Using SSL with WeeChat
This guide will show you how to set up your relay connections to be encrypted using SSL.
First you will need a certificate for WeeChat to use. There are multiple ways to obtain a certificate:
- You could use a provider that delivers certificates trusted by your Android system by default. Some of them, such as Let's Encrypt, issue certificates for free. Be aware that you will need a domain name and, for the HTTP-01 challenge, a web server reachable on privileged port 80 (the DNS-01 challenge avoids port 80 but needs automated control of your DNS zone). WeeChat reads the private key and the certificate chain from a single PEM file, so you will have to concatenate the files the provider gives you. This topic is out of the scope of this page, please refer to other tutorials such as this one or this one.
- Otherwise, you can create a self-signed certificate. It will not be trusted by Android, but Weechat-Android lets you accept (whitelist) it the first time you connect.
WeeChat reads the certificate and private key from the file named by the option relay.network.ssl_cert_key, which defaults to %h/ssl/relay.pem, i.e. ~/.weechat/ssl/relay.pem with the default WeeChat home. (WeeChat 4.0 renamed the SSL options and commands to TLS: relay.network.tls_cert_key, /relay tlscertkey and the tls.weechat protocol; substitute those names below if you run 4.0 or later.)
$ mkdir -p ~/.weechat/ssl
$ cd ~/.weechat/ssl
There are two scenarios. Both append a subjectAltName section to a copy of the system OpenSSL configuration; the commands assume it lives at /etc/ssl/openssl.cnf, and openssl version -d prints the directory if your distribution keeps it elsewhere.
- If you set the connection host to a domain name, such as example.org, run the following:
$ export HOSTNAME=example.org # change this to the domain name of the server running WeeChat
$ openssl req -x509 -nodes -newkey rsa:2048 -keyout relay.pem -extensions san_env \
-subj "/O=weechat/CN=$HOSTNAME" \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[ san_env ]\nsubjectAltName=DNS:\${ENV::HOSTNAME}")) \
-days 365 -out relay.pem
The above version will only work in Bash (or another shell with process substitution) due to the use of <(). This version is portable:
export HOSTNAME=example.org # change this to the domain name of the server running WeeChat
tempfile="$(mktemp)"
cat /etc/ssl/openssl.cnf > "${tempfile}"
printf '%b' "\\n[ san_env ]\\nsubjectAltName=DNS:\${ENV::HOSTNAME}" >> "${tempfile}"
/usr/bin/openssl req -x509 -nodes -newkey rsa:2048 -keyout relay.pem -extensions san_env \
-subj "/O=weechat/CN=${HOSTNAME}" \
-config "${tempfile}" \
-days 365 -out relay.pem
rm "${tempfile}"
- If you set the connection host to a plain IP address, such as 192.168.1.2, run the following:
$ export IP=192.168.1.2 # change this to the IP of the server running WeeChat
$ openssl req -x509 -nodes -newkey rsa:2048 -keyout relay.pem \
-subj "/O=weechat/CN=my-weechat" \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[v3_ca]\nsubjectAltName = @alternate_names\n[alternate_names]\nIP.1 = \${ENV::IP}")) \
-days 365 -out relay.pem
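The same certificate generation as one script, added here as an example (it is not code from the weechat-android wiki or from WeeChat): it writes its own minimal OpenSSL config instead of patching the system openssl.cnf, so it does not depend on where /etc/ssl/openssl.cnf lives, covers both the domain-name and the IP-address case from the two scenarios above, and then checks that the resulting file is what WeeChat and the Android client need. The function names gen_relay_cert and check_relay_cert, the v3_relay section name and the sample hosts are assumptions of this example; it assumes openssl 1.0.2 or newer plus mktemp, grep, sed and tr.

```shell
#!/bin/sh
# Added example for this wiki page, not part of WeeChat or weechat-android.
# Produces the combined key+certificate PEM file WeeChat's relay plugin reads,
# with a subjectAltName matching what the client will type as the host, and
# checks the result. Assumes openssl >= 1.0.2, mktemp, grep, sed, tr.

# gen_relay_cert HOST OUTFILE [DAYS]
# HOST is a DNS name (example.org) or an IPv4 literal (192.168.1.2).
# The body is a subshell, so the umask change and the variables stay local;
# "exit" therefore ends only the subshell and becomes the function's status.
gen_relay_cert() (
    host="$1"; out="$2"; days="${3:-365}"
    [ -n "$host" ] && [ -n "$out" ] || { echo "usage: gen_relay_cert HOST OUTFILE [DAYS]" >&2; exit 1; }

    # Pick the SAN type from the host syntax: digits and dots only means IPv4.
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac

    # Self-contained config (assumed section names), equivalent to the
    # san_env / v3_ca sections the wiki appends to the system openssl.cnf.
    cnf="$(mktemp)" || exit 1
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_relay
prompt             = no
[ dn ]
O  = weechat
CN = $host
[ v3_relay ]
subjectAltName   = $san
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    umask 077   # the file holds a private key: create it readable by the owner only
    # -keyout and -out name the same file; openssl appends the certificate after the key.
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -config "$cnf" -keyout "$out" -out "$out" >/dev/null 2>&1
    rc=$?
    rm -f "$cnf"
    exit $rc
)

# check_relay_cert HOST FILE
# Verifies FILE carries both a private key and a certificate, and that the
# certificate's subjectAltName lists HOST exactly, which is what Android checks.
check_relay_cert() (
    host="$1"; file="$2"
    grep -q 'BEGIN .*PRIVATE KEY' "$file" || { echo "$file: no private key" >&2; exit 1; }
    grep -q 'BEGIN CERTIFICATE' "$file"   || { echo "$file: no certificate" >&2; exit 1; }
    case "$host" in
        *[!0-9.]*) want="DNS:$host" ;;
        *)         want="IP Address:$host" ;;
    esac
    # openssl x509 reads the first CERTIFICATE block and skips the key block.
    # The SAN line in -text output looks like "DNS:example.org, IP Address:192.168.1.2";
    # split it on commas and require an exact token match.
    openssl x509 -in "$file" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qx "$want" \
        || { echo "$file: subjectAltName does not contain $want" >&2; exit 1; }
)

# Usage, writing to the path WeeChat reads by default:
#   mkdir -p ~/.weechat/ssl
#   gen_relay_cert example.org ~/.weechat/ssl/relay.pem \
#       && check_relay_cert example.org ~/.weechat/ssl/relay.pem
```

Run check_relay_cert with exactly the host string you will enter in the app: a certificate generated for 192.168.1.2 fails the check for example.org and vice versa, which is the mismatch Android rejects. Once the listener is up, openssl s_client -connect example.org:9001 -servername example.org from another machine shows the certificate the relay actually presents, the quickest way to tell a bad file from a bad app setting.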
Now in WeeChat, reload the relay certificate, and verify the response:
/relay sslcertkey
relay: SSL certificate and key have been set
If you obtain the following response:
relay: warning: no SSL certificate/key found
then WeeChat could not load the file: double-check that it exists at the path set in relay.network.ssl_cert_key, is readable by the user running WeeChat, and contains both a PRIVATE KEY block and a CERTIFICATE block. Run the command again after regenerating or renewing the file so that WeeChat picks up the new one.
Set a password for your relay (clients that do not present it are rejected, so choose a long random one). The value is stored in relay.conf in clear text unless you keep it as secured data with /secure set and reference it in the option as ${sec.data.name}:
/set relay.network.password your_strong_password_here
Add an SSL listener for the relay plugin (the protocol name is tls.weechat in WeeChat 4.0 and later). By default the listener accepts connections on all interfaces; set relay.network.bind_address if it should only be reachable on one of them:
/relay add ssl.weechat 9001
Under Connection Settings, set the Connection Type to Weechat SSL. Make sure the Relay Host, Port, and Password are correct.
Upon the first connection, if your certificate is self-signed, you will be greeted with an Untrusted certificate dialog, from which you can accept (trust) it.
If the app instead rejects the connection with a hostname mismatch, your certificate does not have a Subject Alternative Name matching the host you entered; the SAN tells the client which hostname or IP the certificate is meant for. This usually means you got the hostname or IP address wrong when generating the certificate, or you are connecting by IP address to a certificate generated for a domain name (or the other way round). This wiki used to recommend only specifying the CN (Common Name) of the server; that is a deprecated method, and recent versions of Android no longer fall back to it.
Based on: http://dev.weechat.org/post/2012/07/27/SSL-in-Relay-plugin