Configuring Client SSL Certificates for Irssi

  1. Copy the cert you made into your ~/.irssi directory. Make sure the filesystem permissions restrict read access for the file to just you.

    mv mynick.pem ~/.irssi/mynick.pem

  2. (optional) To enable strict SSL validation, you may also need to tell irssi to trust the UTN-USERFirst-Hardware certificate. Either install the appropriate package (as explained on the IRC Servers page) or download the certificate.

    Copy or move the downloaded certificate PEM file to your ~/.irssi directory.

    mv UTN-USERFirst-Hardware.crt ~/.irssi/UTN-USERFirst-Hardware.pem

    You shouldn't need the following; the server should provide the Gandi intermediate cert when you connect. If you have trouble with it, though, you will need to convert the downloaded file into PEM format using:

    openssl x509 -inform der -in GandiStandardSSLCA.crt -out gandi.pem

    Then prepend gandi.pem to UTN-USERFirst-Hardware.pem, avoiding any extra newlines.

  3. We will add/edit a network for freenode. We'll creatively call it freenode. The network name is case-sensitive; which name you pick doesn't matter as long as you use it consistently.

    /network add -whois 1 -msgs 4 -kicks 1 -modes 4 freenode

    You might also add parameters for -nick, -user, and/or -realname. See /help network for details.

  4. In irssi, each network can support multiple servers, but we only need to add one:

    /server add -auto -ssl -ssl_cert ~/.irssi/mynick.pem -ssl_verify -ssl_cafile ~/.irssi/UTN-USERFirst-Hardware.pem -network freenode chat.freenode.net 6697

    If you skipped step two above, then omit the -ssl_verify and -ssl_cafile options.

  5. The next time you /connect freenode or start irssi, you will automatically be connected to freenode using your SSL certificate.

  6. After connecting with the updated configuration, /whois yournick will show:

    -!-           : is using a secure connection
    -!-           : has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195

    (Your fingerprint will be different, of course.)

  7. You can tell NickServ to automatically identify based on this certificate fingerprint by doing:

    /msg nickserv CERT ADD
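
The local checks behind steps 1, 6 and 7, as an added example that is not part of the original page: it restricts the certificate file to owner-only access and prints the certificate's fingerprint in the form /whois displays, so you can compare the two before running CERT ADD. It assumes the 40-hex-digit fingerprint is the SHA-1 digest of the certificate and that the openssl command-line tool is installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumption: the 40-hex-digit value /whois shows is the SHA-1 digest
# of the certificate.

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Ensure only the owner can access the certificate/key file (step 1).
# Prints the resulting mode; returns non-zero if the file is missing.
restrict_cert() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    case "$(file_mode "$1")" in
        600|400) ;;                # already owner-only
        *) chmod 600 "$1" ;;       # strip group/other access
    esac
    file_mode "$1"
}

# Turn openssl's "SHA1 Fingerprint=F1:EC:..." line into the lowercase,
# colon-free form that /whois prints (step 6).
normalise_fp() {
    sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate inside a PEM file (needs the openssl CLI).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | normalise_fp
}

# Usage, with the path from step 1:
#   restrict_cert ~/.irssi/mynick.pem && cert_fingerprint ~/.irssi/mynick.pem
```

If the printed value does not match what /whois reports for your nick, irssi is not presenting the certificate you think it is; check the -ssl_cert path from step 4 before adding the fingerprint to NickServ.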

If you know of any additions or corrections, or would like to contribute improvements, contact us at the email below.

Copyright © 2002 – 2013 by freenode Creative Commons License
Comments to email address: support at freenode dot net