Connecting to freenode using irssi

Question

This is arguably the same question as How to connect to freenode using Tor? except that the answers there seem to be outdated, as freenode now allows access via Tor again. However the instruction there is not clear to me. For example, it says in the end:

Note that due to the SSL certificates not matching the hidden service, you might have to disable the verification in your client. If your client supports key pinning, you can verify our Tor server's public key fingerprint:

E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D

You'll then want to tell your client to try the EXTERNAL mechanism. We lack comprehensive documentation for this, but it's a feature in most modern clients, so please check their docs for instructions for now.

I don't quite understand the first paragraph, and the second one is not very clear instruction to me...

Would anyone be able to give a step by step instruction as to how to connect to freenode via Tor using irssi (or any other client), especially how to set up the SASL with EXTERNAL mechanism and how this requires a client certificate to be generated and added to the NickServ?

Answer 1

After wrestling with this myself, here's what worked for me on Trisquel 7.

Ingredients:-

• Tor
• Torsocks
• irssi
• an irc nick registered with freenode (for the sake of example, the nick is "mary" and the password "m1nt_54uc3")

Recipe:-

1. Add the following line to the torrc file (/etc/tor/torrc)

   # For Freenode IRC
   mapaddress 10.40.40.40 freenodeok2gncmy.onion
   

   The address 10.40.40.40 is arbitrary, but it needs to be one that isn't going to be in use on your network.

2. Generate a client certificate and put it where irssi can find it

   $ openssl req -x509 -sha256 -new -newkey rsa:4096 -days 1000 -nodes \
                 -out FreenodeTor.pem -keyout FreenodeTor.pem
   Generating a 4096 bit RSA private key
   ...
   Common Name (e.g. server FQDN or YOUR name) []: mary
   $ mkdir -p ~/.irssi/certs
   $ mv FreenodeTor.pem ~/.irssi/certs/
   

   Set the "Common Name" to the registered nick (here, "mary"), the rest of the fields can be left blank (i.e. type .), but can probably be set to whatever you desire.

   Also note the validity period should be whatever makes sense to you; here we have set it to 1000 days.

3. Print out the certificate's fingerprint; remember it

   $ openssl x509 -in ~/.irssi/certs/FreenodeTor.pem -outform der \
     | sha1sum -b | cut -d' ' -f1
   

4. Connect to freenode over the normal internet and associate the certificate with the nick

   $ irssi
   [(status)] /connect irc.freenode.net
   [(status)] /msg NickServ identify <your password here>
   [(status)] /msg NickServ CERT ADD <fingerprint from step 3.>
   

5. Add a new network and server to irssi

   [(status)] /network add -sasl_username mary -sasl_password m1nt_54uc3 -sasl_mechanism EXTERNAL FreenodeTor
   [(status)] /server add -ssl -ssl_cert ~/.irssi/certs/FreenodeTor.pem -net FreenodeTor 10.40.40.40 6697
   

   This step didn't quite work correctly when I did it; I think because I left off -sasl_password. I had to go back and do a /network modify command to fix it. But don't worry, further below is what ~/.irssi/config should contain.

6. Add some info leakage prevention configuration

   [(status)] /ignore * CTCPS
   [(status)] /save
   [(status)] /quit
   

The next step is to start irssi with torsocks, but first check that the irssi config contains something like the following:-

servers = (
  ...
  {
    address = "10.40.40.40";
    chatnet = "FreenodeTor";
    port = "6697"; 
    use_tls = "yes";
    tls_cert = "~/.irssi/certs/FreenodeTor.pem";
    tls_verify = "no";
    autoconnect = "no";
  }
);

chatnets = {
  ...
  FreenodeTor = {  
    type = "IRC";  
    max_kicks = "1";
    max_msgs = "4";
    max_whois = "1";
    sasl_mechanism = "external";
    sasl_username = "mary";
    sasl_password = "m1nt_54uc3";
  };
};

settings = {
  core = { real_name = "mary"; user_name = "mary"; nick = "mary"; };
  ...
};
ignores = ( { level = "CTCPS"; } );

The final step:-

$ torsocks irssi
[(status)] /connect FreenodeTor

et voila! You should see something like:-

22:02 -!- Irssi: Connecting to 10.40.40.40 [10.40.40.40] port 6697
22:02 -!- Irssi: Certificate Chain:
22:02 -!- Irssi:   Subject: CN: zettel.freenode.net
22:02 -!- Irssi:   Issuer:  C: US, O: Let's Encrypt, CN: Let's Encrypt Authority X3
22:02 -!- Irssi:   Subject: C: US, O: Let's Encrypt, CN: Let's Encrypt Authority X3
22:02 -!- Irssi:   Issuer:  O: Digital Signature Trust Co., CN: DST Root CA X3
22:02 -!- Irssi: Protocol: TLSv1.2 (256 bit, DHE-RSA-AES256-GCM-SHA384)
22:02 -!- Irssi: EDH Key: 2048 bit DH
22:02 -!- Irssi: Public Key: 4096 bit RSA, valid from Mar  6 05:01:00 2017 GMT to Jun  4 05:01:00 2017 GMT
22:02 -!- Irssi: Public Key Fingerprint:  E0:1B:31:80:56:D9:78:C4:2B:2D:3F:B2:DB:81:AB:03:15:59:BF:04:7E:31:E8:60:5F:98:07:A1:BB:8F:A3:0D (SHA256)
22:02 -!- Irssi: Certificate Fingerprint: B3:2B:29:0D:01:45:8F:3A:08:78:81:21:8B:72:CF:E4:9F:B1:53:D2:DB:AB:52:0B:38:2A:8F:94:ED:87:65:BA (SHA256)
22:02 -!- Irssi: Connection to 10.40.40.40 established
22:02 !zettel.freenode.net *** Looking up your hostname...
22:02 !zettel.freenode.net *** Couldn't look up your hostname
22:02 -!- mary!mary@127.0.0.1 mary You are now logged in as mary.
22:02 -!- SASL authentication succeeded
22:02 !zettel.freenode.net *** Spoofing your IP
22:02 -!- Welcome to the freenode Internet Relay Chat Network mary
22:02 -!- Your host is zettel.freenode.net[127.0.0.1/12345], running version ircd-seven-1.1.4

References:-

• Freenode CertFP - an alternative to password-based authentication
• Freenode SASL - SASL config for various clients
• Freenode SASL irssi - SASL config for Irssi
• Freenode Tor - Freenode Tor connection details
• Tor Wiki irssi - Configuring irssi to connect through Tor (dated, but still interesting)