This is a guide to help you configure your IRC client software to connect to AfterNET using SSL encryption. Our primary focus is on xchat, because that is what we use most, but it should help you get going with stunnel, mIRC and other software as well.
Our SSL encryption support is intended to protect you from those on your local network intercepting passwords or reading your conversations. Essentially we want you to be able to log in to your account(s) over wifi and speak poorly of your boss without fear of snooping. It is NOT end-to-end security, and you should never use IRC to discuss company secrets or anything truly of value. Our servers do not encrypt messages between each other! The government and people with backbone network access to our hosting facilities could still spy on you.
Our servers have SSL enabled on port 9998. To begin with, simply configure your IRC client to connect to the server named ssl.afternet.org on port 9998 and select the 'use encryption' checkbox. In addition, you must either follow the steps below or check the 'accept invalid certificate' box as well.
For technical reasons (see Man in the middle attack) it is important that your IRC client be able to verify that the host you're connecting to is really AfterNET, and not a host pretending to be AfterNET. This is accomplished using signed 'certificates' issued to each server by someone you trust. The certificate allows you to be certain, when you connect to AfterNET, that no one is intercepting the messages in the middle.
In your web browser, there is a list of respectable certificate authorities who verify the ownership of companies and issue certificates to them for a fee. IRC software doesn't come with trusted authorities. Server certificates are signed by us using our own AfterNET Certificate Authority, which only works if you add it to your computer's trusted list in advance.
You can choose not to bother with installing our CA on your system, but then you have to configure your IRC software to accept invalid certificates, and your connections could still be monitored, though it is more complicated to do so.
The 'silverex' build of xchat for Windows looks for certificates in the default openssl location, which ends up being "C:\usr\local\ssl\cert\", in a file named 90511bdb.0. We have created a simple installer to add this automatically for you: simply download and run afternet_ca_installer.msi.
NOTE: In silverex xchat 2.6.8-1 the SSL cert directory is "C:\some\openssl\dir\ssl\cert\". We have notified them of this bug, and they will be fixing it with the next release. In the meantime, you will need to make that directory tree and copy the cert to it from C:\usr\local\ssl\cert\.
If you install xchat on a drive other than C, you need to put the certificate on that drive instead.
If you have a more native Windows IRC client that uses the built-in Windows CA scheme, you can download afternetca.cer directly. After saving it to your desktop, right-click it and select "install", accept the default locations when prompted, and click yes to the warning about the risks of trusting our CA.
Copy the CA certificate to /etc/ssl/certs/90511bdb.0, or wherever your openssl install is configured to store its trusted certificates (sometimes /usr/local/ssl/certs/).
NOTE: you must rename the file (or symlink it) from afternetca.cer to 90511bdb.0 for it to work. OpenSSL looks the certificate up by this name because it is a hash of the certificate's subject name, in effect its 'fingerprint'.
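The rename step above, as an added example that is not part of the original guide or AfterNET's own tooling: it computes the hashed file name with the openssl command line instead of hard-coding it, then checks that OpenSSL accepts the certificate from that directory. The function names are hypothetical, the certificate is assumed to be PEM, and a constructed throwaway CA stands in for afternetca.cer so the example runs offline.

```shell
#!/bin/sh
# Added example, not AfterNET's own script. Function names are hypothetical.

# install_ca CERT DIR: copy a PEM CA certificate into DIR under the
# <subject-hash>.<n> name OpenSSL searches for; prints the name used.
install_ca() {
    cert=$1; dir=$2
    # openssl fails here if CERT is not a parseable PEM certificate.
    hash=$(openssl x509 -in "$cert" -noout -hash 2>/dev/null) || return 1
    [ -n "$hash" ] || return 1
    mkdir -p "$dir" || return 1
    n=0
    # Two different CAs can share a hash; OpenSSL then tries .1, .2, ...
    while [ -e "$dir/$hash.$n" ]; do
        if cmp -s "$cert" "$dir/$hash.$n"; then
            echo "$hash.$n"; return 0    # this certificate is already installed
        fi
        n=$((n + 1))
    done
    cp "$cert" "$dir/$hash.$n" || return 1
    echo "$hash.$n"
}

# ca_trusted CERT DIR: succeeds only if OpenSSL verifies CERT using DIR.
ca_trusted() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# make_test_ca OUTDIR: constructed, short-lived self-signed CA for the demo.
# It is NOT the AfterNET CA; use your downloaded afternetca.cer instead.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}
```

OpenSSL 1.0.0 and later compute the subject hash differently from earlier releases, so the name your install expects for a given certificate can differ from the one published with it; computing it locally avoids a silent mismatch.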
The following will allow ChatZilla to use a self-signed certificate, which it will frequently find invalid.
Create an alias using:
/alias certif eval getService("@mozilla.org/embedcomp/window-watcher\;1","nsIWindowWatcher").openWindow(null,"chrome://pippki/content/certManager.xul","mozilla:certmanager", "", null)
Then run:
/certif
This will open Mozilla's CertManager module. Select the Servers tab and add the server name.