What is Transport Layer Security (TLS)?
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols are widely used in applications such as email, instant messaging, and voice over IP, but its use as the Security layer in HTTPS remains the most publicly visible.
The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., hybridirc.com) should have one or more of the following properties:
What is the difference between TLS and SSL?
TLS evolved from a previous encryption protocol called Secure Sockets Layer (SSL), which was developed by Netscape. TLS version 1.0 actually began development as SSL version 3.1, but the name of the protocol was changed before publication in order to indicate that it was no longer associated with Netscape. Because of this history, the terms TLS and SSL are sometimes used interchangeably.
What does TLS do?
There are three main components to what the TLS protocol accomplishes: Encryption, Authentication, and Integrity.
- Encryption: hides the data being transferred from third parties.
- Authentication: ensures that the parties exchanging information are who they claim to be.
- Integrity: verifies that the data has not been forged or tampered with.
Connecting HybridIRC via TLS (SSL)
HybridIRC provides TLS client access on all servers, on port 6697. When connecting over TLS, "is using a secure connection" will be shown when you /WHOIS yourself (numeric reply 671).
In order to verify the server certificates on connection, some additional work may be required. First, ensure that your system has an up-to-date set of root CA certificates. On most linux distributions this will be in a package named something like ca-certificates. Many systems install these by default, but some (such as FreeBSD) do not. For FreeBSD, the package is named ca_root_nss, which will install the appropriate root certificates in /usr/local/share/certs/ca-root-nss.crt.
Certificate verification will generally only work when connecting to hybridirc.com. If your client thinks the server's certificate is invalid, make sure you are connecting to cloud.hybridirc.com rather than any other name that leads to HybridIRC.
For most clients this should be sufficient. If not, you can download the root certificate from LetsEncrypt.
Client TLS certificates are also supported, and may be used for identification to services. See this kb article. If you have connected with a client certificate, has client certificate fingerprint f1ecf46714198533cda14cccc76e5d7114be4195 (showing your certificate's SHA1 fingerprint in place of f1ecf46...) will appear in WHOIS (a 276 numeric).
Originally found at: https://freenode.net/kb/answer/chat#accessing-freenode-via-tls mirrored for HybridIRC users. © freenode.