SSL for ERC

ERC is fully equipped to connect to SSL/TLS-enabled servers (e.g. OFTC and Freenode); however, certificate authentication support is rather untested.

For the purposes of this guide, head on over to the following OFTC page to get an idea on how to create the necessary certificates

To get started, ensure that SSL/TLS support is enabled in your emacs init file:

(require 'tls)   ; provides tls-program, the external openssl/gnutls-cli wrapper
(require 'erc)   ; provides erc and erc-tls

This gives us the tls-program variable, which lists the external commands (openssl or gnutls-cli) that perform the actual connection.

To see how the variable is initially defined, describe it:
[F1] v tls-program

You’ll notice that tls-program holds several commands. They are tried in order until one establishes a connection, so the later entries act as fallbacks.

Note that while you can hand a CA chain and the accompanying key to gnutls-cli, ERC may fail to recognise them and will proceed to create the secure connection using gnutls without certificate authentication.

I personally use OpenSSL:

(setq tls-program
      ;; Tried in order; the first command that connects wins.
      ;; Each command must stay on one line: tls.el hands it to the shell,
      ;; and a newline inside the string would split it into separate commands.
      '("openssl s_client -connect %h:%p -no_ssl2 -ign_eof -CAfile /home/ootput/.private/certs/CAs.pem -cert /home/ootput/.private/certs/nick.pem"
        "gnutls-cli --priority secure256 --x509cafile /home/ootput/.private/certs/CAs.pem --x509certfile /home/ootput/.private/certs/nick.pem -p %p %h"
        ;; Last resort: still encrypted, but without client certificate authentication.
        "gnutls-cli --priority secure256 -p %p %h"))

Please note that your distro’s implementation of libgnutls may also be unsuitable for CA-chaining.

Use of gnutls-cli is recommended for the future, as most Linux projects have sought to replace OpenSSL dependencies with GnuTLS.
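As an added example (not code from the original post), the following builds the same tls-program list from a certificate directory instead of hard-coding paths. Before the paths go into the commands it checks that each file is readable and that it is not readable by group or others (nick.pem carries the private key), and it shell-quotes the paths because tls.el passes every command through the shell. The directory and the my-irc-* names are assumptions.

```elisp
(require 'tls)
(require 'erc)

(defvar my-irc-cert-dir (expand-file-name "~/.private/certs")
  "Directory holding CAs.pem and nick.pem (assumed layout; adjust to taste).")

(defun my-irc-cert-file (name)
  "Return the absolute path of certificate file NAME.
Signal an error if it is missing, unreadable, or readable by group/others."
  (let ((path (expand-file-name name my-irc-cert-dir)))
    (unless (file-readable-p path)
      (error "Certificate file %s is missing or unreadable" path))
    ;; A key file that anyone else can read defeats the point of CertFP.
    (when (/= 0 (logand (file-modes path) #o077))
      (error "%s is readable by group/others; run chmod 600 on it" path))
    path))

(defun my-irc-build-tls-program ()
  "Build `tls-program' with certificate-aware commands first.
Paths are shell-quoted because tls.el runs each command via `shell-file-name'.
The final plain gnutls-cli entry keeps the connection encrypted but drops
certificate authentication; remove it if you would rather fail loudly."
  (let ((ca   (shell-quote-argument (my-irc-cert-file "CAs.pem")))
        (cert (shell-quote-argument (my-irc-cert-file "nick.pem"))))
    ;; %% escapes the percent sign so %h and %p survive for format-spec.
    (list (format "openssl s_client -connect %%h:%%p -no_ssl2 -ign_eof -CAfile %s -cert %s"
                  ca cert)
          (format "gnutls-cli --priority secure256 --x509cafile %s --x509certfile %s -p %%p %%h"
                  ca cert)
          "gnutls-cli --priority secure256 -p %p %h")))

(setq tls-program (my-irc-build-tls-program))
```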

Now, assuming you’ve already loaded erc (the require above), we can continue with the supplied erc-tls command:

(defun start-irc ()
  "Connect to IRC."
  (interactive)
  ;; Channels to join automatically once each server connection is up.
  (setq erc-autojoin-channels-alist '(("freenode.net" "#emacs" "#screen" "#ion")
                                      ("oftc.net" "#debian")))
  ;; OFTC over SSL/TLS, using the certificates configured in tls-program.
  (erc-tls :server "irc.oftc.net" :port 6697
           :nick "ootput" :full-name "ootput")
  ;; Freenode over a plain connection.
  (erc :server "irc.freenode.net" :port 6667
       :nick "ootput" :full-name "ootput"))

This will establish a connection to OFTC on port 6697 (SSL) and, more importantly, let us use certificates for transparent NickServ authentication.

Then start the session with: M-x start-irc

Enjoy your SSL-encrypted IRC session!