Difference between revisions of "SSL CA import instructions"

From Chat4AllFAQ
Jump to: navigation, search
m (Windows builds)
(irssi)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
[[Category:EN]]
 
[[Category:EN]]
 
This article describes in detail how you can import our Certificate Authority Certificate into your IRC client. If the client you are using is not listed, please contact us in #help and we'll see if we can find out how to import it for you.
 
This article describes in detail how you can import our Certificate Authority Certificate into your IRC client. If the client you are using is not listed, please contact us in #help and we'll see if we can find out how to import it for you.
 +
 +
=CA download=
 +
You can download the CA certificate from [https://www.chat4all.org/ircd-certificates/index.html our secure website].
 +
This should link you to https://www.chat4all.org/ircd-certificates/chat4all-ca.pem
  
 
=mIRC=
 
=mIRC=
Screenshot for reference: http://vbprog.fixato.net/ss/irc/mirc_ca.PNG
+
Screenshot for reference: http://vbprog.zonexus.net/ss/irc/mirc_ca.PNG
#Download the CA certificate from [https://www.chat4all.org/ircd-certificates/index.html our secure website].
+
#[[#CA_download|Download the certificate]]
 
#Save it somewhere you can easily find it. 'My Documents' or the mIRC directory are good options.
 
#Save it somewhere you can easily find it. 'My Documents' or the mIRC directory are good options.
 
#If you are already using a trusted authorities file for one or more different networks, then you need to [[#Append_CAs_in_Windows|append the downloaded certificate]] to the existing trusted authorities file. If you need a reminder on where this file is located; the trusted authorities button has the path in it.
 
#If you are already using a trusted authorities file for one or more different networks, then you need to [[#Append_CAs_in_Windows|append the downloaded certificate]] to the existing trusted authorities file. If you need a reminder on where this file is located; the trusted authorities button has the path in it.
Line 14: Line 18:
 
=Xchat=
 
=Xchat=
 
Note: Xchat does not have an in-client method for checking CAs; it uses OpenSSL's paths to read CAs. See [http://forum.xchat.org/viewtopic.php?f=2&t=5529] for the source of this information.
 
Note: Xchat does not have an in-client method for checking CAs; it uses OpenSSL's paths to read CAs. See [http://forum.xchat.org/viewtopic.php?f=2&t=5529] for the source of this information.
Download the certificate, then follow the directions specific to your OS.<br />
+
[[#CA_download|Download the certificate]], then follow the directions specific to your OS.<br />
 
==Windows builds==
 
==Windows builds==
Screenshot for reference: http://vbprog.fixato.net/ss/irc/xchat_ca.PNG
+
Screenshot for reference: http://vbprog.zonexus.net/ss/irc/xchat_ca.PNG
 
#Save the CA certificate somewhere you can easily find (''%appdata%\X-Chat 2'' or ''My Documents'' are good choices)
 
#Save the CA certificate somewhere you can easily find (''%appdata%\X-Chat 2'' or ''My Documents'' are good choices)
 
#Right click My Computer and hit Properties. Go to the Advanced tab and hit Environment Variables.
 
#Right click My Computer and hit Properties. Go to the Advanced tab and hit Environment Variables.
Line 28: Line 32:
  
 
==Linux builds==
 
==Linux builds==
#Install the certificate to the '''certs''' directory in the location given by openssl version -d and Xchat should pick it up.
+
#Install the [[#CA_download|the certificate]] to the '''certs''' directory in the location given by openssl version -d and Xchat should pick it up.
 
#There seems to be no way to do this on a per-user basis so that root access is not required (or at least I cannot find it)
 
#There seems to be no way to do this on a per-user basis so that root access is not required (or at least I cannot find it)
  
 
=weechat=
 
=weechat=
#Locate your current trusted authorities file in weechat: /set weechat.network.gnutls_ca_file
+
#Locate your current '''trusted authorities file''' in WeeChat:  
 +
  /set weechat.network.gnutls_ca_file
 
#This will probably mention ''"%h/ssl/CAs.pem"'', which means it's stored in ''ssl/CAs.pem'' in the weechat homedir (''~/.weechat'' by default)
 
#This will probably mention ''"%h/ssl/CAs.pem"'', which means it's stored in ''ssl/CAs.pem'' in the weechat homedir (''~/.weechat'' by default)
#Download the certificate
+
#[[#CA_download|Download the certificate]]
 
#Save it in ''~/.weechat/ssl/CAs.pem'' or [[#Append_CAs_in_Linux|append it to this file]]
 
#Save it in ''~/.weechat/ssl/CAs.pem'' or [[#Append_CAs_in_Linux|append it to this file]]
 
#Set the ''ssl_verify'' option for your Chat4All server entry to "on":
 
#Set the ''ssl_verify'' option for your Chat4All server entry to "on":
 
   /set irc.server.Chat4All.ssl_verify on
 
   /set irc.server.Chat4All.ssl_verify on
Now you should be able to connect to our SSL enabled ports without problems. You might need to restart your weechat before it uses the new certificates authorities file.
+
Now you should be able to connect to our SSL enabled ports without problems.
 +
''You might need to restart your weechat before it uses the updated certificates authorities file.''
  
 
=irssi=
 
=irssi=
#Download our CA certificate file to ~/.irssi/ca.cert.pem
+
#[[#CA_download|Download the certificate]] to ~/.irssi/chat4all-ca.pem
#Add ''-ssl_cafile ~/.irssi/ca.cert.pem'' to your irssi server configuration:
+
#Add ''-ssl_cafile ~/.irssi/chat4all-ca.pem'' to your irssi server configuration:
   /server add -auto -ssl -ssl_cafile ~/.irsi/ca.cert.pem -network Chat4All irc.chat4all.org 7001
+
   /server add -auto -ssl -ssl_cafile ~/.irssi/chat4all-ca.pem -network Chat4All irc.chat4all.org 7001
 
#Connect to the network/server:
 
#Connect to the network/server:
 
   /connect irc.chat4all.org
 
   /connect irc.chat4all.org
Line 63: Line 69:
 
If you have CAs from other networks (like Freenode), you can append our CA Certificate to the existing file.
 
If you have CAs from other networks (like Freenode), you can append our CA Certificate to the existing file.
  
Assume our CA certificate is called ''ca.cert.pem'', the existing trusted certificate authorities file is called ''CAs.pem'' and they are both in the same directory.
+
Assume our CA certificate is called ''chat4all-ca.pem'', the existing trusted certificate authorities file is called ''CAs.pem'' and they are both in the same directory.
  
 
Execute the following commands:
 
Execute the following commands:
Line 70: Line 76:
  
 
   #Concatenate our certificate into the existing trusted certificates authorities
 
   #Concatenate our certificate into the existing trusted certificates authorities
   cat ca.cert.pem >> CAs.pem
+
   cat chat4all-ca.pem >> CAs.pem

Latest revision as of 19:40, 3 March 2014

This article describes in detail how you can import our Certificate Authority Certificate into your IRC client. If the client you are using is not listed, please contact us in #help and we'll see if we can find out how to import it for you.

CA download

You can download the CA certificate from our secure website. This should link you to https://www.chat4all.org/ircd-certificates/chat4all-ca.pem

mIRC

Screenshot for reference: http://vbprog.zonexus.net/ss/irc/mirc_ca.PNG

  1. Download the certificate
  2. Save it somewhere you can easily find it. 'My Documents' or the mIRC directory are good options.
  3. If you are already using a trusted authorities file for one or more different networks, then you need to append the downloaded certificate to the existing trusted authorities file. If you need a reminder on where this file is located; the trusted authorities button has the path in it.
  4. Within mIRC, go to: Tools > Options, then in the left list navigate to Connect > Options.
  5. Provided you have installed SSL as described above, there should be an SSL button here. Click that
  6. Click on the empty button under 'Trusted authorities file'.
  7. Select the file you downloaded, and you are done. A reload of mIRC is not required; you should be able to connect.

Xchat

Note: Xchat does not have an in-client method for checking CAs; it uses OpenSSL's paths to read CAs. See [1] for the source of this information. Download the certificate, then follow the directions specific to your OS.

Windows builds

Screenshot for reference: http://vbprog.zonexus.net/ss/irc/xchat_ca.PNG

  1. Save the CA certificate somewhere you can easily find (%appdata%\X-Chat 2 or My Documents are good choices)
  2. Right click My Computer and hit Properties. Go to the Advanced tab and hit Environment Variables.
  3. Create a User Variable (or System if you prefer it to be available systemwide should you have a multiuser computer) with the following attributes:
    1. Variable: SSL_CERT_FILE
    2. Value: C:\Path\Where\You\Saved\Your\Cert.pem

It is recommended to reload Xchat since you are modifying an environment variable, and you should no longer see this:

 * * Verify E: unable to get local issuer certificate.? (20)

If not, then Xchat successfully recognized the CA.

Linux builds

  1. Install the the certificate to the certs directory in the location given by openssl version -d and Xchat should pick it up.
  2. There seems to be no way to do this on a per-user basis so that root access is not required (or at least I cannot find it)

weechat

  1. Locate your current trusted authorities file in WeeChat:
 /set weechat.network.gnutls_ca_file
  1. This will probably mention "%h/ssl/CAs.pem", which means it's stored in ssl/CAs.pem in the weechat homedir (~/.weechat by default)
  2. Download the certificate
  3. Save it in ~/.weechat/ssl/CAs.pem or append it to this file
  4. Set the ssl_verify option for your Chat4All server entry to "on":
 /set irc.server.Chat4All.ssl_verify on

Now you should be able to connect to our SSL enabled ports without problems. You might need to restart your weechat before it uses the updated certificates authorities file.

irssi

  1. Download the certificate to ~/.irssi/chat4all-ca.pem
  2. Add -ssl_cafile ~/.irssi/chat4all-ca.pem to your irssi server configuration:
 /server add -auto -ssl -ssl_cafile ~/.irssi/chat4all-ca.pem -network Chat4All irc.chat4all.org 7001
  1. Connect to the network/server:
 /connect irc.chat4all.org

That's all!

Quassel

Pending implementation according to Bug-report 464 at Quassel's website

You might find some more instructions in this SSL post at weechat.org

Append CAs in Windows

If you have CAs from other networks (like Freenode), you can append our Certificate Authority Certificate to the existing file.

  1. Open our CA certificate in a text editor such as Notepad and copy the contents.
  2. Open the existing trusted authorities file in another text editor and paste our copied CA certificate at the top of the file.
  3. Save the trusted authorities file.

Append CAs in Linux

If you have CAs from other networks (like Freenode), you can append our CA Certificate to the existing file.

Assume our CA certificate is called chat4all-ca.pem, the existing trusted certificate authorities file is called CAs.pem and they are both in the same directory.

Execute the following commands:

 #Backup the current trusted certificate authorities
 cp CAs.pem CAs.pem.backup
 #Concatenate our certificate into the existing trusted certificates authorities
 cat chat4all-ca.pem >> CAs.pem