CertFP

The recommended way to secure your NickServ account.

Generating a cert

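The following will generate an Ed25519 certificate compatible with ouch and most other IRCds. Because of -nodes the private key is not encrypted, and both the key and the certificate are written to ouch.pem, so keep that file readable only by you.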

openssl req -x509 -new -newkey ed25519 -sha256 -nodes -out ouch.pem -keyout ouch.pem

Finding your fingerprint

Once connected with your client configured to use the certificate, performing a whois on yourself will return your fingerprint.

Adding fingerprint to nickserv

When logged into NickServ you can simply /msg nickserv cert add {fingerprint}
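
To confirm that the fingerprint shown in whois belongs to the certificate in ouch.pem before adding it to NickServ, the script below computes the fingerprint from the certificate block and checks the file's permissions. It is an added example, not part of ouch's own documentation or tooling. It assumes the server hashes the DER certificate with SHA-256; the function names are illustrative and the sample PEM is constructed placeholder data.

```python
import base64, hashlib, os, re, stat

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der(pem_text):
    """DER bytes of the first CERTIFICATE block; key blocks are ignored."""
    m = CERT_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def certfp(pem_text, algo="sha256"):
    """Hex digest of the DER certificate (SHA-256 is an assumption here)."""
    return hashlib.new(algo, cert_der(pem_text)).hexdigest()

def normalise(fp):
    """Drop colons/whitespace and lowercase, so print styles compare equal."""
    return re.sub(r"[:\s]", "", fp).lower()

def same_fingerprint(local, reported):
    return normalise(local) == normalise(reported)

def key_exposed(path):
    """True if the PEM (which holds an unencrypted key) is open to group/others."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def pem_block(label, der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample laid out like a combined key-and-certificate file.
# The bytes are placeholders, not a real key or certificate.
SAMPLE_CERT_DER = b"constructed placeholder certificate bytes"
SAMPLE_PEM = (pem_block("PRIVATE KEY", b"constructed placeholder key bytes")
              + pem_block("CERTIFICATE", SAMPLE_CERT_DER))

if __name__ == "__main__":
    fp = certfp(SAMPLE_PEM)
    whois_style = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()
    print("local fingerprint:", fp)
    print("matches whois-style form:", same_fingerprint(fp, whois_style))
```

For a real file, pass the contents of ouch.pem to certfp() and the path to key_exposed(); if the result does not match what whois reports, try algo="sha512" before assuming the wrong certificate was sent.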

Client Specifics

ZNC

ZNC has a cert module that you can enable. Once enabled, you can copy/paste the contents of your cert file ouch.pem into the Certificates portion of the web interface.

weechat

WeeChat uses the /set command to edit the network configuration; /fset is commonly used to look up specific options. For example, /fset sasl will return all the SASL options in WeeChat. After creating your cert .pem file, create a directory inside the directory where your WeeChat configuration is stored, for example certs (the name doesn't matter), and put the file there. You can use %h/certs/client.pem as shorthand for its path.

If you are using Tor, make sure the Tor fingerprint is set, not the fingerprint derived from your .pem file. The following options need to be /set in WeeChat:

irc.server.<network name>.sasl_mechanism external
irc.server.<network name>.sasl_password <password>
irc.server.<network name>.sasl_username <username>

irc.server.<network name>.tls on
irc.server.<network name>.tls_cert %h/certs/client.pem
irc.server.<network name>.tls_fingerprint A4BC80696DAC936677DE0DCEA429D3B985C8A67449C5E54EB773BE5F5FBE9ECD
irc.server.<network name>.tls_verify on

If you aren't using Tor, you can leave the tls_fingerprint option empty.

hexchat

TODO