I finally got around to setting up TLS to the IRC servers that I use. It is incredible that this is not default or that there does not even seem to be conventional ports. Freenode suggests 6697, 7000, and 7070, but there is an independent draft standard for 6697.
Another server I connect to is protected by a wildcard domain certificate, but WeeChat did not want to verify the certificate:
    09:09:28 xmission -- | irc: reconnecting to server...
    09:09:28 xmission -- | irc: connecting to server irc.xmission.com/6697 (SSL)...
    09:09:28 xmission -- | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange
    09:09:28 xmission -- | gnutls: receiving 1 certificate
    09:09:28 xmission -- | - certificate[1] info:
    09:09:28 xmission -- | - subject `CN=*.xmission.com,O=XMission Networks
    09:09:28 xmission -- | LLC,L=Salt Lake City,ST=Utah,C=US', issuer
    09:09:28 xmission -- | `CN=DigiCert SHA2 Secure Server CA,O=DigiCert
    09:09:28 xmission -- | Inc,C=US', serial
    09:09:28 xmission -- | 0x081a17d0d17cfe5abd82f38b2396070e, RSA key
    09:09:28 xmission -- | 2048 bits, signed using RSA-SHA256, activated
    09:09:28 xmission -- | `2016-02-09 00:00:00 UTC', expires `2019-04-12
    09:09:28 xmission -- | 12:00:00 UTC', key-ID
    09:09:28 xmission -- | `sha256:a9fbe66d6490806d4c827c9a22f63c3985ffc689af85c737d060458f605b121d'
    09:09:28 xmission =!= | gnutls: peer's certificate is NOT trusted
    09:09:28 xmission =!= | gnutls: peer's certificate issuer is unknown
    09:09:28 xmission =!= | irc: TLS handshake failed
    09:09:28 xmission =!= | irc: error: Error in the certificate.
I'm not particularly interested in why the CA certificate bundle that ships with openssl or certifi (mozilla) (both of which I tried) do not automagically enable all the encryptions for this domain since I was able to find an easy workaround for my use case. The workaround involves downloading the certificate and extracting the fingerprint.
    $ SERVER=irc.xmission.com
    $ PORT=6697
    $ echo -n | openssl s_client -connect $SERVER:$PORT 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha256
    SHA256 Fingerprint=D9:47:5E:E4:69:24:09:7D:57:B9:5A:A1:2F:B6:3D:94:C5:19:A2:85:46:47:F8:02:3B:24:DF:0A:87:08:33:C9
WeeChat needs the fingerprint without the delimiters (:) at the byte boundaries, so (I'm sure the multiple sed and openssl commands could be factored but that's ostensibly too much effort for the present need):
    $ echo -n | openssl s_client -connect $SERVER:$PORT 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha256 | sed 's/SHA256 Fingerprint=//' | sed 's/://g'
    D9475EE46924097D57B95AA12FB63D94C519A2854647F8023B24DF0A870833C9
Now, if you randomly happen to have the exact same problem that triggered this descent of inquiry as I, execute the following commands in WeeChat:
    /set irc.server.xmission.address irc.xmission.com/6697
    /set irc.server.xmission.ssl on
    /set irc.server.xmission.ssl_fingerprint D9475EE46924097D57B95AA12FB63D94C519A2854647F8023B24DF0A870833C9
    /save
    ...
    /reconnect xmission
    ...
    13:02:10 xmission -- | irc: disconnected from server
    13:02:10 xmission -- | irc: connecting to server irc.xmission.com/6697 (SSL)...
    13:02:10 xmission -- | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange
    13:02:10 xmission -- | gnutls: receiving 1 certificate
    13:02:10 xmission -- | - certificate[1] info:
    13:02:10 xmission -- | - subject `CN=*.xmission.com,O=XMission Networks
    13:02:10 xmission -- | LLC,L=Salt Lake City,ST=Utah,C=US', issuer
    13:02:10 xmission -- | `CN=DigiCert SHA2 Secure Server CA,O=DigiCert
    13:02:10 xmission -- | Inc,C=US', serial
    13:02:10 xmission -- | 0x081a17d0d17cfe5abd82f38b2396070e, RSA key
    13:02:10 xmission -- | 2048 bits, signed using RSA-SHA256, activated
    13:02:10 xmission -- | `2016-02-09 00:00:00 UTC', expires `2019-04-12
    13:02:10 xmission -- | 12:00:00 UTC', key-ID
    13:02:10 xmission -- | `sha256:a9fbe66d6490806d4c827c9a22f63c3985ffc689af85c737d060458f605b121d'
    13:02:10 xmission -- | gnutls: certificate fingerprint matches
    13:02:10 xmission -- | irc: connected to irc.xmission.com/6697 (198.60.22.35)
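The openssl/sed pipeline above can be factored into one small script. The following is an added example, not code from the original post or from WeeChat: it fetches the server's leaf certificate with Python's standard library, takes the SHA-256 over the DER encoding (which is exactly what `openssl x509 -fingerprint -sha256` prints), strips the colons into the form `irc.server.<name>.ssl_fingerprint` accepts, and emits the `/set` commands. The `fetch_pem`, `pem_to_der`, `fingerprint_sha256`, `weechat_format`, `fingerprint_matches` and `weechat_commands` names are mine, and the `SAMPLE_S_CLIENT_OUTPUT` text is constructed (its "certificate" body is just base64 of `abc`) so the formatting logic can be exercised offline.

```python
"""Compute the WeeChat ssl_fingerprint value for an IRC server's TLS certificate.

Added example (not from the original post). Usage:
    python irc_fingerprint.py                       # offline demo on constructed input
    python irc_fingerprint.py irc.xmission.com 6697 xmission   # live fetch
"""
import base64
import hashlib
import hmac
import re
import socket
import ssl
import sys

# Same range the post's sed expression selects: first BEGIN..END CERTIFICATE block.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for `openssl s_client` output; the "certificate" is base64("abc"),
# not a real X.509 object, which is enough to exercise extraction and hashing offline.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = example.invalid\n"
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
    "---\n"
)


def fetch_pem(host, port=6697, timeout=10.0):
    """Return the server's leaf certificate as PEM text.

    Verification is disabled on purpose: the certificate we want to pin is one
    the local CA bundle rejects, so validating it here would defeat the fetch.
    Only the certificate bytes are taken from this connection, nothing else.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(text):
    """Extract the first PEM certificate block from arbitrary text and decode it."""
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks inside the base64 body
    return base64.b64decode(body, validate=True)


def fingerprint_sha256(pem_text):
    """SHA-256 over the DER bytes, upper-case hex without colons: WeeChat's format."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()


def weechat_format(openssl_line):
    """Turn `SHA256 Fingerprint=D9:47:...` (openssl x509 output) into the colon-free
    form; this is what the two trailing sed commands in the post do."""
    _, _, value = openssl_line.strip().partition("=")
    return value.replace(":", "").upper()


def fingerprint_matches(expected, observed):
    """Compare two fingerprints regardless of case or colon delimiters, in
    constant time so the comparison itself leaks nothing about the pin."""
    def norm(s):
        return s.replace(":", "").strip().upper()
    return hmac.compare_digest(norm(expected), norm(observed))


def weechat_commands(server_name, host, port, fingerprint):
    """The /set lines from the post, parameterised on server name, host and port."""
    return [
        "/set irc.server.%s.address %s/%d" % (server_name, host, port),
        "/set irc.server.%s.ssl on" % server_name,
        "/set irc.server.%s.ssl_fingerprint %s" % (server_name, fingerprint),
        "/save",
    ]


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 6697
        name = sys.argv[3] if len(sys.argv) > 3 else host.split(".")[-2]
        fp = fingerprint_sha256(fetch_pem(host, port))
    else:
        host, port, name = "example.invalid", 6697, "example"
        fp = fingerprint_sha256(SAMPLE_S_CLIENT_OUTPUT)
    print("SHA-256 fingerprint:", fp)
    print("\n".join(weechat_commands(name, host, port, fp)))
```

Two caveats a practitioner should keep in mind with this workaround. First, the `key-ID sha256:a9fb...` that GnuTLS prints in the WeeChat log is a hash of the certificate's public key, not of the certificate, which is why it differs from the `D947...` value; it is not the string to put in `ssl_fingerprint`. Second, setting `ssl_fingerprint` makes WeeChat accept the server on fingerprint match alone, so the pin is only as good as the connection it was taken from, and it stops matching the moment the server reissues its certificate (the one in the log expires 2019-04-12), at which point the fetch has to be repeated and the new value checked before it is saved.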
You will have to verify whether your IRC server respects port 6697 as the TLS port.
