Freenode via SSL/SASL:ECDSA-NIST256P-CHALLENGE – Ubuntu & Irssi


Useful links:

a.) This article assumes you already have SASL over SSL with DH-BLOWFISH or PLAIN.
a-1.) “Should the SSL stream become compromised in some manner, PLAIN would make obtaining a user’s password as easy as forcing a reconnect, while the other mechanisms provide additional layers of security.”

b.) You are reading this because you want to enforce a secure path over IRC with Irssi.
b-1.) Start your first process here. [Creating an SSL Certificate] – 3 Stages.
b-2.) Follow Freenode’s article to set SASL over SSL. [Configuring SASL for irssi]
c.) The end goal is SASL over SSL (certs, cafile, verify) + ECDSA.
Right, let’s just get to it. In your home folder, perform the following in a terminal.

1.) wget
2.) unzip — this creates an ‘ecdsatool-master‘ folder.
3.) Jump inside the folder ‘cd ecdsatool-master‘ and run $ ‘./
4.) Run ‘./configure --prefix=$HOME/bin
5.) Run ‘make -j
6.) Run ‘make install

—————–SECOND PART——————–
1.) Add the directory where ecdsatool was installed to your PATH in your shell's startup file. How you do this depends on your shell.
2.) Test your ECDSATOOL. Should have similar results as below.
:~$ ecdsatool
usage: ecdsatool applet [options]
the following applets are available: keygen pubkey keyinfo sign usage

3.) In your ‘~/.irssi‘ folder create a certs directory (‘mkdir certs‘). Browse into it, ‘cd certs‘.
4.) Generate your .pem key file using ‘ecdsatool keygen myNickFreenode.pem‘. This file holds your private key, so keep it readable only by your own user.
5.) Back out of the ‘certs‘ folder, up one level to ‘~/.irssi‘.

—————–THIRD PART——————–
1.) If you don’t have a ‘scripts‘ folder and an ‘autorun‘ folder, create them in the next two steps.
2.) While under ‘~/.irssi‘, create a scripts folder (‘mkdir scripts‘) and browse into it (‘cd scripts‘).
3.) Create an autorun folder (‘mkdir autorun‘) and browse into it.
4.) Grab ‘‘ while inside the ‘autorun‘ folder. ‘wget
5.) The version of ‘‘ should be ‘$VERSION = "1.5";‘. Look at line 8 in that Perl script.

—————–FOURTH PART——————–
1.) Take the code found below and merge it with freenode’s code (‘‘)
3.) Open your ‘’ with your favorite editor. Make sure you have Version 1.5, google it.
4.) Towards the bottom of the script you will see the following:
pack("n/a*Z*a*", $pubkey, $u, $crypted);
# If DH-BLOWFISH is not available and you want to see why, uncomment this line:
# Irssi::print($@) if ($@);

5.) Create a new line after that last ‘};‘ and before the ‘# If DH-BLOWFISH‘ line.
6.) Paste that entire ‘‘ from ‘kaniini/ecdsatool @ github
7.) Save file and exit your editor.

—————–FIFTH PART——————–
1.) Back out of the ‘scripts/autorun‘ folder. Browse into the ‘certs‘ folder.
2.) Run ‘ecdsatool pubkey myNickFreenode.pem‘. Save the printed key; ‘NickServ‘ will need it later.
3.) Run ‘:~$ irssi
4.) ‘‘ should load without errors.
5.) You should still be identified + cloaked from your previous setup. If not, don’t join any channels.
6.) Issue this command in irssi, changing the network name to match your config:
/sasl set freenode myNick ~/.irssi/certs/myNickFreenode.pem ECDSA-NIST256P-CHALLENGE

7.) Issue ‘/sasl save‘. A ‘sasl.auth‘ file will be created in ‘~/.irssi’
b.) Quit irssi and check sasl.auth, inside it:
freenode myNick certs/myNickFreenode.pem ECDSA-NIST256P-CHALLENGE
8.) You can edit the config file, the sasl.auth file, or any other file within the ‘~/.irssi‘ folder to match your needs.

1.) Start irssi again.
2.) Grab the pubkey you generated in the fifth part.
3.) Link the key with your account.
/msg NickServ set property pubkey RANDOM-KEY-PREVIOUSLY-GENERATED
4.) NickServ should confirm the key.
-NickServ(NickServ@services.)- Metadata entry pubkey added.
5.) Disconnect from the network, quit irssi, start irssi again.
6.) Once connected, scrolling up in the status window should show the result of SSL->SASL:ECDSA.
b.) Something similar to this:

-!- Irssi: CLICAP: supported by server: account-notify extended-join identify-msg multi-prefix sasl
-!- Irssi: CLICAP: requesting: multi-prefix sasl
-!- Irssi: CLICAP: now enabled: multi-prefix sasl
-!- myNick!myNick@about/whatever/regular/mynick myNick You are now logged in as myNick.
-!- Irssi: SASL authentication successful
-!- Welcome to the freenode Internet Relay Chat Network myNick

7.) A simple ‘/whois myNick‘ should return similar results.
01:30:35 -!- : is using a secure connection
01:30:35 -!- : has client certificate fingerprint SOME-LONG-RANDOMLY-GENERATED-FINGERPRINT-APPROX~40chars

You should be set.
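
The fifth part leaves a ‘sasl.auth‘ file and a private key under ‘~/.irssi‘. The script below is an added example, not part of the original post or of the irssi SASL script: it audits those files, flagging entries that still use a password mechanism and key files that group or other users can access. The whitespace-separated field layout, the resolution of relative key paths against the irssi directory, and the function name audit_sasl_auth are assumptions; the sample data is constructed.

```sh
#!/bin/sh
# Added example: audit the sasl.auth written by '/sasl save'.
# Assumed layout, as shown above: network nick secret-or-key-path mechanism
audit_sasl_auth() {
    dir=$1; findings=0
    [ -r "$dir/sasl.auth" ] || { echo "ERROR no readable sasl.auth in $dir"; return 2; }
    while read -r net nick secret mech; do
        [ -n "$net" ] || continue
        case $mech in
        ECDSA-NIST256P-CHALLENGE)
            # Assumption: relative key paths are relative to the irssi directory.
            case $secret in /*) key=$secret ;; *) key=$dir/$secret ;; esac
            if [ ! -f "$key" ]; then
                echo "WARN $net: key file $key is missing"
                findings=$((findings + 1))
            elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
                # Any group/other permission bit exposes the private key.
                echo "WARN $net: $key is accessible to group/other, run chmod 600"
                findings=$((findings + 1))
            else
                echo "OK $net: $nick uses an owner-only ECDSA key"
            fi ;;
        *)
            # Assumption: for password mechanisms field 3 is the password itself.
            echo "WARN $net: ${mech:-no mechanism} keeps a password in sasl.auth"
            findings=$((findings + 1)) ;;
        esac
    done < "$dir/sasl.auth"
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample data so the example runs offline (dummy files, not real keys).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/certs"
echo dummy > "$demo_dir/certs/good.pem";  chmod 600 "$demo_dir/certs/good.pem"
echo dummy > "$demo_dir/certs/loose.pem"; chmod 644 "$demo_dir/certs/loose.pem"
cat > "$demo_dir/sasl.auth" <<'EOF'
netA myNick certs/good.pem ECDSA-NIST256P-CHALLENGE
netB myNick certs/loose.pem ECDSA-NIST256P-CHALLENGE
netC myNick constructed-password PLAIN
EOF
audit_sasl_auth "$demo_dir" || echo "review the WARN lines above"
```

To check a real setup, call ‘audit_sasl_auth "$HOME/.irssi"‘ after step 7 of the fifth part.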

