Tip of the day: Check out Special users on how to give trusted users/bots more rights without making them IRCOp.

Certificate fingerprint

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

When you use SSL/TLS to connect to a server you can configure your IRC client to use a client certificate. Your client certificate results in something called a certificate fingerprint (or certfp) which is a string of hexadecimal values (SHA256). It is shown in WHOIS.

Certificate fingerprints can be used at a lot of places:

Configuring your client

  • Create an SSL/TLS client certificate if you don't have one already. Search the web for irc client certificate if you don't know how to do this.
  • Connect to IRC with your client, using your client certificate (consult your IRC client documentation)
  • On IRC simply WHOIS yourself and you will see a line like:
XYZ has client certificate fingerprint e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798

If you do not see a line stating a "client certificate fingerprint", then your IRC client is NOT configured correctly to use the SSL/TLS client certificate. Consult your IRC client documentation.

Using certfp in Services

  • Identify to your account and then use NS CERT ADD. You can view your current certfp for a services account via NS CERT LIST.

Adding the certfp in the config file

If e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798 is the certificate fingerprint, then you can use it:

    • In a password item: password "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798";
    • In a mask item: mask { certfp "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798"; }
    • In a security-group: security-group trusted_admins { certfp { e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; } }
    • In a Crule like: match_certfp('e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798')

See next section for examples.


Security group combining oper block and more

NOTE: This example is for UnrealIRCd 6.0.4 and higher

This example will:

  1. define a security-group with a certificate fingerprint
  2. use it in an oper block with auto-login
  3. exempt that user from (nearly) all server bans
security-group Admin1 { certfp "e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798"; }
oper Admin1 {
    auto-login yes;
    mask { security-group Admin1; }
    operclass netadmin-with-override;
    class opers;
except ban {
    mask { security-group Admin1; }
    type all;

Exempting from server bans

NOTE: This example is for UnrealIRCd 6.0.4 and higher

Use an except ban block so a trusted person can bypass most server bans (KLINE/GLINE/..) and other restrictions (maxperip, spamfilter, etc):

except ban {
    mask { certfp e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; }
    type all;

NOTE: The person is not exempt from ZLINE and GZLINE because these take effect before the certificate fingerprint is received.

More commands per second

This allows users to send more commands per second:

security-group flood-users {
    include-mask { certfp e74d46f19ff468f5e8e349cc285df96585ba4f16b64902e334e6e76afe76a798; }

set {
    anti-flood {
        flood-users {
            /* 100 means one command per 100ms. That is 10 commands/second.
             * The burst capability is always 10 times that, so 100 commands/second.
            lag-penalty 100;
            lag-penalty-bytes 0;

Note that IRCOps can already flood at full speed (no lag penalty).