The Charybdis 4.1 upgrade imposed some changes on the TLS configuration of the servers, which change the way public certificates are fingerprinted across the networks. This was changed to fix inter-server authentication but also affects

How to add your new fingerprint

Because the servers are not currently set up using the new mechanism, you will need to compute the certificate by hand. This can be done with the
Note that only the more recent versions of GnuTLS give out SHA256 fingerprints. The above works on Debian stable with GnuTLS 3.5. If you are running older releases of GnuTLS (for example 3.4 only gives out a SHA1 checksum), you might need to use OpenSSL instead, for example:
This fingerprint can then be added to the configuration through
And you’re done! Alternatively, you can just wait for the authentication to fail and then authenticate with your password and use this to add the new certificate:
The above will naturally not work until we have performed the migration to the new fingerprint mechanism. The certificate fingerprint mechanism migration will occur in two weeks from publication of this notice, before the certificate expiry date (2018-07-03). The migration can be done without upgrading to 4.1: a server running version 4.1 does not necessarily use the new mechanism, and a server running 3.5 can still use it.

How to configure CERTFP authentication

Even if you do not currently use CERTFP to authenticate with the IRC server, you might want to consider adding it to your configuration anyway. It makes it possible to avoid storing cleartext passwords in your IRC configuration files and is generally considered more secure against brute-force attacks than password-based authentication. Even more so if you do not store the password in your configuration files: then you don’t have to remember the password and can use a much stronger one.

We have previously suggested following the OFTC guide to configure CERTFP, but when the new changes become live in two weeks, the configuration will be even simpler. All you need to do is generate a private key and add it to your IRC client’s configuration. This procedure here is an example using

First generate an RSA private key:
Then generate the fingerprint to send to
or with OpenSSL:
Send it to
And add the certificate to your configuration, for example:
The latter configuration and the path to the certificate file will change according to your IRC client configuration.

Problems?

If you have any problems with this, come and chat with us in the
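For the fingerprint step above, where GnuTLS and OpenSSL may report different digests or notations, the following added example (not part of the original notice) checks a tool-reported fingerprint against a certificate file. It assumes the fingerprint is the SHA-256 digest of the DER-encoded certificate; the function names and the sample bytes are constructed for illustration, and the method the servers actually use is not stated on this page.

```python
import hashlib
import ssl


def cert_fingerprint(pem: str, algo: str = "sha256") -> str:
    """Digest of the DER-encoded certificate, as lowercase hex without colons."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the PEM armour, base64-decodes
    return hashlib.new(algo, der).hexdigest()


def normalize(tool_output: str) -> str:
    """Reduce a tool's fingerprint line to bare lowercase hex.

    Accepts 'SHA256 Fingerprint=AA:BB:...' (OpenSSL style) as well as
    plain hex, with or without colons or spaces.
    """
    value = tool_output.strip().rsplit("=", 1)[-1]
    hexstr = value.replace(":", "").replace(" ", "").lower()
    if not hexstr or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not a hex fingerprint: %r" % tool_output)
    return hexstr


def check(pem: str, tool_output: str) -> str:
    """Compare a tool-reported fingerprint with the certificate.

    Returns 'match', 'sha1-not-sha256' (right certificate, but the tool
    produced a SHA-1 digest) or 'mismatch'.
    """
    reported = normalize(tool_output)
    if reported == cert_fingerprint(pem, "sha256"):
        return "match"
    # A SHA-1 digest is 40 hex characters; SHA-256 is 64.
    if len(reported) == 40 and reported == cert_fingerprint(pem, "sha1"):
        return "sha1-not-sha256"
    return "mismatch"


# Constructed stand-in bytes, NOT a real certificate: the digest is taken
# over the decoded bytes as-is, so any payload demonstrates the comparison.
SAMPLE_DER = b"constructed placeholder certificate bytes for the example"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    fp = cert_fingerprint(SAMPLE_PEM)
    openssl_style = "SHA256 Fingerprint=" + ":".join(
        fp[i:i + 2].upper() for i in range(0, len(fp), 2))
    print(fp, check(SAMPLE_PEM, openssl_style))
```

To use it on a real certificate, read the PEM file into a string and pass the line your tool printed to `check`.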
For irc.koumbit.net:
This server uses