Tip of the day: Almost every channel mode can be disabled. Don't like halfops? Use blacklist-module chanmodes/halfop;

Certificate fingerprint

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

When you use SSL/TLS to connect to a server you can configure your IRC client to use a client certificate. Your client certificate results in something called a certificate fingerprint (or certfp) which is a string of hexadecimal values (SHA256). It is shown in WHOIS.

Certificate fingerprints can be used at a lot of places:

Configuring your client[edit]

  • Create an SSL/TLS client certificate if you don't have one already. Search the web for irc client certificate if you don't know how to do this.
  • Connect to IRC with your client, using your client certificate (consult your IRC client documentation)
  • On IRC simply WHOIS yourself and you will see a line like:
XYZ has client certificate fingerprint e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798

If you do not see a line stating a "client certificate fingerprint", then your IRC client is NOT configured correctly to use the SSL/TLS client certificate. Consult your IRC client documentation.

Using certfp in Services[edit]

  • Identify to your account and then use NS CERT ADD. You can view your current certfp for a services account via NS CERT LIST.

Adding the certfp in the config file[edit]

If e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798 is the certificate fingerprint, then you can use it:

    • In a password item: password "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798";
    • In a mask item: mask { certfp "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798"; }
    • In a security-group: security-group trusted_admins { certfp { e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; } }

Examples[edit]

Exempting from server bans[edit]

NOTE: This example is for UnrealIRCd 6.0.4 and higher

Use an except ban block so a trusted person can bypass most server bans (KLINE/GLINE/..) and other restrictions (maxperip, spamfilter, etc):

except ban {
    mask { certfp e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; }
    type all;
}

NOTE: The person is not exempt from ZLINE and GZLINE because these take effect before the certificate fingerprint is received.

More commands per second[edit]

This allows users to send more commands per second:

security-group flood-users {
    include-mask { certfp e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; }
}

set {
    anti-flood {
        flood-users {
            /* 100 means one command per 100ms. That is 10 commands/second.
             * The burst capability is always 10 times that, so 100 commands/second.
             */
            lag-penalty 100;
            lag-penalty-bytes 0;
        }
   }
}