problems torifying weechat #1948

Closed
Rosika2 opened this issue May 31, 2023 · 21 comments

@Rosika2

Rosika2 commented May 31, 2023

Hi all, 👋

my system: Linux Lite 6.2, 64 bit

I want to torify weechat, i.e. run weechat via the Tor network.

For this I installed tor and checked the respective service was running. All o.k. so far.

Further steps I took:

in weechat:

/server add libera irc.libera.chat/6697 -autoconnect -ssl
/connect libera

outside of weechat:

 mkdir ~/.weechat/certs
 openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1096 -nodes -out libera.pem -keyout libera.pem
 mv libera.pem ~/.weechat/certs

in weechat:

 /set irc.server.libera.addresses irc.libera.chat/6697
 /set irc.server.libera.ssl on
 /set irc.server.libera.ssl_verify on
 /set irc.server.libera.ssl_cert %h/certs/libera.pem
 /set irc.server.libera.sasl_mechanism external
 /set irc.server.libera.addresses "libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion/6697"
 /proxy add tor socks5 127.0.0.1 9050
 /set irc.server.libera.proxy "tor"
 /set irc.server.libera.ssl_verify off
 /save

I also added: "MapAddress palladium.libera.chat libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion" to my torrc.

Still I cannot get connected: 🤔

there's the following error which seems to prevent connection:
│15:38:55 libera =!= | gnutls: der Hostname im Zertifikat "libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion" stimmt NICHT überein

I.e.: Hostname does not match.

Can anybody help me establish a tor connection in weechat?
I have run out of ideas... 😐

Thanks a lot in advance.

Many greetings from Rosika 🙂

@weechatter
Contributor

weechatter commented Jun 2, 2023

try : /set irc.server.libera.ssl_verify off

(latest beta: /set irc.server.libera.tls_verify off)

It's better to /join #weechat (or #weechat-de) on libera and to give weechat version ;-)

@Rosika2
Author

Rosika2 commented Jun 2, 2023

Hi @weechatter, 👋

thanks for your reply.
Alas /set irc.server.libera.ssl_verify off didn't change anything.
I still get the error message:

gnutls: der Hostname im Zertifikat "libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion" stimmt NICHT überein

(hostname in certificate [...] doesn't match)

It's the only error I get but it seems to be the crucial point.

Thanks anyway for your help, Nils.

> It's better to /join #weechat (or #weechat-de) on libera and to give weechat version ;-)

Also: thanks for the hint.

Many greetings
Rosika 🙂

P.S.:

weechat version is 3.5

@flashcode
Member

Hi @Rosika2,

Following the libera instructions here: https://libera.chat/guides/connect#accessing-liberachat-via-tls, you should connect to address "palladium.libera.chat" and map the address in /etc/tor/torrc as mentioned.
You must also set up SASL with public key authentication (not password), and connection with SSL on port 6697 is OK (I just tested).

Hope that helps.

@flashcode flashcode added the question General question label Jun 3, 2023
@flashcode flashcode self-assigned this Jun 3, 2023
@flashcode
Member

Also if you open any other issue in this repository, please keep the template and answer the questions, as important information is required, like the WeeChat version and OS you're using.

@flashcode flashcode added the waiting info Waiting for info from author of issue label Jun 3, 2023
@Rosika2
Author

Rosika2 commented Jun 3, 2023

@flashcode :

Hi Sébastien, 👋

thanks a lot for your help.
I did what you suggested. But still no luck.
The error message however has changed:

irc: der Proxy konnte die Verbindung zum Server nicht aufbauen (bitte Benutzername/Passwort überprüfen und ob Server Adresse/Port für Proxy freigeschaltet ist)
i.e.:

the proxy could not connect to the server (please check username/password and whether server address/port for proxy is enabled)

I don't know if it helps, but here's the server part of my current irc.conf:

[server]
libera.addresses = "palladium.libera.chat libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion"
libera.proxy = "tor"
libera.ipv6
libera.ssl = on
libera.ssl_cert = "%h/certs/libera.pem"
libera.ssl_password
libera.ssl_priorities
libera.ssl_dhkey_size
libera.ssl_fingerprint
libera.ssl_verify = on
libera.password
libera.capabilities
libera.sasl_mechanism = external
libera.sasl_username
libera.sasl_password
libera.sasl_key
libera.sasl_timeout
libera.sasl_fail
libera.autoconnect
libera.autoreconnect
libera.autoreconnect_delay
libera.nicks
libera.nicks_alternate
libera.username
libera.realname
libera.local_hostname
libera.usermode
libera.command
libera.command_delay
libera.autojoin
libera.autojoin_dynamic
libera.autorejoin
libera.autorejoin_delay
libera.connection_timeout
libera.anti_flood_prio_high
libera.anti_flood_prio_low
libera.away_check
libera.away_check_max_nicks
libera.msg_kick
libera.msg_part
libera.msg_quit
libera.notify
libera.split_msg_max_length
libera.charset_message
libera.default_chantypes

I guess something's not right there... 🤔

Thanks again and many greetings
Rosika 🙂

@flashcode
Member

The value of irc.server.libera.addresses must be: "palladium.libera.chat" (no onion address after).

@Rosika2
Author

Rosika2 commented Jun 3, 2023

Thanks, Sébastien, again.

Alas the same error persists after doing the relevant change.
My irc.conf (server part) now looks like this:

[server]
libera.addresses = "palladium.libera.chat"
libera.proxy = "tor"
libera.ipv6
libera.ssl = on
libera.ssl_cert
libera.ssl_password
libera.ssl_priorities
libera.ssl_dhkey_size
libera.ssl_fingerprint
libera.ssl_verify = off
libera.password
libera.capabilities
libera.sasl_mechanism = external
libera.sasl_username
libera.sasl_password
libera.sasl_key = "%h/certs/libera.pem"
libera.sasl_timeout
libera.sasl_fail
libera.autoconnect
libera.autoreconnect
libera.autoreconnect_delay
libera.nicks = "rosika"
libera.nicks_alternate
libera.username
libera.realname
libera.local_hostname
libera.usermode
libera.command
libera.command_delay
libera.autojoin
libera.autojoin_dynamic
libera.autorejoin
libera.autorejoin_delay
libera.connection_timeout
libera.anti_flood_prio_high
libera.anti_flood_prio_low
libera.away_check
libera.away_check_max_nicks
libera.msg_kick
libera.msg_part
libera.msg_quit
libera.notify
libera.split_msg_max_length
libera.charset_message
libera.default_chantypes

@flashcode
Member

Sorry, if SSL is on, the address must be: "palladium.libera.chat/6697".

@flashcode
Member

Feel free to join #weechat on libera for further help, you'll get much faster help than by github issues.

@Rosika2
Author

Rosika2 commented Jun 3, 2023

Thanks, Sébastien, for your help.

Alas palladium.libera.chat/6697 hasn't changed the outcome again. Still the same error.

Surely I'm doing something wrong here, although I cannot see what it might be.

> Feel free to join #weechat on libera for further help

Thanks for the suggestion. But using weechat for connecting to the weechat chat-room without having succeeded in torifying weechat first would expose my IP address, I think.
That's what I want to avoid and therefore my thread here. 😊

Still: thanks for putting so much time and effort in helping me. It's much appreciated.

Many greetings from Rosika 🙂

@flashcode
Member

I just tested: it works fine for me, no error on the hostname when connecting to "palladium.libera.chat" on port 6697 (with TLS) via tor proxy.

Can you please show the complete output of connection to the server?

@Rosika2
Author

Rosika2 commented Jul 6, 2023

@flashcode :
Hi Sébastien,

Here's what weechat says, but it's in German. I don't know if it helps.

WeeChat 3.5 [kompiliert am Mar 31 2022 11:36:01]
         │17:58:33 weechat     | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
         │17:58:33 weechat     | Installierte Erweiterungen: alias, buflist, charset, exec, fifo, fset, irc, logger, perl, python, relay, ruby,
         │                     | script, spell, trigger, typing, xfer
         │17:59:15 weechat     | 
         │17:59:15 weechat     | Alle Server:
         │17:59:15 weechat     |    libera
         │17:59:23  libera === | ========== Ende des Verlaufspeichers (20 Zeilen) ==========
         │17:59:23  libera  -- | irc: verbinden zum Server palladium.libera.chat/6697 (SSL) via socks5 Proxy 127.0.0.1/9050...
         │17:59:24  libera  -- | gnutls: empfange 2 Zertifikate
         │17:59:24  libera  -- |  - Zertifikat[1]-Information:
         │17:59:24  libera  -- |    - subject `CN=palladium.libera.chat', issuer `CN=R3,O=Let's Encrypt,C=US', serial
         │                     | 0x04ebf31f6d384b0d58712c17893c62cf8542, RSA key 4096 bits, signed using RSA-SHA256, activated `2023-05-19
         │                     | 23:47:40 UTC', expires `2023-08-17 23:47:39 UTC', pin-sha256="ATPuNYCwu3xhjVadG5hpFPN469N6P2GPyJ+qNM/dHmI="
         │17:59:24  libera  -- |  - Zertifikat[2]-Information:
         │17:59:24  libera  -- |    - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US',
         │                     | serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04
         │                     | 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
         │17:59:24  libera  -- | gnutls: Peer-Zertifikat ist vertrauenswürdig
         │17:59:24  libera  -- | irc: Verbindung zu palladium.libera.chat/6697 (127.0.0.1) hergestellt
         │17:59:25  libera  -- | palladium.libera.chat: *** Ident disabled, not checking ident
         │17:59:25  libera  -- | palladium.libera.chat: *** Looking up your hostname...
         │17:59:25  libera  -- | palladium.libera.chat: *** Couldn't look up your hostname
         │17:59:25  libera  -- | irc: Clientfähigkeiten, Server unterstützt: account-notify away-notify chghost extended-join multi-prefix
         │                     | sasl=PLAIN,ECDSA-NIST256P-CHALLENGE,EXTERNAL tls account-tag cap-notify echo-message server-time
         │                     | solanum.chat/identify-msg solanum.chat/oper solanum.chat/realhost
         │17:59:25  libera  -- | irc: Clientfähigkeit, Anfrage: account-notify away-notify chghost extended-join multi-prefix sasl cap-notify
         │                     | server-time
         │17:59:25  libera  -- | irc: Clientfähigkeit, aktiviert: account-notify away-notify chghost extended-join multi-prefix sasl cap-notify
         │                     | server-time
         │17:59:26  libera  -- | SASL authentication failed
         │17:59:26  libera  -- | irc: vom Server getrennt
         │17:59:26  libera  -- | irc: Verbinde erneut zum Server in 10 Sekunden

Thanks a lot.
Many greetings from Rosika 🙂

@flashcode
Member

Yes it helps!

So now there are no more issues with the hostname, but the SASL authentication failed.
You have put libera.pem in ~/.weechat/certs, are you sure this directory is used as WeeChat home?
By default XDG directories are used, you can check in WeeChat with: /debug dirs.

Anyway you have to check SASL settings and your nick in Libera are properly configured.

@Rosika2
Author

Rosika2 commented Jul 7, 2023

@flashcode :

Thanks, Sébastien. 👋

> So now there are no more issues with the hostname

That'd be great. But what's this entry then:

         │17:59:25  libera  -- | palladium.libera.chat: *** Looking up your hostname...
         │17:59:25  libera  -- | palladium.libera.chat: *** Couldn't look up your hostname

Is it just of informative value?

> You have put libera.pem in ~/.weechat/certs, are you sure this directory is used as WeeChat home?

Hmm, should I have done anything wrong? That's possible, of course.

Well, here's my /debug dirs output:

│15:39:22 | Verzeichnisse:
         │15:39:22 |   home:
         │15:39:22 |     config: /home/rosika/.config/weechat
         │15:39:22 |     data: /home/rosika/.local/share/weechat
         │15:39:22 |     cache: /home/rosika/.cache/weechat
         │15:39:22 |     runtime: /run/user/1000/weechat
         │15:39:22 |   lib: /usr/lib/x86_64-linux-gnu/weechat
         │15:39:22 |   lib (extra): -
         │15:39:22 |   share: /usr/share/weechat
         │15:39:22 |   locale: /usr/share/locale

Perhaps I should have a completely fresh go.

Thanks a lot and many greetings
Rosika 🙂

@flashcode
Member

Yes the message Couldn't look up your hostname can be safely ignored, the connection to the server is OK.

And according to the paths, yes, you've put the certificate in the wrong path.
You should put the file libera.pem in /home/rosika/.config/weechat/certs and do (with WeeChat ≥ v4.0.0):

/set irc.server.libera.tls_cert "${weechat_config_dir}/certs/libera.pem"

(with WeeChat ≤ 3.8, the option was called .ssl_cert)

@Rosika2
Author

Rosika2 commented Jul 7, 2023

Thanks, Sébastien, 👋

I almost feared I put the certificate in the wrong place.

Now I transferred it to /home/rosika/.config/weechat/certs. That's where libera.pem is residing now.

> (with WeeChat ≤ 3.8, the option was called .ssl_cert)

My weechat version is 3.5, so I'd need the old version of the command.
Yes I'm not quite sure about the correct syntax.
How exactly would I modify the command

/set irc.server.libera.tls_cert "${weechat_config_dir}/certs/libera.pem" ?

Thanks so much.
Cheers from Rosika 🙂

@flashcode
Member

With version 3.5:

/set irc.server.libera.ssl_cert "${weechat_config_dir}/certs/libera.pem"

@Rosika2
Author

Rosika2 commented Jul 8, 2023

Hi Sébastien, 👋

I see. Thanks for providing the correct command to me.
So I did everything you suggested.

Still it doesn't work.

│14:25:30  libera  -- | irc: Neu verbinden zum Server...
         │14:25:30  libera  -- | irc: verbinden zum Server palladium.libera.chat/6697 (SSL) via socks5 Proxy 127.0.0.1/9050...
         │14:25:31  libera  -- | gnutls: sende ein Zertifikat
         │14:25:31  libera  -- |  - Clientzertifikats-Information (/home/rosika/.config/weechat/certs/libera.pem):
         │14:25:31  libera  -- |   - subject 
[...]
         │14:25:31  libera  -- | gnutls: empfange 2 Zertifikate
         │14:25:31  libera  -- |  - Zertifikat[1]-Information:
         │14:25:31  libera  -- |    - subject `CN=palladium.libera.chat', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04ebf31f6d384b0d58712c17893c62cf8542,
         │                     | RSA key 4096 bits, signed using RSA-SHA256, activated `2023-05-19 23:47:40 UTC', expires `2023-08-17 23:47:39 UTC',
         │                     | pin-sha256="ATPuNYCwu3xhjVadG5hpFPN469N6P2GPyJ+qNM/dHmI="
         │14:25:31  libera  -- |  - Zertifikat[2]-Information:
         │14:25:31  libera  -- |    - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial
         │                     | 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC',
         │                     | expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
         │14:25:31  libera  -- | gnutls: Peer-Zertifikat ist vertrauenswürdig
         │14:25:31  libera  -- | irc: Verbindung zu palladium.libera.chat/6697 (127.0.0.1) hergestellt
         │14:25:31  libera  -- | palladium.libera.chat: *** Ident disabled, not checking ident
         │14:25:31  libera  -- | palladium.libera.chat: *** Looking up your hostname...
         │14:25:31  libera  -- | palladium.libera.chat: *** Couldn't look up your hostname
         │14:25:31  libera  -- | irc: Clientfähigkeiten, Server unterstützt: account-notify away-notify chghost extended-join multi-prefix
         │                     | sasl=PLAIN,ECDSA-NIST256P-CHALLENGE,EXTERNAL tls account-tag cap-notify echo-message server-time solanum.chat/identify-msg
         │                     | solanum.chat/oper solanum.chat/realhost
         │14:25:31  libera  -- | irc: Clientfähigkeit, Anfrage: account-notify away-notify chghost extended-join multi-prefix sasl cap-notify server-time
         │14:25:31  libera  -- | irc: Clientfähigkeit, aktiviert: account-notify away-notify chghost extended-join multi-prefix sasl cap-notify server-time
         │14:25:32  libera  -- | SASL authentication failed
         │14:25:32  libera  -- | irc: vom Server getrennt

So there's still "SASL authentication failed", like you already suggested:

> Anyway you have to check SASL settings and your nick in Libera are properly configured.

Hmm, I have to investigate how to tackle the task. 🤔

Thanks a lot for your help.

Many greetings from Rosika 🙂

@flashcode
Member

Then I think you should ask the Libera staff for help, maybe an issue with your nick settings on the network.

@Rosika2
Author

Rosika2 commented Jul 8, 2023

Thanks for the suggestion, Sébastien.

I'll look into it.

Cheers from Rosika 🙂

@flashcode
Member

I close this issue, please comment if ever you think it's a WeeChat issue.

@flashcode flashcode removed the waiting info Waiting for info from author of issue label Jul 8, 2023
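
The points the maintainer's replies work through (a single address with an explicit port, the Tor proxy, certificate verification, and the client certificate that SASL EXTERNAL needs) can be collected into a small linter for the [server] section of irc.conf. This is an added example, not part of the thread or of WeeChat: parse_server, lint_server and the sample text are constructed here, and treating %h like ${weechat_config_dir} is an assumption.

```python
import os
import tempfile

# Constructed sample: the second [server] dump from the thread, set options only.
SECOND_DUMP = '''[server]
libera.addresses = "palladium.libera.chat"
libera.proxy = "tor"
libera.ssl = on
libera.ssl_cert
libera.ssl_verify = off
libera.sasl_mechanism = external
libera.sasl_key = "%h/certs/libera.pem"
'''

def parse_server(conf_text, server="libera"):
    """Parse '<server>.<option> = value' lines; a bare option name is unset (None)."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith(server + "."):
            continue
        key, sep, val = line[len(server) + 1:].partition("=")
        opts[key.strip()] = val.strip().strip('"') if sep else None
    return opts

def lint_server(opts, config_dir):
    """Return findings for the misconfigurations worked through in the thread."""
    findings = []
    addrs = (opts.get("addresses") or "").replace(",", " ").split()
    ssl_on = opts.get("ssl") == "on"
    if len(addrs) != 1:
        findings.append("addresses: expected one address, got %d" % len(addrs))
    if any(".onion" in a for a in addrs):
        findings.append("addresses: onion name listed; map it in torrc instead")
    if ssl_on and any("/" not in a for a in addrs):
        findings.append("addresses: no port given while ssl is on (host/6697)")
    if not opts.get("proxy"):
        findings.append("proxy: unset, traffic would bypass the Tor SOCKS proxy")
    if ssl_on and opts.get("ssl_verify") == "off":
        findings.append("ssl_verify: off, server certificate is not checked")
    if (opts.get("sasl_mechanism") or "").lower() == "external":
        cert = opts.get("ssl_cert")
        if not cert:
            findings.append("ssl_cert: unset, no client certificate for EXTERNAL")
        else:
            # Assumption: %h and ${weechat_config_dir} both mean the config dir.
            path = cert.replace("${weechat_config_dir}", config_dir).replace("%h", config_dir)
            if not os.path.isfile(path):
                findings.append("ssl_cert: %s not found" % path)
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as cfg:  # stands in for ~/.config/weechat
        for finding in lint_server(parse_server(SECOND_DUMP), cfg):
            print(finding)
```

Pass the config directory that /debug dirs reports as the second argument when running it against a real irc.conf.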