Group: LibrePlanet Italia/miniguida-freenode.en

The information contained in this mini-guide is current as of: 27/10/2020.

The text in this page was last modified on: 28/10/2020.

Introduction

The freenode network hosts a lot of IRC (Internet Relay Chat) channels dedicated to free software: #gnu, #fsf, #libreplanet and many others.

Users can login to freenode using an anonymous nickname or using a registered and verified NickServ account.^[1]

IRC clients can connect to freenode using the common ways:

• plain–text (unencrypted, on ports 6665-6667 and 8000-8002, with or without a registered account))^[2]
• TLS–encrypted (encrypted channel, on ports 6697, 7000 and 7070, with or without a registered account)^[3]

Using a registered account, you can also:

• log in into freenode via SASL.^[4]
  SASL authentication allows registered accounts to authenticate to services (NickServ) during the logon process, eliminating the need to identify themselves later (using the IRC command: /msg NickServ identify <password>)
• connect to freenode via Tor with SASL EXTERNAL authentication via certificate–based TLS.^[5]
  This mode (introduced in May 2019) uses the Next Gen Onion protocol^[6] and ensures a much greater degree of security and privacy

The procedures for configuring the HexChat IRC client for the different ways of connecting to freenode are summarized below.

HexChat is a fork of XChat (no longer actively developed for many years) and is released under the GPL2 license.

Prerequisites

• A GNU/Linux distribution :-)
• The XChat (> = 2.8.4) package, properly installed on the system (the configurations described in this guide have been tested on version 2.14.2)
  Note — In distributions using deb packages, HexChat is installed with the command:
  $ sudo apt-get install hexchat
• To verify server certificates when connecting with TLS protocol, the system must have an up-to-date set of root CA certificates (otherwise, the root certificate is downloaded from LetsEncrypt).
  Note — In distributions using deb packages, installing the package called ca-certificates or similar should be sufficient.
• To use SASL authentication with a registered and verified freenode NickServ account, the system must have TLS support (install the openssl package) and the related encryption libraries.
  Warning — The packages required for TLS support may differ depending on your system.
• To use the connection mode via Tor + SASL, Tor must be properly installed and its service must be running.
  Warning — It is strongly recommended to install an updated version of Tor (see the official Tor project repositories). At least Tor >= 0.3.5 is required.
  Note — For the installation and configuration of Tor, please see the relevant official guide.

HexChat: Plain–text or TSL–encrypted connection

1. From the HexChat menu in HexChat, open the Network List window (Ctrl+S)
   Note — In this window it is possible to enter the "global" user information that can eventually be used for all the networks in the list (Nick name, Second choice, Real name, User name)
2. Click on the Add button to create a new network, giving it a suitable identifier (eg FreeNode)
3. Select the network you just created and click on the Edit… button
   • select the Servers tab
   • click on the Add button and set the server:^[2]
     chat.freenode.net
4. Set the connection parameters:
   • Connect to selected server olny: DO NOT CHECK
   • Connect to this network automatically: set as desired
   • Bypass proxy server: CHECK
     Note — Depending on the local network configuration in use, it may be necessary to NOT CHECK
   • Use SSL for all the servers on this network: CHECK
     Note — This sets TSL–encrypted^[3] mode (recommended) instead of plain–text
   • Accept invalid SSL certificates: DO NOT CHECK
5. Enter user information specific to this connection
   (or CHECK the Use global user information box to use any "global" user information defined in the Network List window)
6. Enter the parameters for authentication:
   • to log in with a generic nickname (without a registered account):
     • Login method: Default
     • Password: leave blank
   • to log in with a registered NickServ account:
     • Login method: NickServ (/MSG NickServ + password)
     • Password: set with the password corresponding to the User name of the registered NickServ account
   • to log in via SASL with a registered NickServ account^[4]:
     • Login method: SASL (username + password)
     • Password: set with the password corresponding to the User name of the registered NickServ account
7. Set the character set to use:
   • Character set: UTF-8
8. By selecting the Autojoin channels tab, you can also add a list of channels that will be automatically accessed once connected.

Once the Network List window is closed, you can connect to the newly created freenode network.

The configuration of the new freenode network will appear in the ~/.config/hexchat/servlist.conf file and will look like this:

• TSL–encrypted mode without authentication (without a registered account):

    N=FreeNode
    I=mynickname
    i=mynickname_secondary
    U=myusername
    R=myrealname
    E=UTF-8 (Unicode)
    F=6
    D=0
    S=chat.freenode.net

• TSL–encrypted mode with NickServ authentication:

    N=FreeNode
    I=mynickname
    i=mynickname_secondary
    U=myusername
    R=myrealname
    P=mypassword
    L=1
    E=UTF-8 (Unicode)
    F=6
    D=0
    S=chat.freenode.net

• TSL–encrypted mode with SASL authentication:

    N=FreeNode
    I=mynickname
    i=mynickname_secondary
    U=myusername
    R=myrealname
    P=mypassword
    L=6
    E=UTF-8 (Unicode)
    F=71
    D=1
    S=chat.freenode.net

HexChat: Connection via Tor+SASL

The connection to freenode via Tor+SASL takes place through a Tor hidden service (that uses the recent Next Gen Onion protocol):
ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion

To avoid any abuse, the service offered by freenode requires a registered and verified NickServ account, which must be authenticated in SASL EXTERNAL (or ECDSA-NIST256P-CHALLENGE) mode via TLS&ndashencrypted using a special certificate associated with the same account.^[5]

To be able to connect to freenode via Tor+SASL it is therefore necessary to satisfy some additional prerequisites:

1. have a registered and verified NickServ freenode account ^[1]
2. associate a specific TLS certificate to the same account^[7]

A convenient way to prepare and associate the certificate is the procedure described below^[7]:

• create the certificate and view its fingerprint by executing the commands from the terminal:
  

    $ openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1096 -nodes -out freenode.pem -keyout freenode.pem
    $ openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1

Attention - The certificate is valid for about 3 years. It will therefore have to be regenerated upon expiration.

• make the certificate available to HexChat, by running the commands from the terminal:
  

    $ mkdir ~/.config/hexchat/certs/
    $ mv freenode.pem ~/.config/hexchat/certs/freenode.pem

• log into freenode using the TSL–encrypted mode described above
• associate the certificate to the registered account by running the IRC command:
  

    /msg NickServ CERT ADD <fingerprint>

where <fingerprint> must be replaced with the certificate fingerprint as shown above.

Of course, HexChat must also be configured appropriately (note that, in this case, the client must be configured to use the local Tor proxy):

1. From the HexChat menu in HexChat, open the Network List window (Ctrl+S)
   Note — In this window it is possible to enter the "global" user information that can eventually be used for all the networks in the list (Nick name, Second choice, Real name, User name)
2. Click on the Add button to create a new network, giving it a suitable identifier (eg FreeNode-Tor)
3. Select the network you just created and click on the Edit… button
   • select the Servers tab
   • click on the Add button and set the server:
     ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion
4. Set the connection parameters:
   • Connect to selected server olny: CHECK
   • Connect to this network automatically: set as desired
   • Bypass proxy server: DO NOT CHECK (in order to use the local Tor proxy)
   • Use SSL for all the servers on this network: CHECK (to set TSL–encrypted mode)
   • Accept invalid SSL certificates: DO NOT CHECK
5. Enter user information specific to this connection (or CHECK the Use global user information box to use any "global" user information defined in the Network List window)
   Warning — The resulting User name must be that of the registered NickServ account!
6. Enter the parameters for authentication:
   • Login method: SASL EXTERNAL (cert)
   • Password: field disabled (the certificate associated with the registered NickServ account will be used)
7. Set the character set to use:
   • Character set: UTF-8
8. By selecting the Autojoin channels tab, you can also add a list of channels that will be automatically accessed once connected.

The configuration of the new freenode network will appear in the ~/.config/hexchat/servlist.conf file and will look like this:

    N=FreeNode-Tor
    I=mynickname
    i=mynickname_secondary
    U=myusername
    R=myrealname
    L=10
    E=UTF-8 (Unicode)
    F=118
    D=0
    S=ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion

You can now connect via Tor+SASL to the newly created network.

References

[ Document edited by: alexus ]