freenode now supports SSL access since their recent migration to ircd-seven.
However, XChat won't work "out of the box" unless you allow "Accept invalid SSL certificate", which defeats one of the key advantages of using SSL in the first place.
freenode's IRC Servers documentation has a section titled "Accessing freenode Via SSL," but it doesn't tell you which certificates you really need. That's partially answered on the FAQ page, which has a link to GandiStandardSSLCA. But they don't tell you this is actually an intermediate certificate that depends on two other Comodo certificates:
- UTNAddTrustServerCA a/k/a UTN_USERFirst_Hardware_Root_CA
- AddTrustExternalCARoot a/k/a AddTrust_External_Root
So you may need to install up to three trusted
certificates before SSL will work properly.
One "gotcha": if you have certificate files that look like binary data, they're probably in DER format. XChat uses OpenSSL, which wants to see PEM (base64) format instead. Fortunately, it's easy to convert formats:
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
(You shouldn't need to specify -outform PEM since
that's supposed to be the default.)
If you drop a certificate into /etc/ssl/certs/,
you need to symlink its hash value as well:
openssl x509 -in GandiStandardSSLCA.pem -noout -hash
This will print eight hex digits. Append .0 to that and use the result as the link name, creating the link inside /etc/ssl/certs/ so that the relative target resolves:
ln -s GandiStandardSSLCA.pem 3a57595e.0
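
The steps above combined into one shell function, as an added example that is not part of the original post; install_ca_cert and its two arguments are hypothetical names. It goes one step beyond the text: when another certificate with the same hash already holds the .0 link, it takes the next free suffix (.1, .2, ...), which is how OpenSSL's hashed directories handle collisions.

```shell
#!/bin/sh
# Added example; install_ca_cert, its arguments and file names are hypothetical.
# Usage: install_ca_cert GandiStandardSSLCA.crt /etc/ssl/certs
install_ca_cert() {
    src=$1
    dir=$2
    name=$(basename "$src")
    pem="${name%.*}.pem"

    # Write a PEM copy into the directory: try the file as PEM first,
    # then as DER (the "looks like binary data" case).
    if openssl x509 -in "$src" -out "$dir/$pem.tmp" 2>/dev/null; then
        :
    elif openssl x509 -inform DER -in "$src" -out "$dir/$pem.tmp" 2>/dev/null; then
        :
    else
        rm -f "$dir/$pem.tmp"
        echo "not a PEM or DER certificate: $src" >&2
        return 1
    fi
    mv "$dir/$pem.tmp" "$dir/$pem" || return 1

    # Eight hex digits derived from the certificate's subject name.
    subj_hash=$(openssl x509 -in "$dir/$pem" -noout -hash) || return 1

    # Find the link slot: reuse a link that already points at this file,
    # otherwise skip slots taken by other certificates with the same hash.
    n=0
    while [ -e "$dir/$subj_hash.$n" ] || [ -L "$dir/$subj_hash.$n" ]; do
        if [ "$(readlink "$dir/$subj_hash.$n")" = "$pem" ]; then
            echo "$subj_hash.$n"
            return 0
        fi
        n=$((n + 1))
    done

    # Relative link created inside the directory, as with ln -s above.
    (cd "$dir" && ln -s "$pem" "$subj_hash.$n") || return 1
    echo "$subj_hash.$n"
}
```

The function prints the name of the link it created or reused, and returns non-zero without creating a link if the input is neither PEM nor DER.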