Piero V.

Certificate auth on WeeChat with a passphrase

In the last few months, I have been using IRC almost daily.

Before, I had used it only a few times. I only knew that this protocol is old, actually older than me 😄.

And I immediately saw that it lacks many of the features of modern systems.

Certificate authentication

One above all is registration and authentication. Many networks implement it through the NickServ user.

However, the authentication would involve sending the password as a message. Therefore, another mechanism based on a self-signed certificate is often preferred.

I am on OFTC, and they have a guide, which I initially followed (except for the algorithm: I replaced rsa:2048 with ed25519).

Beware that this command does not ask for a passphrase! This was good enough for me since I was running HexChat on my PC, on which I use full-disk encryption.

You may want to encrypt the private key instead, and it is best to do it at the creation time.

Offline messages

But sadly, IRC does not have a feature that many (me included) take for granted today: offline messages.

The IRC way to do so is using another server. Either you run the client there, or you run a bouncer. I chose the former because it seemed easier to get started with, so I am not commenting on the latter option.

There are many “server-friendly” clients. From what I understood, the most popular ones are irssi and WeeChat.

Both of them are command-line-based. This means that you SSH into your server, start a tmux/screen session, and then start the IRC client.

As an alternative, there are also some web-based clients. For example, recently, I heard of The Lounge, but it is not in the Debian repository, and neither is WeeChat’s web frontend.

Eventually, I chose WeeChat because of this answer on Quora. After reading it, I also tried and switched to fish, but that is another story 😂.

Encrypting the existing key

The system where I run my IRC client does not have FDE for various reasons. Therefore, I did not want to leave the certificate there unencrypted.

The certificate itself is a standard PEM file, and it can contain encrypted keys.

The problem was finding a way to add a passphrase to the existing key. And the complexity of the OpenSSL command line does not help.

Did I say PEM? Well, the first step actually is getting back the .key again if you do not have it anymore.

Luckily enough, .pem files are just ASCII text, so you can simply extract the part of the file that looks like this:

-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

At this point, the command to run is:

openssl pkcs8 -topk8 -outform PEM -in your.key -out your-encrypted-key.key

After running it, you need to replace the clear-text key in the old .pem with the new encrypted one.
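The whole procedure above (extract the clear-text key block, encrypt it with the pkcs8 command, put the encrypted block back in place of the clear-text one) as an added shell example, not code from the original post. It assumes a bundle laid out like the OFTC guide produces, one CERTIFICATE block plus one PKCS#8 PRIVATE KEY block, and adds a check that the encrypted key still matches the certificate; the file name encrypt-ircpem.sh and the example-nick identity are made up.

```shell
#!/bin/sh
# Added example, not from the original post: extract the cleartext key from a
# PEM bundle, encrypt it with a passphrase, rebuild the bundle and verify it.
# Assumes the bundle holds a CERTIFICATE block and a PKCS#8 PRIVATE KEY block.
set -eu

# Print one PEM block (BEGIN..END lines included) of type $1 from file $2.
pem_block() {
    awk -v t="$1" '
        $0 == ("-----BEGIN " t "-----") { p = 1 }
        p { print }
        $0 == ("-----END " t "-----")   { p = 0 }' "$2"
}

# Encrypt the cleartext PKCS#8 key $1 into $2, passphrase read from file $3
# (the command the post uses, plus -passout so it never prompts).
encrypt_key() {
    openssl pkcs8 -topk8 -outform PEM -in "$1" -out "$2" -passout "file:$3"
}

# Rebuild the bundle $3: the certificate from $1, then the encrypted key $2.
rebuild_pem() {
    { pem_block CERTIFICATE "$1"; cat "$2"; } > "$3"
}

# Check that the passphrase unlocks the key and that the key matches the
# certificate (compare the public keys both sides print as PEM).
verify_bundle() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -passin "file:$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Demo on a throwaway identity (constructed here, not a real account):
#   sh encrypt-ircpem.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    openssl req -x509 -newkey ed25519 -nodes -subj /CN=example-nick -days 1 \
        -keyout "$d/clear.key" -out "$d/cert.pem" 2>/dev/null
    openssl rand -base64 32 > "$d/pass.txt"   # no need for a memorable one
    encrypt_key "$d/clear.key" "$d/enc.key" "$d/pass.txt"
    rebuild_pem "$d/cert.pem" "$d/enc.key" "$d/nick.pem"
    verify_bundle "$d/nick.pem" "$d/pass.txt"
    rm "$d/clear.key"                          # drop the cleartext copy
    echo "encrypted bundle ready: $d/nick.pem (passphrase in $d/pass.txt)"
fi
```

If verify_bundle fails, either the passphrase is wrong or the key you extracted does not belong to that certificate, so check both before copying the bundle to the server.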

I crafted it with the help of the command’s man page and with a certain amount of trial-and-error. That page also lists the possible additional arguments and their defaults. However, I do not want to suggest any changes for two reasons:

  1. the best parameters change over time, while these instructions may remain valid for longer;
  2. I do not consider myself the best person to give security recommendations.

I can tell you, though, that you do not need a passphrase you can remember. I generated a random password with this command:

openssl rand -base64 length

Then, I saved it in WeeChat’s storage for secrets.

A secure secret storage

WeeChat offers a database for passwords and similar secrets, but it is not encrypted by default!

However, turning encryption on is easy, and once you do it, WeeChat will ask you the passphrase whenever you launch it.

You can do that with this command:

/secure passphrase your-passphrase

After that, if you open ~/.weechat/sec.conf, you will not notice any differences. This confused me quite a lot, but it is expected if you have not stored any passwords yet.

So, you can save your certificate’s password with the following command:

/secure set ssl_password my_password

ssl_password is arbitrary and can be replaced by whatever you prefer.

If you open sec.conf again, you will notice that it will also contain this line:

__passphrase__ = on

This means that you set the passphrase successfully. WeeChat does not need any other info, not even the hash of the passphrase! And this is pretty cool if you ask me 😎️.

You can find other information about this topic on WeeChat’s documentation.

Putting the pieces together

So, now you have an encrypted certificate and its password in safe storage. You need to make everything work together.

First, you have to copy the certificate in ~/.weechat/certs/ (you can choose the name you prefer; for example, your-nickname.pem or network-name.pem).

Then you have to issue these two commands on WeeChat:

/set irc.server.your-network.ssl_cert %h/certs/your-cert.pem
/set irc.server.your-network.ssl_password "${sec.data.ssl_password}"

And you are done!

Final notes

WeeChat is a program that can be configured in many different ways.

It also supports plugins. For example, you could get notifications when mentioned in chats over the network.

When I started using it, I felt as I did when I started with Linux. It has been a while since I had to read a manual to start using new software.