So you’ve opened up your IRC client and connected to a server.  Now what?  You do this:

/msg nickserv identify $uper$ecretPa$$word

If you’re having to authenticate like this every time, SASL is just what you need!

SASL

SASL stands for Simple Authentication and Security Layer, and is a framework for authentication and data security.  If you’d like to read more about SASL, click here.  We won’t go too in-depth with the technical details of how SASL functions here, but we will walk through the setup with WeeChat.

Supported SASL Authentication Methods

Also, aside from plaintext or external cert authentication (which freenode doesn’t support), none of these are standard SASL authentication methods.

So, you’re basically left with a choice between using a plaintext password, or the nist256p challenge.  None of these seem like great options, but I feel like nist256p is still a step in the right direction.

Using SASL With ECDSA-NIST256P-CHALLENGE

Now that you understand all your options are essentially shitty, let’s set up SASL!

First, we need to generate a private key using OpenSSL.  We need to use the following curve: prime256v1: X9.62/SECG curve over a 256 bit prime field

openssl ecparam -name prime256v1 -genkey -out ~/.weechat/prime256.pem

This will generate a private key and save it to ~/.weechat/prime256.pem.  The key is written unencrypted, so keep the file readable only by your own user.

Now that you have your private key, we will extract the public key from it, and hand that to freenode for authentication.

Extract the base64 encoded public key with the following command:

openssl ec -noout -text -conv_form compressed -in ~/.weechat/prime256.pem | grep '^pub:' -A 3 | tail -n 3 | tr -d ' \n:' | xxd -r -p | base64

This is your public key.  Assuming you are connected and authenticated on freenode currently, set your public key with

/msg nickserv set pubkey AwdtVZR19Cw9gJjaz2ARLJCqBuNjvk1LJgTENV6g8N9J

Obviously, don’t use the public key I generated for this tutorial, use yours.  Now that your keys are set up, all you need to do is configure your client to use them!

Set the following:

/set irc.server.freenode.sasl_mechanism ecdsa-nist256p-challenge
/set irc.server.freenode.sasl_username "your_nickname"
/set irc.server.freenode.sasl_key "%h/prime256.pem"

Once you’ve done that, you’re ready to rock-n-roll, my friend.

/reconnect freenode
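
The public key pipeline earlier scrapes openssl’s text output with grep and tail, so a changed layout or a forgotten -conv_form flag silently yields the wrong bytes.  The following is an added example, not part of the original post: it reads candidate key strings from standard input and checks that each is a 33-byte compressed point on prime256v1 before you hand it to NickServ.  decode_pubkey is a hypothetical helper name; the constants are the standard P-256 curve parameters.

```python
import base64
import binascii

# Standard NIST P-256 (prime256v1) parameters: y^2 = x^3 - 3x + B (mod P)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b


def decode_pubkey(b64_key):
    """Return (x, y) for a base64 compressed P-256 point, or raise ValueError.

    Hypothetical helper for this example, not a WeeChat or NickServ API.
    """
    try:
        raw = base64.b64decode(b64_key.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) == 65 and raw[0] == 0x04:
        raise ValueError("uncompressed point; rerun with -conv_form compressed")
    if len(raw) != 33:
        raise ValueError(f"expected 33 bytes, got {len(raw)}")
    if raw[0] not in (0x02, 0x03):
        raise ValueError(f"bad prefix byte 0x{raw[0]:02x}, expected 0x02 or 0x03")
    x = int.from_bytes(raw[1:], "big")
    if x >= P:
        raise ValueError("x coordinate is not a field element")
    # Right-hand side of the curve equation. P % 4 == 3, so a square root,
    # if one exists, is rhs^((P+1)/4) mod P.
    rhs = (pow(x, 3, P) - 3 * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x coordinate is not on prime256v1")
    # The prefix byte encodes the parity of y: 0x02 even, 0x03 odd.
    if y % 2 != raw[0] - 2:
        y = P - y
    return x, y


if __name__ == "__main__":
    import sys
    for line in sys.stdin:
        try:
            decode_pubkey(line)
            print("ok: 33-byte compressed prime256v1 point")
        except ValueError as err:
            print(f"rejected: {err}")
```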

Happy SASLing!