The Freenode IRC network allows clients to pass an SSL certificate and automatically identify their nick with NickServ upon logging in. Freenode offers instructions on creating the SSL certificate, as well as how to configure SSL authentication on several IRC clients, but it does not describe the setup for Emacs ERC.
I managed to get this working after some failed attempts following example code on the web. The problem is that an argument is missing from the gnutls-cli command described in other people’s Emacs init files that one comes across through a search. If one just runs

    gnutls-cli --x509certfile ~/.ssl/mynick.cert -p 6697 irc.freenode.net

from the command line, one sees in the output:

    Successfully sent 0 certificate(s) to server.

Of course, without a certificate sent to the server, the automatic NickServ identification will fail.

The correct way is to add the --x509keyfile argument, i.e.

    gnutls-cli --x509certfile ~/.ssl/mynick.cert --x509keyfile ~/.ssl/mynick.key -p 6697 irc.freenode.net

When this is done, the output will show

    Successfully sent 1 certificate(s) to server.

Then, NickServ identification will run automatically, assuming that you have followed Freenode’s instructions and told NickServ what your certificate’s SHA1 fingerprint is.

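A small shell check for this failure mode, added here as an example and not taken from the original post or from any of the init files mentioned: it flags a gnutls-cli command line that names a certificate without its key, and reads the certificate count out of gnutls-cli's output. The function names and the sample output are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are made up here.

# check_tls_cmd CMD: classify a gnutls-cli command line (e.g. a tls-program entry).
#   ok           certificate and key are both given
#   missing-key  --x509certfile without --x509keyfile (0 certificates get sent)
#   no-cert      no client certificate configured at all
check_tls_cmd() {
    case "$1" in
        *--x509certfile*) ;;
        *) echo "no-cert"; return 0 ;;
    esac
    case "$1" in
        *--x509keyfile*) echo "ok" ;;
        *) echo "missing-key" ;;
    esac
}

# certs_sent: read gnutls-cli output on stdin and print the number of client
# certificates it reports sending (prints nothing if the line is absent).
certs_sent() {
    sed -n 's/.*Successfully sent \([0-9][0-9]*\) certificate(s) to server.*/\1/p' |
        head -n 1
}

# Constructed sample output: only the "Successfully sent" line matches what the
# post quotes; the first line stands in for the rest of the handshake log.
sample_without_key='(handshake output)
Successfully sent 0 certificate(s) to server.'
sample_with_key='(handshake output)
Successfully sent 1 certificate(s) to server.'

for cmd in \
    'gnutls-cli --x509certfile ~/.ssl/mynick.cert -p %p %h' \
    'gnutls-cli --x509certfile ~/.ssl/mynick.cert --x509keyfile ~/.ssl/mynick.key -p %p %h'
do
    echo "$(check_tls_cmd "$cmd"): $cmd"
done

echo "without key: $(printf '%s\n' "$sample_without_key" | certs_sent) sent"
echo "with key:    $(printf '%s\n' "$sample_with_key" | certs_sent) sent"
```

To check a real connection, feed the output of the gnutls-cli command above to certs_sent instead of the constructed samples.
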
A lot of people’s Emacs init files define tls-program as a global variable and specify the certificate to pass there. This is bad for privacy: while you want to disclose your identity to Freenode, you probably don’t want to potentially tell every other server contacted through SSL who you are. Therefore, the best thing to do is to create a function to call ERC, and use Emacs’ let form to bind a value of tls-program that will only be valid for ERC:

    (defun start-irc ()
      "Connect to IRC over SSL and pass a certificate for nick identification."
      ;; Bind tls-program only for the duration of this call, so the client
      ;; certificate is not offered to other servers contacted through SSL.
      (let ((tls-program '("gnutls-cli --x509certfile ~/.ssl/mynick.cert --x509keyfile ~/.ssl/mynick.key -p %p %h")))
        (erc-tls :server "irc.freenode.net" :port 6697
                 :nick "mynick" :full-name "mynick")))

For Freenode, as with all SSL connections through Emacs, users may also want to consider the certificate pinning function that GnuTLS provides; see Jens Lechtenbörger’s Certificate Pinning for GNU Emacs.