TLS

To use SSL/TLS you are going to want to go to the server settings for your client.  I use iset to change settings.  If you don’t have iset, you can install it with the instructions below:

Installing iset

  1.  Type /script and hit enter
  2.  At the script menu, either navigate to iset or type iset and hit enter to use the script filter.
  3.  Once you’ve selected iset, press ‘i’ and hit enter.
  4.  Now you should be able to run /iset

Assuming you now have iset, you should be able to simply type the name of your server and hit enter to get to the server settings.  In my case, I use the filter ‘freenode’ because I named my connection something that makes sense.

Using iset

When inside of the iset menu, you can select any value you wish to edit with the arrow keys.  Once a desired value is selected, press ALT+Enter to pre-populate the text to set it in the command line.  You can edit it as you wish, and press Enter to update the value.

If that doesn’t work (I’ve seen ALT+Enter bug out before with certain window managers), you can still type the text manually.  You’ll type /set blah.blah.blah.blah value

To toggle the value of a boolean (on/off), press ALT+Space.

Setting the TLS port

For the address, you are going to want to set a TLS port after the freenode address.  You cannot use TLS unless you do this.

freenode provides SSL client access on all servers, on ports 6697, 7000 and 7070. Users connecting over SSL will be given user mode +Z, and “is using a secure connection” will appear in WHOIS (a 671 numeric).

I opted for port 6697, and set that accordingly.  Set a TLS port after the value for “irc.server.{servername}.addresses”.  You should know how to do this using iset and the above instructions.

[Screenshot: ssl port]

This is what you should see now.

Turning SSL/TLS on and setting the key size

Next, turn SSL on and set the Diffie-Hellman key size to something that makes you feel good about security.  I chose 2048 bytes for pretty much no particular reason.

[Screenshot: key size]

Other Settings

Ensure ssl_verify is turned on for the best security:

/set irc.server.freenode.ssl_verify on

You can also customize your cipher suite using priority strings from GnuTLS.  I prioritized good security with the following string, which enables the 192-bit and 128-bit secure ciphers, and allows only TLS 1.2 (which does work on freenode):

/set irc.server.freenode.ssl_priorities "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2"

Reconnect

That should do it.  Do /reconnect freenode and you should now have mode +Z in channels and be happily communicating on an encrypted line!
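To check the result of the steps above without clicking through iset, here is an added example (not part of the original post) that audits the [server] section of WeeChat's irc.conf against the settings described here: a TLS port on the address, ssl on, ssl_verify on, and a priority string limited to TLS 1.2. It assumes the `name.option = value` line format of irc.conf and looks only at options set explicitly per server, so an option left to inherit from irc.server_default is reported as not set; the sample config, host names and the second server are constructed.

```python
import re

TLS_PORTS = {"6697", "7000", "7070"}  # TLS ports the post lists for freenode

# Constructed sample of the [server] section of irc.conf; host names and
# the second server are made up for this example.
SAMPLE_CONF = '''\
[server]
freenode.addresses = "irc.example.net/6697"
freenode.ssl = on
freenode.ssl_dhkey_size = 2048
freenode.ssl_verify = off
freenode.ssl_priorities = "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2"
oldnet.addresses = "irc.example.org/6667"
oldnet.ssl = off
'''

def parse_servers(conf_text):
    """Return {server: {option: value}} from 'name.option = value' lines."""
    servers, in_section = {}, False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[server]"
            continue
        m = re.match(r'^([^.\s]+)\.(\S+) = "?(.*?)"?$', line)
        if in_section and m:
            servers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return servers

def audit(opts):
    """List where one server's explicit options differ from the post's."""
    issues = []
    for addr in opts.get("addresses", "").split(","):
        if addr.rpartition("/")[2] not in TLS_PORTS:
            issues.append(f"address {addr!r} has no TLS port")
    for name in ("ssl", "ssl_verify"):
        if opts.get(name) != "on":
            issues.append(f"{name} is not set to on")
    tokens = opts.get("ssl_priorities", "").split(":")
    enabled = [t[6:] for t in tokens if t.startswith("+VERS-")]
    if "-VERS-ALL" not in tokens or enabled != ["TLS1.2"]:
        issues.append("ssl_priorities does not restrict to TLS 1.2")
    return issues

if __name__ == "__main__":
    for server, opts in parse_servers(SAMPLE_CONF).items():
        print(server, audit(opts) or "matches the post's settings")
```

To run it against a real configuration, pass the contents of your own irc.conf to parse_servers instead of SAMPLE_CONF.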

Notes

If you’re behind some kind of corporate firewall (i.e. you’re at work or school), don’t be surprised if this fails.  Why this is blocked is beyond me, but I’ve had mixed luck connecting to IRC servers on work and school networks.  Sometimes not using a secure connection is the only connection you can make, so keep that in mind.