Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

IRC servers uptime status Webchat uptime status

CertFP

The recommended way to secure your nickserv account

Generating a cert

The following will generate a ed25519 compatible with ouch and most other ircds

openssl req -x509 -new -newkey ed25519 -sha256 -nodes -out ouch.pem -keyout ouch.pem

Finding your fingerprint

Once connected with your client configured to use the certificate, performing a whois on yourself will return your fingerprint

Adding fingerprint to nickserv

When logged into NickServ you can simply /msg nickserv cert add {fingerprint}

Client Specifics

ZNC

ZNC has a cert module that you can enable. Once enabled you can copy/paste your cert file ouch.pem into the Certificates portion of the web interface

weechat

Weechat uses the /set command to edit the network configuration, however, /fset is commonly used to check for specific options. For example, /fset sasl will return all the sasl options in weechat. After creating your cert .pem file, make a directory where your weechat configuration is stored called /certs (it doesn’t matter what the name is) and put the file there. You can use %h/certs/client.pem as shorthand.

If you are using tor make sure the tor fingerprint is set, not the fingerprint derived from your .pem file. The following options need to be /set in weechat:

irc.server.<network name>.sasl_mechanism external
irc.server.<network name>.sasl_password <password>
irc.server.<network name>.sasl_username <username>

irc.server.<network name>.tls on
irc.server.<network name>.tls_cert %h/certs/client.pem
irc.server.<network name>.tls_fingerprint A4BC80696DAC936677DE0DCEA429D3B985C8A67449C5E54EB773BE5F5FBE9ECD
irc.server.<network name>.tls_verify on

If you aren’t using tor you can leave the tls_fingerprint option empty.

hexchat

Place your cert at ~/.config/hexchat/certs/<NetworkName>.pem (Windows: %APPDATA%\HexChat\certs\<NetworkName>.pem), where <NetworkName> matches the network’s name exactly as it appears in HexChat’s Network List. If no network-named file exists, HexChat falls back to client.pem for every network. The cert must not be password protected, so the same openssl command from Generating a cert above works as-is.

Then, in the Network List, select ouch and click Edit, set the port to 6697, make sure SSL is enabled, and set “Login method” to SASL EXTERNAL (cert).

As with weechat, if you are connecting via tor make sure your client is configured with the network’s TLS fingerprint, not the fingerprint derived from your own .pem file.