.2)<br />Note &mdash; In distributions using <tt>deb</tt> packages, <tt>HexChat</tt> is installed with the command: <br /><code>$ sudo apt-get install hexchat</code>
*:Note: In the GNU/Linux distributions which use <tt>.deb</tt> packages (as <tt>gNewSense</tt>), <tt>XChat</tt> could be installed with the command:
+
* To verify server certificates when connecting with <tt>TLS</tt> protocol, the system must have an up-to-date set of <em>root CA certificates</em> (otherwise, the root certificate is downloaded from [https://letsencrypt.org/certificates/ LetsEncrypt]).<br />Note &mdash; In distributions using <tt>deb</tt> packages, installing the package called <tt>ca-certificates</tt> or similar should be sufficient.
*:<code>$ sudo apt-get install xchat</code>
+
* To use <tt>SASL</tt> authentication with a registered and verified <tt>freenode</tt> <tt>NickServ</tt> account, the system must have <tt>TLS</tt> support (install the <tt>openssl</tt> package) and the related encryption libraries. <br />Warning &mdash; The packages required for <tt>TLS</tt> support may differ depending on your system.
 
+
* To use the connection mode via <tt>Tor + SASL</tt>, <tt>Tor</tt> must be properly installed and its service must be running. <br />Warning &mdash; It is strongly recommended to install an updated version of <tt>Tor</tt> (see the official [http://www.torproject.org <tt>Tor project</tt>] repositories). At least <tt>Tor</tt> >= 0.3.5 is required. <br />Note &mdash; For the installation and configuration of <tt>Tor</tt>, please see the relevant [https://www.torproject.org/docs/tor-doc-unix.html.en official guide].
== XChat: clear connection to freenode ==
 
  
# From the <em>XChat</em> menu, open the <em>Network list</em> (Ctrl + S)
+
== HexChat: <em>Plain&ndash;text</em> or <em>TSL&ndash;encrypted</em> connection ==
# Click the <em>Add</em> button in order to create a new network and call it (with no spaces): <tt>FreeNode</tt>
 
# Select the <tt>FreeNode</tt> network you just created and click on the <em>Edit</em> button to configure it as follows:
 
#*in <em>Servers for &hellip;</em>, click on <em>Add</em> and set as server:
 
#*:<code>irc.freenode.net/8001</code>
 
#*in the same section, set:
 
#*: - <em>Connect to selected server only</em>: do NOT check
 
#*in the <em>Your Details</em> section, enter the values for <em>Nick name</em>, <em>User name</em> and <em>Real name</em>
 
#*in the <em>Connecting</em> section set:
 
#*: - <em>Auto connect &hellip;</em>: set as desired
 
#*: - <em>Use a proxy server</em>: do NOT check
 
#*: - <em>Use SSL for all the servers on this network</em>: do NOT check
 
#*: - <em>Accept invalid SSL certificate</em>: do NOT check
 
#*: - <em>Channels to join</em>: <tt>#libreplanet</tt>, <tt>#gnewsense</tt>, &hellip; other channels as you like, separated by commas, no spaces&hellip;
 
#*: - <em>Connect command</em>: leave blank
 
#*: - <em>Nickserv password</em>: leave blank
 
#*: - <em>Server password</em>: to be set only if you are using a nickname registered and verified on <tt>freenode</tt>
 
#*: - <em>Character set</em>: <tt>UTF-8</tt>
 
  
The configuration of this new <tt>FreeNode</tt> network will appear in the <code>/~.xchat2/servlist_.conf</code> file. It will be something as:
+
# From the <em>HexChat</em> menu in <tt>HexChat</tt>, open the <em>Network List</em> window (Ctrl+S) <br />Note &mdash; In this window it is possible to enter the "global" user information that can eventually be used for all the networks in the list (<em>Nick name</em>, <em>Second choice</em>, <em>Real name</em>, <em>User name</em>)
<code>
+
# Click on the <em>Add</em> button to create a new network, giving it a suitable identifier (eg <tt>FreeNode</tt>)
        N=FreeNode
+
# Select the network you just created and click on the <em>Edit&hellip;</em> button
        I=mynickname
+
#* select the <em>Servers</em> tab
        U=mynickname
+
#* click on the <em>Add</em> button and set the server:<ref name="freenode_conn" /> <br /><code>chat.freenode.net</code>
        R=mynickname
+
# Set the connection parameters:
        P=mypassword
+
#* <em>Connect to selected server olny</em>: DO NOT CHECK
        J=#libreplanet,#gnewsense
+
#* <em>Connect to this network automatically</em>: set as desired
        E=UTF-8 (Unicode)
+
#* <em>Bypass proxy server</em>: CHECK <br />Note &mdash; Depending on the local network configuration in use, it may be necessary to NOT CHECK
        F=1
+
#* <em>Use SSL for all the servers on this network</em>: CHECK<br />Note &mdash; This sets <tt>TSL&ndash;encrypted</tt><ref name="tls_conn" /> mode (recommended) instead of <tt>plain&ndash;text</tt>
        D=0
+
#* <em>Accept invalid SSL certificates</em>: DO NOT CHECK
        S=irc.freenode.net/8001
+
# Enter user information specific to this connection <br />(or CHECK the <em>Use global user information</em> box to use any "global" user information defined in the <em>Network List</em> window)
</code>
+
# Enter the parameters for authentication:
 +
#* to log in with a generic nickname (without a registered account):
 +
#** <em>Login method</em>: <tt>Default</tt>
 +
#** <em>Password</em>: leave blank
 +
#* to log in with a registered <tt>NickServ</tt> account:
 +
#** <em>Login method</em>: <tt>NickServ (/MSG NickServ + password)</tt>
 +
#** <em>Password</em>: set with the password corresponding to the <em>User name</em> of the registered <tt>NickServ</tt> account
 +
#* to log in via <tt>SASL</tt> with a registered <tt>NickServ</tt> account<ref name="sasl_conn" />:
 +
#** <em>Login method</em>: <tt>SASL (username + password)</tt>
 +
#** <em>Password</em>: set with the password corresponding to the <em>User name</em> of the registered <tt>NickServ</tt> account
 +
# Set the character set to use:
 +
#* <em>Character set</em>: <tt>UTF-8</tt>
 +
# By selecting the <em>Autojoin channels</em> tab, you can also add a list of channels that will be automatically accessed once connected.
  
After closing the setup windows, you can connect in clear to the <tt>FreeNode</tt> network you just created.
 
  
== XChat: SSL connection to freenode ==
+
Once the <em>Network List</em> window is closed, you can connect to the newly created <tt>freenode</tt> network.
  
# From the <em>XChat</em> menu, open the <em>Network list</em> (Ctrl + S)
+
The configuration of the new <tt>freenode</tt> network will appear in the <code>~/.config/hexchat/servlist.conf</code> file and will look like this:
# Click the <em>Add</em> button in order to create a new network and call it (with no spaces): <tt>FreeNode-SSL</tt>
 
# Select the <tt>FreeNode-SSL</tt> network you just created and click on the <em>Edit</em> button to configure it as follows:
 
#*in <em>Servers for &hellip;</em>, click on <em>Add</em> and set as server:
 
#*:<code>irc.freenode.net/7070</code>
 
#*in the same section, set:
 
#*: - <em>Connect to selected server only</em>: do NOT check
 
#*in the <em>Your Details</em> section, enter the values for <em>Nick name</em>, <em>User name</em> and <em>Real name</em>
 
#*in the <em>Connecting</em> section set:
 
#*: - <em>Auto connect &hellip;</em>: set as desired
 
#*: - <em>Use a proxy server</em>: do NOT check
 
#*: - <em>Use SSL for all the servers on this network</em>: CHECK
 
#*: - <em>Accept invalid SSL certificate</em>: CHECK
 
#*: - <em>Channels to join</em>: <tt>#libreplanet</tt>, <tt>#gnewsense</tt>, &hellip; other channels as you like, separated by commas, no spaces&hellip;
 
#*: - <em>Connect command</em>: leave blank
 
#*: - <em>Nickserv password</em>: leave blank
 
#*: - <em>Server password</em>: to be set only if you are using a nickname registered and verified on <tt>freenode</tt>
 
#*: - <em>Character set</em>: <tt>UTF-8</tt>
 
  
The configuration of this new <tt>FreeNode-SSL</tt> network will appear in the <code>/~.xchat2/servlist_.conf</code> file. It will be something as:
+
* <tt>TSL&ndash;encrypted</tt> mode without authentication (without a registered account):
<code>
+
<pre>
        N=FreeNode-SSL
+
    N=FreeNode
        I=mynickname
+
    I=mynickname
        U=mynickname
+
    i=mynickname_secondary
        R=mynickname
+
    U=myusername
        P=mypassword
+
    R=myrealname
        J=#libreplanet,#gnewsense
+
    E=UTF-8 (Unicode)
        E=UTF-8 (Unicode)
+
    F=6
        F=37
+
    D=0
        D=0
+
    S=chat.freenode.net
        S=irc.freenode.net/7070
+
</pre>
</code>
 
  
After closing the setup windows, you can connect via SSL to the <tt>FreeNode-SSL</tt> network you just created.
+
* <tt>TSL&ndash;encrypted</tt> mode with <tt>NickServ</tt> authentication:
 +
<pre>
 +
    N=FreeNode
 +
    I=mynickname
 +
    i=mynickname_secondary
 +
    U=myusername
 +
    R=myrealname
 +
    P=mypassword
 +
    L=1
 +
    E=UTF-8 (Unicode)
 +
    F=6
 +
    D=0
 +
    S=chat.freenode.net
 +
</pre>
  
== XChat: Tor+SASL connection to freenode ==
+
* <tt>TSL&ndash;encrypted</tt> mode with <tt>SASL</tt> authentication:
 +
<pre>
 +
    N=FreeNode
 +
    I=mynickname
 +
    i=mynickname_secondary
 +
    U=myusername
 +
    R=myrealname
 +
    P=mypassword
 +
    L=6
 +
    E=UTF-8 (Unicode)
 +
    F=71
 +
    D=1
 +
    S=chat.freenode.net
 +
</pre>
  
Connecting to <tt>freenode</tt> by <tt>Tor</tt>+<tt>SASL</tt> requires the use of the new dedicated <tt>tor</tt> hidden service [irc://p4fsi4ockecnea7l.onion/ p4fsi4ockecnea7l.onion] (for details see: http://blog.freenode.net/2010/01/connecting-to-freenode-using-tor-sasl/ and http://freenode.net/irc_servers.shtml#tor) and also the use of <tt>SASL</tt> authentication mechanism that could be handled by <tt>XChat</tt>.
+
== HexChat: Connection via <tt>Tor+SASL</tt> ==
  
Consequently, this connection method is more complex and articulated than the previouses, as it requires the satisfaction of certain additional requirements:
+
The connection to <tt>freenode</tt> via <tt>Tor</tt>+<tt>SASL</tt> takes place through a <tt>Tor</tt> hidden service (that uses the recent [https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions Next Gen Onion] protocol):<br /><code>ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion</code>
* <tt>Tor</tt> must be properly installed and its service must be running (it is *strongly* recommended that you install the latest version of the available packages from the official repositories of the [http://www.torproject.org <tt>tor</tt>] project, at: https://www.torproject.org/download/download-unix.html.en). <br />Togheter with <tt>tor</tt>, is also recommended the installation of the latest version of the <tt>polipo</tt> and <tt>geoipdb-tor</tt> packages. <br />For installation and configuration of <tt>tor</tt> see the [https://www.torproject.org/docs/tor-doc-unix.html.en official guide].
 
* The system must have installed the support for <tt>SSL</tt> (install the <tt>openssl</tt> package) and also some libraries for encryption (<tt>libcrypt-openssl-bignum-perl</tt>, <tt>libcrypt-dh-perl</tt>, <tt>libcrypt-blowfish-perl</tt>). <br />Note - The required packages may differ depending on the system in use.
 
* A registered and verified <tt>NickServ</tt> account on <tt>freenode</tt> is needed (for the registration procedure, see: http://freenode.net/faq.shtml#userregistration).
 
  
A specific script is needed to make the authentication and security <tt>SASL</tt> framework available to <tt>XChat</tt>. This script should be placed in the <code>~/.xchat2</code> directory, in order to be loaded when <tt>XChat</tt> is opened.
+
To avoid any abuse, the service offered by <tt>freenode</tt> requires a registered and verified <tt>NickServ</tt> account, which must be authenticated in <tt>SASL EXTERNAL</tt> (or <tt>ECDSA-NIST256P-CHALLENGE</tt>) mode via <tt>TLS&ndashencrypted</tt> using a special certificate associated with the same account.<ref name="tor_conn" />
  
The <tt>SASL</tt> support in <tt>XChat</tt> could be obtained using the following commands:
+
To be able to connect to <tt>freenode</tt> via <tt>Tor</tt>+<tt>SASL</tt> it is therefore necessary to satisfy some additional prerequisites:
<code>
+
# have a registered and verified <tt>NickServ</tt> <tt>freenode</tt> account <ref name="nickname_registration" />
        $ cd ~/.xchat2
+
# associate a specific <tt>TLS</tt> certificate to the same account<ref name="certfp">[https://freenode.net/kb/answer/certfp <tt>CertFP</tt> certificate]</ref>
        $ wget http://adipose.attenuate.org/~stephen/ircd-seven/sasl/cap_sasl_xchat.py
 
</code>
 
Warning - This Python script seems to work fine, and is released under the GNU GPL license. <br />The Perl script available from <nowiki>http://freenode.net/sasl/</nowiki> do NOT seems working well with <tt>XChat</tt>.
 
  
Note - The help for the <tt>SASL</tt> command in <tt>XChat</tt> could be obtained typing: <code>/HELP SASL</code>
 
  
At this point, we can finally set <tt>XChat</tt>. Having to use <tt>tor</tt> unlike previous cases, now the client must be configured to use the proxy server.
+
A convenient way to prepare and associate the certificate is the procedure described below<ref name="certfp" />:
 +
* create the certificate and view its fingerprint by executing the commands from the terminal:<br />
 +
<pre>
 +
    $ openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1096 -nodes -out freenode.pem -keyout freenode.pem
 +
    $ openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1
 +
</pre>
 +
: Attention - The certificate is valid for about 3 years. It will therefore have to be regenerated upon expiration.
 +
* make the certificate available to <tt>HexChat</tt>, by running the commands from the terminal:<br />
 +
<pre>
 +
    $ mkdir ~/.config/hexchat/certs/
 +
    $ mv freenode.pem ~/.config/hexchat/certs/freenode.pem
 +
</pre>
 +
* log into <tt>freenode</tt> using the <tt>TSL&ndash;encrypted</tt> mode described above
 +
* associate the certificate to the registered account by running the <tt>IRC</tt> command: <br />
 +
<pre>
 +
    /msg NickServ CERT ADD <fingerprint>
 +
</pre>
 +
: where <tt><fingerprint></tt> must be replaced with the certificate fingerprint as shown above.
  
# From the <em>Settings -> Preferences</em> menu, go to the <em>Network</em> category and open <em>Network setup</em> to configure it as follows:
+
Of course, <tt>HexChat</tt> must also be configured appropriately (note that, in this case, the client must be configured to use the local <tt>Tor</tt> proxy):
#*in the <em>Proxy server</em> section set:
+
# From the <em>HexChat</em> menu in <tt>HexChat</tt>, open the <em>Network List</em> window (Ctrl+S) <br />Note &mdash; In this window it is possible to enter the "global" user information that can eventually be used for all the networks in the list (<em>Nick name</em>, <em>Second choice</em>, <em>Real name</em>, <em>User name</em>)
#*: -  <em>Hostname</em>: <tt>localhost</tt>
+
# Click on the <em>Add</em> button to create a new network, giving it a suitable identifier (eg <tt>FreeNode-Tor</tt>)
#*: -  <em>Port</em>: <tt>9050</tt>
+
# Select the network you just created and click on the <em>Edit&hellip;</em> button
#*: -  <em>Type</em>: <tt>Sock5</tt>
+
#* select the <em>Servers</em> tab
#*: -  <em>Use proxy for</em>: <tt>All connections</tt>
+
#* click on the <em>Add</em> button and set the server: <br /><code>ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion</code>
# From the <em>XChat</em> menu, open the <em>Network list</em> (Ctrl + S)
+
# Set the connection parameters:
# Click the <em>Add</em> button in order to create a new network and call it (with no spaces): <tt>FreeNode-TorSASL</tt>
+
#* <em>Connect to selected server olny</em>: CHECK
# Select the <tt>FreeNode-TorSASL</tt> network you just created and click on the <em>Edit</em> button to configure it as follows:
+
#* <em>Connect to this network automatically</em>: set as desired
#*in <em>Servers for &hellip;</em>, click on <em>Add</em> and set as server:
+
#* <em>Bypass proxy server</em>: DO NOT CHECK (in order to use the local <tt>Tor</tt> proxy)
#*:<code>p4fsi4ockecnea7l.onion</code>
+
#* <em>Use SSL for all the servers on this network</em>: CHECK (to set <tt>TSL&ndash;encrypted</tt> mode)
#*in the same section, set:
+
#* <em>Accept invalid SSL certificates</em>: DO NOT CHECK
#*: - <em>Connect to selected server only</em>: do NOT check
+
# Enter user information specific to this connection (or CHECK the <em>Use global user information</em> box to use any "global" user information defined in the <em>Network List</em> window)<br />Warning &mdash; The resulting <em>User name</em> must be that of the registered <tt>NickServ</tt> account!
#*in the <em>Your Details</em> section, enter the values for <em>Nick name</em>, <em>User name</em> and <em>Real name</em> <br />Warning - You must use a registered and verified <tt>NickServ</tt> account on <tt>freenode</tt> (for the registration procedure, see: http://freenode.net/faq.shtml#userregistration)
+
# Enter the parameters for authentication:
#*in the <em>Connecting</em> section set:
+
#* <em>Login method</em>: <tt>SASL EXTERNAL (cert)</tt>
#*: - <em>Auto connect &hellip;</em>: set as desired
+
#* <em>Password</em>: field disabled (the certificate associated with the registered <tt>NickServ</tt> account will be used)
#*: - <em>Use a proxy server</em>: CHECK
+
# Set the character set to use:
#*: - <em>Use SSL for all the servers on this network</em>: do NOT check
+
#* <em>Character set</em>: <tt>UTF-8</tt>
#*: - <em>Accept invalid SSL certificate</em>: do NOT check
+
# By selecting the <em>Autojoin channels</em> tab, you can also add a list of channels that will be automatically accessed once connected.
#*: - <em>Channels to join</em>: <tt>#libreplanet</tt>, <tt>#gnewsense</tt>, &hellip; other channels as you like, separated by commas, no spaces&hellip;
 
#*: - <em>Connect command</em>: leave blank
 
#*: - <em>Nickserv password</em>: leave blank
 
#*: - <em>Server password</em>: set the password corresponding to the registered and verified <tt>NickServ</tt> account on <tt>freenode</tt> that you are using (see above)
 
#*: - <em>Character set</em>: <tt>UTF-8</tt>
 
# To ensure that the <tt>SASL</tt> framework is used by the <tt>FreeNode-TorSASL</tt> network, in the command area of <tt>XChat</tt> type the command:
 
#:<code>/SASL -set FreeNode-TorSASL mynickname mypassword</code>
 
#: where:
 
#: - <code>FreeNode-TorSASL</code> is the name of the network for which <tt>SASL</tt> have to be used (Warning - Since it is case-sensitive, it must match *exactly* the name assigned to the network for which <tt>SASL</tt> have to be used)
 
#: - <code>mynickname</code> is the nickname of the registered and verified <tt>NickServ</tt> account on <tt>freenode</tt> that you are using (see above)
 
#: - <code>mypassword</code>: is the password of the registered and verified <tt>NickServ</tt> account on <tt>freenode</tt> that you are using (see above)
 
# Close and reopen <tt>XChat</tt>
 
  
The configuration of this new <tt>FreeNode-TorSASL</tt> network will appear in the <code>/~.xchat2/servlist_.conf</code> file. It will be something as:
 
<code>
 
        N=FreeNode-TorSASL
 
        I=mynickname
 
        U=mynickname
 
        R=mynickname
 
        P=mypassword
 
        J=#libreplanet,#gnewsense
 
        E=UTF-8 (Unicode)
 
        F=17
 
        D=0
 
        S=p4fsi4ockecnea7l.onion
 
</code>
 
  
The correspondence between the <tt>FreeNode-TorSASL</tt> network and the <tt>SASL</tt> framework will result in a special section within the <code>~/.xchat2/sasl.conf</code> file. It will be something as:
+
The configuration of the new <tt>freenode</tt> network will appear in the <code>~/.config/hexchat/servlist.conf</code> file and will look like this:
<code>
+
<pre>
        [FreeNode-TorSASL]
+
    N=FreeNode-Tor
        nick = mynickname  
+
    I=mynickname
        password = mypassword
+
    i=mynickname_secondary
        mechanism = PLAIN
+
    U=myusername
</code>
+
    R=myrealname
To increase security, it is *strongly recommended* to replace in this file the line:
+
    L=10
<code>
+
    E=UTF-8 (Unicode)
        mechanism = PLAIN
+
    F=118
</code>
+
    D=0
with:
+
    S=ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion
<code>
+
</pre>
        mechanism = DH-BLOWFISH
 
</code>
 
  
You can now connect via <tt>Tor</tt>+<tt>SASL</tt> to the <tt>FreeNode-TorSASL</tt> network you just created.
+
You can now connect via <tt>Tor</tt>+<tt>SASL</tt> to the newly created network.
  
Note: In some circumstances, probably due to the latency of the <tt>tor</tt> network, the connection might be slow or difficult.
+
== References ==
 +
<references />
  
  
 
----
 
----
 
''[ Document edited by: [[User:Alexus|alexus]] ]''
 
''[ Document edited by: [[User:Alexus|alexus]] ]''
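Review bot: in the certificate steps of the new Tor+SASL section, freenode.pem holds the unencrypted private key (the openssl command uses -nodes and writes -out and -keyout to the same file) and is then moved into ~/.config/hexchat/certs/ with no permission change; add a chmod 600 on the moved file, and use mkdir -p so the step does not fail when the directory already exists. The same revision also spells TLS as "TSL" in the new headings and notes, types the checkbox label as "olny", drops the semicolon in TLS&ndashencrypted so the entity renders literally, and still names XChat (> = 2.8.4) in the prerequisites although the install command on the same line is for hexchat.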

Latest revision as of 15:37, 28 October 2020

The information contained in this mini-guide is current as of: 27/10/2020.

The text in this page was last modified on: 28/10/2020.

Introduction

The freenode network hosts a lot of IRC (Internet Relay Chat) channels dedicated to free software: #gnu, #fsf, #libreplanet and many others.

Users can log in to freenode using an anonymous nickname or using a registered and verified NickServ account.[1]

IRC clients can connect to freenode using the common ways:

  • plain–text (unencrypted, on ports 6665-6667 and 8000-8002, with or without a registered account)[2]
  • TLS–encrypted (encrypted channel, on ports 6697, 7000 and 7070, with or without a registered account)[3]

Using a registered account, you can also:

  • log in to freenode via SASL.[4]
    SASL authentication allows registered accounts to authenticate to services (NickServ) during the logon process, eliminating the need to identify themselves later (using the IRC command: /msg NickServ identify <password>)
  • connect to freenode via Tor with SASL EXTERNAL authentication via certificate–based TLS.[5]
    This mode (introduced in May 2019) uses the Next Gen Onion protocol[6] and ensures a much greater degree of security and privacy

The procedures for configuring the HexChat IRC client for the different ways of connecting to freenode are summarized below.

HexChat is a fork of XChat (which has not been actively developed for many years) and is released under the GPL2 license.

Prerequisites

  • A GNU/Linux distribution :-)
  • The XChat (>= 2.8.4) package, properly installed on the system (the configurations described in this guide have been tested on version 2.14.2)
    Note — In distributions using deb packages, HexChat is installed with the command:
    $ sudo apt-get install hexchat
  • To verify server certificates when connecting with the TLS protocol, the system must have an up-to-date set of root CA certificates (otherwise, the root certificate is downloaded from LetsEncrypt).
    Note — In distributions using deb packages, installing the package called ca-certificates or similar should be sufficient.
  • To use SASL authentication with a registered and verified freenode NickServ account, the system must have TLS support (install the openssl package) and the related encryption libraries.
    Warning — The packages required for TLS support may differ depending on your system.
  • To use the connection mode via Tor + SASL, Tor must be properly installed and its service must be running.
    Warning — It is strongly recommended to install an updated version of Tor (see the official Tor project repositories). At least Tor >= 0.3.5 is required.
    Note — For the installation and configuration of Tor, please see the relevant official guide.

HexChat: Plain–text or TLS–encrypted connection

  1. From the HexChat menu in HexChat, open the Network List window (Ctrl+S)
    Note — In this window it is possible to enter the "global" user information that can optionally be used for all the networks in the list (Nick name, Second choice, Real name, User name)
  2. Click on the Add button to create a new network, giving it a suitable identifier (e.g. FreeNode)
  3. Select the network you just created and click on the Edit… button
    • select the Servers tab
    • click on the Add button and set the server:[2]
      chat.freenode.net
  4. Set the connection parameters:
    • Connect to selected server only: DO NOT CHECK
    • Connect to this network automatically: set as desired
    • Bypass proxy server: CHECK
      Note — Depending on the local network configuration in use, it may be necessary to leave this box unchecked
    • Use SSL for all the servers on this network: CHECK
      Note — This sets TLS–encrypted[3] mode (recommended) instead of plain–text
    • Accept invalid SSL certificates: DO NOT CHECK
  5. Enter user information specific to this connection
    (or CHECK the Use global user information box to use any "global" user information defined in the Network List window)
  6. Enter the parameters for authentication:
    • to log in with a generic nickname (without a registered account):
      • Login method: Default
      • Password: leave blank
    • to log in with a registered NickServ account:
      • Login method: NickServ (/MSG NickServ + password)
      • Password: set with the password corresponding to the User name of the registered NickServ account
    • to log in via SASL with a registered NickServ account[4]:
      • Login method: SASL (username + password)
      • Password: set with the password corresponding to the User name of the registered NickServ account
  7. Set the character set to use:
    • Character set: UTF-8
  8. By selecting the Autojoin channels tab, you can also add a list of channels to join automatically once connected.


Once the Network List window is closed, you can connect to the newly created freenode network.

The configuration of the new freenode network will appear in the ~/.config/hexchat/servlist.conf file and will look like this:

  • TLS–encrypted mode without authentication (without a registered account):
    N=FreeNode
    I=mynickname
    i=mynickname_secondary
    U=myusername
    R=myrealname
    E=UTF-8 (Unicode)
    F=6
    D=0
    S=chat.freenode.net
  • TLS–encrypted mode with NickServ authentication:
    N=FreeNode
    I=mynickname
    i=mynickname_secondary
    U=myusername
    R=myrealname
    P=mypassword
    L=1
    E=UTF-8 (Unicode)
    F=6
    D=0
    S=chat.freenode.net
  • TLS–encrypted mode with SASL authentication:
    N=FreeNode
    I=mynickname
    i=mynickname_secondary
    U=myusername
    R=myrealname
    P=mypassword
    L=6
    E=UTF-8 (Unicode)
    F=71
    D=1
    S=chat.freenode.net

HexChat: Connection via Tor+SASL

The connection to freenode via Tor+SASL takes place through a Tor hidden service (that uses the recent Next Gen Onion protocol):
ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion

To avoid abuse, the service offered by freenode requires a registered and verified NickServ account, which must authenticate in SASL EXTERNAL (or ECDSA-NIST256P-CHALLENGE) mode over a TLS–encrypted connection, using a certificate associated with the same account.[5]

To be able to connect to freenode via Tor+SASL it is therefore necessary to satisfy some additional prerequisites:

  1. have a registered and verified NickServ freenode account [1]
  2. associate a specific TLS certificate with the same account[7]


A convenient way to prepare and associate the certificate is the procedure described below[7]:

  • create the certificate and view its fingerprint by executing the commands from the terminal:
    $ openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1096 -nodes -out freenode.pem -keyout freenode.pem
    $ openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1
Attention - The certificate is valid for about 3 years. It will therefore have to be regenerated upon expiration.
  • make the certificate available to HexChat, by running the commands from the terminal:
    $ mkdir -p ~/.config/hexchat/certs/
    $ mv freenode.pem ~/.config/hexchat/certs/freenode.pem
  • log in to freenode using the TLS–encrypted mode described above
  • associate the certificate with the registered account by running the IRC command:
    /msg NickServ CERT ADD <fingerprint>
where <fingerprint> must be replaced with the certificate fingerprint as shown above.

Of course, HexChat must also be configured appropriately (note that, in this case, the client must be configured to use the local Tor proxy):

  1. From the HexChat menu in HexChat, open the Network List window (Ctrl+S)
    Note — In this window it is possible to enter the "global" user information that can optionally be used for all the networks in the list (Nick name, Second choice, Real name, User name)
  2. Click on the Add button to create a new network, giving it a suitable identifier (e.g. FreeNode-Tor)
  3. Select the network you just created and click on the Edit… button
    • select the Servers tab
    • click on the Add button and set the server:
      ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion
  4. Set the connection parameters:
    • Connect to selected server only: CHECK
    • Connect to this network automatically: set as desired
    • Bypass proxy server: DO NOT CHECK (in order to use the local Tor proxy)
    • Use SSL for all the servers on this network: CHECK (to set TLS–encrypted mode)
    • Accept invalid SSL certificates: DO NOT CHECK
  5. Enter user information specific to this connection (or CHECK the Use global user information box to use any "global" user information defined in the Network List window)
    Warning — The resulting User name must be that of the registered NickServ account!
  6. Enter the parameters for authentication:
    • Login method: SASL EXTERNAL (cert)
    • Password: field disabled (the certificate associated with the registered NickServ account will be used)
  7. Set the character set to use:
    • Character set: UTF-8
  8. By selecting the Autojoin channels tab, you can also add a list of channels to join automatically once connected.


The configuration of the new freenode network will appear in the ~/.config/hexchat/servlist.conf file and will look like this:

    N=FreeNode-Tor
    I=mynickname
    i=mynickname_secondary
    U=myusername
    R=myrealname
    L=10
    E=UTF-8 (Unicode)
    F=118
    D=0
    S=ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion

You can now connect via Tor+SASL to the newly created network.
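An added example (not part of the original guide or of HexChat): a Python audit of servlist.conf that decodes the F= and L= fields shown in the sample configurations above and reports settings that weaken the connection. The F= bit names are an assumption based on HexChat's servlist.h, the network names and the v= header line in the sample are constructed, and the function names are hypothetical.

```python
"""Audit HexChat servlist.conf entries for weak connection settings (added example)."""

# F= bit meanings: an assumption taken from HexChat's src/common/servlist.h,
# not from this guide. They agree with the checkbox settings the guide shows.
FLAGS = {1: "cycle_servers", 2: "use_global_user_info", 4: "use_tls", 8: "auto_connect",
         16: "use_proxy", 32: "accept_invalid_cert", 64: "favorite"}

# L= login methods, limited to the values that appear in the guide's samples.
LOGIN = {0: "default", 1: "nickserv_msg", 6: "sasl_password", 10: "sasl_external"}

# Constructed sample: the guide's four configurations, renamed so they are distinct.
SAMPLE = """\
v=2.14.2

N=FreeNode
U=myusername
F=6
S=chat.freenode.net

N=FreeNode-NickServ
U=myusername
P=mypassword
L=1
F=6
S=chat.freenode.net

N=FreeNode-SASL
U=myusername
P=mypassword
L=6
F=71
S=chat.freenode.net

N=FreeNode-Tor
U=myusername
L=10
F=118
S=ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion
"""


def parse_servlist(text):
    """Return one dict per network; an entry starts at its N= line."""
    networks, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if not sep:
            continue                      # blank or malformed line
        if key == "N":
            current = {"N": value, "S": []}
            networks.append(current)
        elif current is None:
            continue                      # file header (v=...) before any network
        elif key == "S":
            current["S"].append(value)    # a network may list several servers
        else:
            current[key] = value
    return networks


def decode_flags(value):
    """Names of the F= bits that are set."""
    return {name for bit, name in FLAGS.items() if value & bit}


def audit_network(net):
    """List the settings of one network that weaken the connection."""
    flags = decode_flags(int(net.get("F", "0")))
    login = LOGIN.get(int(net.get("L", "0")), "other")
    onion = any(s.split("/")[0].endswith(".onion") for s in net["S"])
    findings = []
    if "use_tls" not in flags:
        findings.append("TLS disabled: traffic and credentials travel in plain text")
    if "accept_invalid_cert" in flags:
        findings.append("invalid server certificates are accepted")
    if onion and "use_proxy" not in flags:
        findings.append(".onion server configured with the proxy bypassed")
    if onion and login != "sasl_external":
        findings.append(".onion server without SASL EXTERNAL login (L=10)")
    if "P" in net:
        findings.append("password stored in clear text in servlist.conf")
        if login == "nickserv_msg":
            findings.append("password sent by /msg NickServ after connecting, not by SASL")
    return findings


def audit_config(text):
    """Map each network name to its findings."""
    return {net["N"]: audit_network(net) for net in parse_servlist(text)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE).items():
        print(name, "->", findings or "no findings")
```

Under the assumed bit layout, the guide's F=118 decodes with bit 32 (accept invalid certificates) set, which differs from the DO NOT CHECK setting in step 4, so compare the value in your own file.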

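References

  1. Nickname Registration on freenode: https://freenode.net/kb/answer/registration
  2. Connecting to freenode: https://freenode.net/kb/answer/chat
  3. Accessing freenode via TLS: https://freenode.net/kb/answer/chat#accessing-freenode-via-tls
  4. Connecting to freenode with SASL: https://freenode.net/kb/answer/sasl
  5. Accessing freenode via Tor: https://freenode.net/kb/answer/chat#accessing-freenode-via-tor
  6. Freenode Next Gen Tor Hidden Service: https://freenode.net/news/torv3
  7. CertFP certificate: https://freenode.net/kb/answer/certfp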

[ Document edited by: alexus ]