IRC

Pseudo-Secure Authentication With Weechat

October 30, 2017 | IRC

So you’ve opened up your IRC client and connected to a server.  Now what?  You do this:

/msg nickserv identify $uper$ecretPa$$word

If you’re having to authenticate like this every time, SASL is just what you need!

SASL

SASL stands for Simple Authentication and Security Layer, and is a framework for authentication and data security.  If you’d like to read more about SASL, click here.  We won’t go too in-depth with the technical details of how SASL functions here, but we will walk through the setup with Weechat.

Supported SASL Authentication Methods

Also, aside from plaintext or external cert authentication (which freenode doesn’t support), none of these are standard SASL authentication methods.

So, you’re basically left with a choice between using a plaintext password or the nist256p challenge.  None of these seem like great options, but I feel like nist256p is still a step in the right direction.

Using SASL With ECDSA-NIST256P-CHALLENGE

Now that you understand all your options are essentially shitty, let’s set up SASL!

First, we need to generate a private key using OpenSSL.  We need to use the following curve: prime256v1 (X9.62/SECG curve over a 256 bit prime field).

openssl ecparam -name prime256v1 -genkey -out ~/.weechat/prime256.pem

This will generate a private key and save it to ~/.weechat/prime256.pem.

Now that you have your private key, we will extract the public key from it, and hand that to freenode for authentication.

Extract the base64 encoded public key with the following command:

openssl ec -noout -text -conv_form compressed -in ~/.weechat/prime256.pem | grep '^pub:' -A 3 | tail -n 3 | tr -d ' \n:' | xxd -r -p | base64

This is your public key.  Assuming you are connected and authenticated on freenode currently, set your public key with

/msg nickserv set pubkey AwdtVZR19Cw9gJjaz2ARLJCqBuNjvk1LJgTENV6g8N9J

Obviously, don’t use the public key I generated for this tutorial, use yours.  Now that your keys are set up, all you need to do is configure your client to use them!

Set the following:

/set irc.server.freenode.sasl_mechanism ecdsa-nist256p-challenge
/set irc.server.freenode.sasl_username "your_nickname"
/set irc.server.freenode.sasl_key "%h/prime256.pem"

Once you’ve done that, you’re ready to rock-n-roll, my friend.

/reconnect freenode
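Since the post skips how the mechanism actually works, here is an added example (my own code, not WeeChat’s, freenode’s or the author’s) that models ECDSA-NIST256P-CHALLENGE in pure Python.  It derives the same kind of base64 string the openssl pipeline above prints (the SEC1 compressed P-256 point; that is why the sample key starts with "Aw", the base64 of a leading 0x03 byte), then plays both sides of the handshake: the server sends a random 32-byte challenge, the client signs it with the private key, and the server verifies the signature with the registered public key.  Assumptions: the SASL message framing is omitted, the challenge is signed directly as the ECDSA digest, and a private scalar stands in for the contents of prime256.pem.

```python
# Added example: pure-Python model of ECDSA-NIST256P-CHALLENGE (not WeeChat or freenode code).
import base64
import secrets

# NIST P-256 (prime256v1): y^2 = x^3 + A*x + B over GF(P); base point G has prime order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Double-and-add; not constant-time, which is fine for a demonstration only."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def derive_pubkey(priv):
    """What `/msg nickserv set pubkey ...` expects: base64 of the compressed public point,
    i.e. the same thing the openssl | xxd | base64 pipeline prints for prime256.pem."""
    x, y = scalar_mult(priv, G)
    compressed = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")  # 0x02/0x03 prefix + X
    return base64.b64encode(compressed).decode()

def parse_pubkey(pubkey_b64):
    """Server side: decompress the registered key (P = 3 mod 4, so sqrt is one pow)."""
    raw = base64.b64decode(pubkey_b64)
    if len(raw) != 33 or raw[0] not in (2, 3):
        raise ValueError("not a compressed P-256 point")
    x = int.from_bytes(raw[1:], "big")
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not on the curve")
    if (y & 1) != (raw[0] & 1):
        y = P - y
    return (x, y)

def sign(priv, challenge):
    """Client: ECDSA over the challenge; k must be fresh and secret for every signature."""
    z = int.from_bytes(challenge, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s:
            return (r, s)

def verify(pub, challenge, sig):
    """Server: accept only if the signature matches the registered public key."""
    r, s = sig
    if not (0 < r < N and 0 < s < N and on_curve(pub)):
        return False
    z = int.from_bytes(challenge, "big")
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def run_handshake(client_priv, registered_pubkey_b64):
    """Model of the exchange: server challenges, client signs, server verifies."""
    challenge = secrets.token_bytes(32)        # server -> client
    signature = sign(client_priv, challenge)   # client -> server
    return verify(parse_pubkey(registered_pubkey_b64), challenge, signature)

if __name__ == "__main__":
    priv = secrets.randbelow(N - 1) + 1        # constructed stand-in for prime256.pem
    pub_b64 = derive_pubkey(priv)
    print("pubkey to register:", pub_b64)
    print("handshake ok:", run_handshake(priv, pub_b64))
```

Run it directly and it prints a fresh pubkey string and `handshake ok: True`.  The point for defenders: only the public key ever reaches the network and the server, while the private key in ~/.weechat/prime256.pem is the whole credential.  Keep that file readable by your user only (chmod 600) and treat a copy of it exactly like a copy of the password it replaced.  The curve arithmetic here is not constant-time; a real client leaves that to OpenSSL or GnuTLS.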

Happy SASLing!

Secure IRC Communication With Weechat

October 29, 2017 | IRC

TLS

To use SSL/TLS you are going to want to go to the server settings for your client.  I use iset to change settings.  If you don’t have iset, you can install it with the instructions below:

Installing iset

  1.  Type /script and hit enter
  2.  At the script menu, either navigate to iset or type iset and hit enter to use the script filter.
  3.  Once you’ve selected iset, press 'i' and hit enter.
  4.  Now you should be able to run /iset

Assuming you now have iset, you should be able to simply type the name of your server and hit enter to get to the server settings.  In my case, I use the filter 'freenode' because I named my connection something that makes sense.

Using iset

When inside of the iset menu, you can select any value you wish to edit with the arrow keys.  Once a desired value is selected, press ALT+Enter to pre-populate the text to set it in the command line.  You can edit it as you wish, and press Enter to update the value.

If that doesn’t work (I’ve seen ALT+Enter bug out before with certain window managers), you can still type the text manually.  You’ll type /set blah.blah.blah.blah value

To toggle the value of a boolean, (on/off) press ALT+Space.

Setting the TLS port

For the address, you are going to want to set a TLS port after the freenode address.  You cannot use TLS unless you do this.

freenode provides SSL client access on all servers, on ports 6697, 7000 and 7070. Users connecting over SSL will be given user mode +Z, and their use of a secure connection will appear in WHOIS (a 671 numeric).

I opted for port 6697, and set that accordingly.  Set a TLS port after the value for “irc.server.{servername}.addresses”.  You should know how to do this using iset and the above instructions.

[Screenshot: ssl port]

This is what you should see now.

Turning SSL/TLS on and setting the key size

Next, turn SSL on and set the Diffie-Hellman key size to something that makes you feel good about security.  I chose 2048 bytes for pretty much no particular reason.

[Screenshot: key size]

Other Settings

Ensure ssl_verify is turned on for the best security.

/set irc.server.freenode.ssl_verify on

You can also customize your cipher suite using priority strings from gnutls.  I prioritized good security with the following string, which enables the 192-bit and 128-bit secure ciphers and allows only TLS 1.2 (which does work on freenode).

/set irc.server.freenode.ssl_priorities "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2"

Reconnect

That should do it.  Do /reconnect freenode and you should now have mode +Z in channels and be happily communicating on an encrypted line!
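As an added example (not part of the post, and not WeeChat code), the following Python linter reads the [server] section of a WeeChat irc.conf and reports the settings this post changes: addresses pointing at a non-TLS port, ssl or ssl_verify off, ssl_dhkey_size below 2048 (the option is a key size in bits), and an ssl_priorities string that still permits TLS versions below 1.2.  Both config blocks are constructed for the demonstration, and the GnuTLS priority check is a deliberately conservative string-level reading, not a full parser.

```python
# Added example: lint the TLS options of a WeeChat irc.conf [server] block (not WeeChat code).
import re

# TLS ports freenode lists for client access (quoted in the post above)
FREENODE_TLS_PORTS = {6697, 7000, 7070}
# Protocol versions below TLS 1.2 that the priority string must not leave enabled
OLD_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1"}

# Constructed sample configs: the plaintext starting point and the post's end state
WEAK_CONF = """\
[server]
freenode.addresses = "chat.freenode.net/6667"
freenode.ssl = off
freenode.ssl_verify = off
freenode.ssl_dhkey_size = 1024
"""

HARDENED_CONF = """\
[server]
freenode.addresses = "chat.freenode.net/6697"
freenode.ssl = on
freenode.ssl_verify = on
freenode.ssl_dhkey_size = 2048
freenode.ssl_priorities = "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2"
"""

def parse_server_options(conf, server):
    """Return {option: value} for one server from a WeeChat irc.conf [server] section
    (lines look like `freenode.ssl = on`; quotes around string values are dropped)."""
    opts = {}
    pattern = re.compile(r"^" + re.escape(server) + r"\.(\w+)\s*=\s*(.*)$")
    for line in conf.splitlines():
        match = pattern.match(line.strip())
        if match:
            opts[match.group(1)] = match.group(2).strip().strip('"')
    return opts

def priority_allows_old_tls(priority):
    """Conservative reading of a GnuTLS priority string: do any versions below TLS 1.2
    survive?  Base keywords (SECURE192, NORMAL, ...) are assumed to enable them, so only
    an explicit -VERS-ALL / -VERS-TLS-ALL or per-version removal clears them."""
    enabled = set(OLD_VERSIONS)
    for keyword in priority.split(":"):
        if keyword == "-VERS-ALL":
            enabled.clear()
        elif keyword == "-VERS-TLS-ALL":
            enabled.difference_update({"TLS1.0", "TLS1.1"})
        elif keyword.startswith("+VERS-") and keyword[6:] in OLD_VERSIONS:
            enabled.add(keyword[6:])
        elif keyword.startswith("-VERS-") and keyword[6:] in OLD_VERSIONS:
            enabled.discard(keyword[6:])
    return bool(enabled)

def lint_tls(conf, server="freenode", tls_ports=FREENODE_TLS_PORTS):
    """Return a list of findings; an empty list means the block matches the post's setup."""
    opts = parse_server_options(conf, server)
    findings = []
    if opts.get("ssl") != "on":
        findings.append("ssl is not on: the connection is plaintext")
    if opts.get("ssl_verify") != "on":
        findings.append("ssl_verify is not on: the server certificate is not checked")
    for addr in opts.get("addresses", "").split(","):
        host, _, port = addr.strip().partition("/")
        if not port.isdigit() or int(port) not in tls_ports:
            findings.append(f"{host or '?'}: port {port or 'unset'} is not a TLS port {sorted(tls_ports)}")
    size = opts.get("ssl_dhkey_size", "0")
    if not size.isdigit() or int(size) < 2048:  # the option is a size in bits
        findings.append(f"ssl_dhkey_size {size} is below 2048 bits")
    if priority_allows_old_tls(opts.get("ssl_priorities", "")):
        findings.append("ssl_priorities leaves TLS versions below 1.2 enabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_tls(conf) or ["ok"])
```

Point it at your own irc.conf (WeeChat keeps it under ~/.weechat by default) after the /reconnect and it should come back clean; if the connection fails on a restrictive network as described in the notes below, the linter at least tells you whether the client side is still configured to refuse a plaintext fallback.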

Notes

If you’re behind some kind of corporate firewall (e.g. you’re at work or school), don’t be surprised if this fails.  Why this is blocked is beyond me, but I’ve had mixed luck connecting to IRC servers on work and school networks.  Sometimes not using a secure connection is the only connection you can make, so keep that in mind.