

Connecting with SSL Encryption

Introduction

This guide helps you configure your IRC client to connect to AfterNET over SSL. Our primary focus is xchat, because that is what we use most, but it should also get you going with stunnel, mIRC and other software.

Why encryption

Our SSL support is intended to protect you from people on your local network who could otherwise intercept your passwords or read your conversations. Essentially we want you to be able to log in to your account(s) over wifi and speak poorly of your boss without fear of snooping. It is NOT end-to-end security: the traffic is encrypted only between your client and our server, so the server itself, the people you talk to, and their connections still see plaintext. Never use IRC to discuss company secrets or anything truly of value. Governments, and anyone with access to the backbone networks or hosting facilities our servers sit in, could still spy on you.

Enabling encryption

Our servers have SSL enabled on ports 6697 and 9998. To begin, configure your IRC client to connect to the server irc.afternet.org on port 6697 or 9998 and tick the 'use encryption' checkbox. The connection will then fail certificate validation unless you either follow the steps below to install our CA, or also tick the 'accept invalid certificate' box (which gives up the protection described in the next section).

Verifying identity

Why?

For technical reasons (see Man in the middle attack) it is important that your IRC client can verify that the host you're connecting to really is AfterNET, and not a host pretending to be AfterNET. This is done with signed 'certificates' issued to each server by someone you trust. If the certificate checks out, you can be confident that no one is sitting between you and AfterNET reading or altering your messages.

Your web browser ships with a list of respectable certificate authorities who verify the ownership of companies and issue certificates to them for a fee. IRC software generally doesn't ship its own list of trusted authorities. Our server certificates are signed by our own AfterNET Certificate Authority, which only works if you add that CA to your computer's trusted list in advance.

You can choose not to install our CA on your system, but then you have to configure your IRC software to accept invalid certificates, and although that takes more effort for an attacker than sniffing plaintext, anyone able to present their own certificate in our place could still monitor your connection.

Installing The AfterNET CA

Windows - Silverex build of x-chat

The 'silverex' build of xchat for Windows looks for certificates in the default OpenSSL location, which ends up being “C:\usr\local\ssl\cert\”, in a file named 90511bdb.0. We have created a simple installer that adds this for you: simply download and run afternet_ca_installer.msi.

NOTE: In silverex xchat 2.6.8-1 the SSL cert directory is “C:\some\openssl\dir\ssl\cert\”. We have notified them of this bug, and they will fix it in the next release. In the meantime, you will need to create that directory tree and copy the cert into it from C:\usr\local\ssl\cert\.

If you install X-Chat on a drive other than C:, put the certificate on that drive instead.

Windows - WDK build of x-chat

In xchat-wdk there is a cert.pem file in X-Chat's program files folder. One way is to open it in an editor and append the contents of the afternet.cer file to the end of it (combining the two).

The correct way (thanks to Viktor for letting us know) is to put the cert in the X-Chat application data directory, usually C:\users\username\appdata\roaming\X-Chat 2 (in Explorer you can type %APPDATA% to get there), and name it %APPDATA%\X-Chat 2\AfterNET.pem.

Windows - mIRC:

mIRC has no native SSL support; the SSL section of the mIRC help file refers you to OpenSSL, whose libraries mIRC needs.

To connect to networks over SSL with mIRC, first download OpenSSL and install it.

You can install it into either the default mIRC folder (C:\Program Files\mIRC\) or the System32 folder (C:\Windows\System32\).

The next time you start mIRC it should detect the SSL libraries, and in the Options > Connect > Options screen the SSL button should no longer be greyed out, indicating that SSL is enabled.

All you then need to do is change the port number: AfterNET SSL is on ports 6697 and 9998, and preceding the port number with a + sign tells mIRC to use the OpenSSL libraries for that connection.

For your connection settings to work, your network list entry should use the server irc.afternet.org with the port written as +6697 (or +9998).

You will need to accept the AfterNET SSL certificate when you connect, as it is signed by our own CA rather than one OpenSSL already trusts. This is the same trade-off as the 'accept invalid certificate' option described under Verifying identity: mIRC cannot tell our certificate from one presented by a man in the middle.

More information about SSL and mIRC can be found on the mIRC website.

Windows - Other

If you have some other native Windows IRC client that uses the built-in Windows certificate store, you can download afternetca.cer directly. After saving it to your desktop, right-click it and choose “Install”, accept the default locations when prompted, and click yes to the warning about the risks of trusting our CA. That warning is worth reading: a trusted root CA can issue certificates for any host name, not just ours, so only install it if you trust AfterNET to keep its CA key safe.

Linux - X-chat

Copy the CA certificate to /etc/ssl/certs/90511bdb.0, or wherever your OpenSSL install is configured to store its trusted certificates (sometimes /usr/local/ssl/certs/).

NOTE: you must rename the file (or symlink it) from afternetca.cer to 90511bdb.0 for it to work. OpenSSL looks up CA certificates in this directory by a hash of the certificate's subject name followed by .0 (what the -subject_hash option of openssl x509 prints), not by the certificate's fingerprint. The hash function changed in OpenSSL 1.0.0, so if 90511bdb.0 is not found on your system, compute the name from the certificate rather than assuming it.

Update: This no longer seems to work on modern Debian-based distributions (Mint, Ubuntu, etc.). These directions instead suggest adding the CA file to /usr/share/ca-certificates/, adding a line for it to /etc/ca-certificates.conf, and then running update-ca-certificates, which regenerates the hash-named links in /etc/ssl/certs for you.
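The following is an added example, not AfterNET's own tooling, that lets you check the two points above offline (the man-in-the-middle argument under Verifying identity, and the hashed file name OpenSSL expects in a trusted-certificate directory) using nothing but the openssl command-line tool. It builds a throwaway PKI: ca.crt stands in for afternetca.cer, srv.crt for the certificate irc.afternet.org would present, and evil.crt for a certificate with the same host name signed by a CA you never trusted. All file names, subjects and keys are assumptions generated locally; no real AfterNET material is involved. It assumes OpenSSL 1.1.0 or later (for -no-CAfile and -verify_hostname).

```shell
#!/bin/sh
# Added example (not AfterNET's code): a local, throwaway PKI mirroring the
# page's setup.  ca.crt plays the AfterNET CA, srv.crt the genuine server
# certificate, evil.crt a man-in-the-middle's certificate for the same name.
set -eu

# sign_server DIR SIGNER NAME: issue a certificate for irc.afternet.org
# signed by DIR/SIGNER.crt, written to DIR/NAME.crt.
sign_server() {
    dir=$1; signer=$2; name=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/CN=irc.afternet.org" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$signer.crt" \
        -CAkey "$dir/$signer.key" -CAcreateserial -days 1 \
        -extfile "$dir/srv.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# make_demo_pki DIR: two self-signed authorities ("ca" and "evilca"), and a
# server certificate for the same host name from each of them.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # A CA certificate must carry basicConstraints CA:TRUE, or openssl verify
    # rejects the chain with "invalid CA certificate".
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:irc.afternet.org\n' > "$dir/srv.ext"
    for authority in ca evilca; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$authority.key" \
            -out "$dir/$authority.csr" -subj "/CN=Demo $authority" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$authority.csr" -signkey "$dir/$authority.key" \
            -days 1 -extfile "$dir/ca.ext" -out "$dir/$authority.crt" >/dev/null 2>&1
    done
    sign_server "$dir" ca srv
    sign_server "$dir" evilca evil
}

# hashed_name CERT: the file name OpenSSL looks for in a -CApath directory,
# i.e. a hash of the certificate's subject name plus ".0".  It is not a
# fingerprint, and the hash function changed in OpenSSL 1.0.0, so compute it
# instead of assuming the 90511bdb quoted on the page (-subject_hash_old
# prints the pre-1.0.0 form if your client links an ancient OpenSSL).
hashed_name() {
    echo "$(openssl x509 -noout -subject_hash -in "$1").0"
}

# install_ca CERT STOREDIR: what the page's "copy to /etc/ssl/certs/<hash>.0"
# step does, with the name computed rather than hard-coded.
install_ca() {
    mkdir -p "$2"
    cp "$1" "$2/$(hashed_name "$1")"
}

# verify_against STOREDIR CERT HOSTNAME: succeed only if CERT chains to a CA
# in STOREDIR and is valid for HOSTNAME.  -no-CAfile keeps the system's
# default bundle out of the picture so that only STOREDIR decides.
verify_against() {
    openssl verify -no-CAfile -CApath "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo"
install_ca "$demo/ca.crt" "$demo/certs"
echo "CA installed as $demo/certs/$(hashed_name "$demo/ca.crt")"
if verify_against "$demo/certs" "$demo/srv.crt" irc.afternet.org; then
    echo "genuine server certificate: verified"
fi
if verify_against "$demo/certs" "$demo/evil.crt" irc.afternet.org; then
    echo "rogue certificate accepted: this should not happen"
else
    echo "rogue certificate rejected: same host name, but no trusted issuer"
fi
```

The rogue certificate is rejected purely because its issuer is not in the store, which is exactly the check an 'accept invalid certificate' setting turns off. Against the real network you can run the same check with openssl s_client -connect irc.afternet.org:6697 -CApath /etc/ssl/certs after installing the CA, and look for "Verify return code: 0 (ok)" in its output. On Debian-family systems, update-ca-certificates also picks up any file with a .crt extension dropped into /usr/local/share/ca-certificates/ without editing /etc/ca-certificates.conf (a fact about that package, not something the page states).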

ChatZilla:

The following lets ChatZilla accept a certificate signed by a CA it does not know, which it would otherwise frequently reject as invalid.

Create an Alias using:

 /alias certif eval getService("@mozilla.org/embedcomp/window-watcher\;1","nsIWindowWatcher").openWindow(null,"chrome://pippki/content/certManager.xul","mozilla:certmanager", "", null) 

Then run:

 /certif 

This opens Mozilla's Certificate Manager. Select the Servers tab and add the server name (irc.afternet.org with the SSL port).