New options have been added to check SSL certificates when connecting to IRC servers, thanks to kolter's patch:

  • weechat.network.gnutls_ca_file: path to file with certificate authorities (by default: "%h/ssl/CAs.pem")
  • irc.server.xxx.ssl_cert: ssl certificate file used to automatically identify your nick (CertFP on oftc for example, see below)
  • irc.server.xxx.ssl_dhkey_size: replaces old option weechat.network.gnutls_dh_prime_bits, new default value is 2048 (safer than old default value which was 512)
  • irc.server.xxx.ssl_verify: check that the ssl connection is fully trusted (on by default)

Please note that ssl_verify is on by default, so verification is now stricter, and may fail even if it was ok with previous versions of WeeChat.

First example: connect to oftc and check certificate:

  • import certificate:
    • mkdir ~/.weechat/ssl
    • wget -O ~/.weechat/ssl/CAs.pem http://www.spi-inc.org/ca/spi-cacert.crt
  • in weechat:
    • /connect oftc

Note: it is possible to concatenate many CAs in file CAs.pem.

Second example: connect to oftc using CertFP (certificate to auto identify your nick):

  • create certificate:
    • openssl req -nodes -newkey rsa:2048 -keyout nick.key -x509 -days 365 -out nick.cer
    • cat nick.cer nick.key > ~/.weechat/ssl/nick.pem
  • in weechat:
    • /set irc.server.oftc.ssl_cert "%h/ssl/nick.pem"
    • /connect oftc
    • /msg nickserv cert add

For more information, please look at http://www.oftc.net/oftc/NickServ/CertFP.
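The following shell script is an added example, not part of the WeeChat release notes: it automates the certificate steps of the second example (key and certificate generation, concatenation into one PEM, fingerprint to compare with what NickServ records after "cert add") and adds the offline equivalent of the ssl_verify check against a CA file, which illustrates why verification can now fail when the server's CA is missing from CAs.pem. Assumptions: OpenSSL is installed, the nick and output directory are passed as arguments, and the fingerprint is SHA-1 (check which digest your network displays).

```shell
#!/bin/sh
# Added example (not from the WeeChat changelog). Assumes the openssl CLI.
set -eu

# make_certfp_pem NICK DIR: writes DIR/NICK.pem (certificate followed by key,
# the layout irc.server.xxx.ssl_cert expects), prints the certificate's SHA-1
# fingerprint, and returns 0 only if the file is usable.
make_certfp_pem() {
    nick=$1
    dir=$2
    mkdir -p "$dir"
    # Same command as the second example above: 2048-bit RSA key and a
    # self-signed X.509 certificate valid for 365 days. -subj answers the
    # prompts non-interactively (assumption: CN=nick is acceptable).
    openssl req -nodes -newkey rsa:2048 -keyout "$dir/$nick.key" \
        -x509 -days 365 -subj "/CN=$nick" -out "$dir/$nick.cer" 2>/dev/null
    cat "$dir/$nick.cer" "$dir/$nick.key" > "$dir/$nick.pem"
    # The combined file holds a private key: owner-readable only.
    chmod 600 "$dir/$nick.key" "$dir/$nick.pem"
    # Sanity checks before pointing WeeChat at the file: both blocks present,
    # and the key really belongs to the certificate (moduli must match).
    grep -q 'BEGIN CERTIFICATE' "$dir/$nick.pem"
    grep -q 'PRIVATE KEY' "$dir/$nick.pem"
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/$nick.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/$nick.pem" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
    # Fingerprint without the "SHA1 Fingerprint=" prefix and colons, so it
    # can be compared with what NickServ stores after "/msg nickserv cert add".
    openssl x509 -noout -fingerprint -sha1 -in "$dir/$nick.pem" \
        | sed 's/^.*=//; s/://g'
}

# verify_against_ca CAFILE CERT: the trust check ssl_verify performs, done
# offline. Returns 0 only if CERT chains to a certificate in CAFILE, which is
# why a CAs.pem lacking the server's CA makes the connection fail.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: ./certfp.sh mynick ~/.weechat/ssl
if [ "$#" -eq 2 ]; then
    make_certfp_pem "$1" "$2"
fi
```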