mikaela.github.io/blog/_posts/2015-03-26-weechat-sasl-simply.md

---
layout: post
comments: true
title: "WeeChat: easy instructions for using SASL"
category: [english]
tags: [irc, english]
redirect_from:
  - /weechat-sasl.html
  - /english/2015/03/26/weechat-sasl-simply.html
---

This seems to confuse many WeeChat users, so I will try to explain it more
simply as I am repeating myself everywhere about this same thing.

SASL is mechanism for identifying to services at IRC automatically even
before you are visible to the network.

* * * * *

First set mechanism as plain if you have it as anything else. Many people
have it as DH- something which are insecure and is removed from more modern
services packages. More about that:

* [On the security of SASL DH-BLOWFISH (at nullroute.eu.org)](https://nullroute.eu.org/~grawity/irc-sasl-dh.html)
* [Do not use or provide DH-AES or DH-BLOWFISH for SASL/IAL authentication (at kaniini.dereferenced.org)](https://kaniini.dereferenced.org/2014/12/26/do-not-use-DH-AES-or-DH-BLOWFISH.html)

```
/set irc.server_default.sasl_mechanism PLAIN
```

PLAIN is simple "login using username and password" mechanism that sends
the username and password in plaintext which isn't an issue if you also use
SSL (like you should) and trust the server (and
**use different password everywhere**).

Then simply set your username and password

```
/unset irc.server.NETWORK.sasl_mechanism
/set irc.server.NETWORK.sasl_username REGISTERED_NICKNAME
/set irc.server.NETWORK.sasl_password PASSWORD
/save
```

*Replace NETWORK with the name of network that you have in WeeChat, for
example `freenode`.*

And now after `/reconnect` you should be identified automatically using
SASL, but you might also ensure that you use SSL.

## Using SSL

Change your address to use SSL port and enable SSL for the network:

```
/set irc.server.freenode.addresses chat.freenode.net/6697
/set irc.server.freenode.ssl on
/save
```

*Note: SSL does nothing until you `/reconnect`*

*6697 is the [standard SSL port](https://tools.ietf.org/html/rfc7194).*

Freenode has valid SSL certificate, but if it didn't, you would have two
choises:

1. Trust the fingerprints manually using
   `irc.server.NETWORK.ssl_fingerprint`, see [this post].
2. Disable SSL certificate checking using
   `/set irc.server.NETWORK.ssl_verify off` **NOT RECOMMENDED**, see
   [this post].

[this post]:{% post_url blog/2015-02-24-znc160-ssl %}
blog: WeeChat SASL Closes #47 2015-03-26 08:05:15 +01:00			`---`
			`layout: post`
			`comments: true`
			`title: "WeeChat: easy instructions for using SASL"`
			`category: [english]`
			`tags: [irc, english]`
Redirect old articles to new address 2018-11-25 23:51:24 +01:00			`redirect_from:`
			`- /weechat-sasl.html`
			`- /english/2015/03/26/weechat-sasl-simply.html`
blog: WeeChat SASL Closes #47 2015-03-26 08:05:15 +01:00			`---`

			`This seems to confuse many WeeChat users, so I will try to explain it more`
			`simply as I am repeating myself everywhere about this same thing.`

			`SASL is mechanism for identifying to services at IRC automatically even`
			`before you are visible to the network.`

			`* * * * *`

			`First set mechanism as plain if you have it as anything else. Many people`
			`have it as DH- something which are insecure and is removed from more modern`
			`services packages. More about that:`

weechat-sasl-simply: fix links I say "(at domain.tld)" to make sure people understand without clicking that those are not my articles. Closes #90 2016-11-01 15:48:43 +01:00			`* [On the security of SASL DH-BLOWFISH (at nullroute.eu.org)](https://nullroute.eu.org/~grawity/irc-sasl-dh.html)`
https:ify links in blog This breaks some links which can be fixed later if they don't fix themselves. Closes #123 2019-01-20 16:42:51 +01:00			`* [Do not use or provide DH-AES or DH-BLOWFISH for SASL/IAL authentication (at kaniini.dereferenced.org)](https://kaniini.dereferenced.org/2014/12/26/do-not-use-DH-AES-or-DH-BLOWFISH.html)`
blog: WeeChat SASL Closes #47 2015-03-26 08:05:15 +01:00
			```
			`/set irc.server_default.sasl_mechanism PLAIN`
			```

			`PLAIN is simple "login using username and password" mechanism that sends`
			`the username and password in plaintext which isn't an issue if you also use`
weechat-sasl: trust server & USE DIFFERENT PASSWORD Closes #91 2016-11-01 15:52:01 +01:00			`SSL (like you should) and trust the server (and`
			`use different password everywhere).`
blog: WeeChat SASL Closes #47 2015-03-26 08:05:15 +01:00
			`Then simply set your username and password`

			```
blog: WeeChat SASL simply: various fixes * unset network-specific SASL mechanism so the global PLAIN is used * /save after SASL settings * Note that SSL does nothing until reconnect 2015-06-09 14:22:51 +02:00			`/unset irc.server.NETWORK.sasl_mechanism`
blog: WeeChat SASL Closes #47 2015-03-26 08:05:15 +01:00			`/set irc.server.NETWORK.sasl_username REGISTERED_NICKNAME`
			`/set irc.server.NETWORK.sasl_password PASSWORD`
blog: WeeChat SASL simply: various fixes * unset network-specific SASL mechanism so the global PLAIN is used * /save after SASL settings * Note that SSL does nothing until reconnect 2015-06-09 14:22:51 +02:00			`/save`
blog: WeeChat SASL Closes #47 2015-03-26 08:05:15 +01:00			```

			`*Replace NETWORK with the name of network that you have in WeeChat, for`
			example `freenode`.*

			And now after `/reconnect` you should be identified automatically using
			`SASL, but you might also ensure that you use SSL.`

			`## Using SSL`

			`Change your address to use SSL port and enable SSL for the network:`

			```
			`/set irc.server.freenode.addresses chat.freenode.net/6697`
			`/set irc.server.freenode.ssl on`
blog: WeeChat SASL simply: various fixes * unset network-specific SASL mechanism so the global PLAIN is used * /save after SASL settings * Note that SSL does nothing until reconnect 2015-06-09 14:22:51 +02:00			`/save`
blog: WeeChat SASL Closes #47 2015-03-26 08:05:15 +01:00			```

blog: WeeChat SASL simply: various fixes * unset network-specific SASL mechanism so the global PLAIN is used * /save after SASL settings * Note that SSL does nothing until reconnect 2015-06-09 14:22:51 +02:00			Note: SSL does nothing until you `/reconnect`

blog: WeeChat SASL Closes #47 2015-03-26 08:05:15 +01:00			`6697 is the [standard SSL port](https://tools.ietf.org/html/rfc7194).`

			`Freenode has valid SSL certificate, but if it didn't, you would have two`
			`choises:`

			`1. Trust the fingerprints manually using`
			`irc.server.NETWORK.ssl_fingerprint`, see [this post].
			`2. Disable SSL certificate checking using`
			`/set irc.server.NETWORK.ssl_verify off` NOT RECOMMENDED, see
			`[this post].`

Begin fixing Jekyll deprecation warning Ref: #117 2019-07-13 21:47:15 +02:00			`[this post]:{% post_url blog/2015-02-24-znc160-ssl %}`