
Using SSL with WeeChat

oakkitten edited this page Sep 27, 2020 · 7 revisions

You can use TLS to connect to WeeChat directly, or you can connect through your web server using WebSockets. In both cases the TLS part of the connection is configured in the same way.

Usually you will want to obtain a certificate from Let's Encrypt or another provider. That gets you a certificate that your Android device already trusts; how to obtain one is out of scope of this tutorial. You can also generate a certificate yourself, as described below.

Generating a self-signed certificate

While Weechat-Android allows self-signed certificates (or certificates with an untrusted root), these certificates must otherwise be valid. Note that modern Android does not validate hostnames against the Common Name (CN); the host name (or IP address) you connect to must appear in the Subject Alternative Name (SAN) extension instead.

  • If you want to make a self-signed certificate for a domain name, such as example.org, that is valid for a year, you can run the following (the san_env section added to the config puts the host name into the SAN):

    export HOSTNAME=example.org
    openssl req -x509 -nodes -newkey rsa:2048 -keyout relay.pem -extensions san_env \
        -subj "/O=WeeChat/CN=$HOSTNAME" \
        -config <(cat /etc/ssl/openssl.cnf <(printf "\n[ san_env ]\nsubjectAltName=DNS:\${ENV::HOSTNAME}")) \
        -days 365 -out relay.pem
    Portable version

    This version does not require bash's <() construct:

    export HOSTNAME=example.org
    tempfile="$(mktemp)"
    cat /etc/ssl/openssl.cnf > "${tempfile}"
    printf '%b' "\\n[ san_env ]\\nsubjectAltName=DNS:\${ENV::HOSTNAME}" >> "${tempfile}"
    /usr/bin/openssl req -x509 -nodes -newkey rsa:2048 -keyout relay.pem -extensions san_env \
        -subj "/O=weechat/CN=${HOSTNAME}" \
        -config "${tempfile}" \
        -days 365 -out relay.pem
    rm "${tempfile}"
  • If you set the connection host to a plain IP address, such as 192.168.1.2, the SAN must carry that IP address instead. This variant appends to the v3_ca section, which req -x509 uses by default with the stock openssl.cnf, so no -extensions flag is needed:

    export IP=192.168.1.2
    openssl req -x509 -nodes -newkey rsa:2048 -keyout relay.pem \
        -subj "/O=weechat/CN=my-weechat" \
        -config <(cat /etc/ssl/openssl.cnf <(printf "\n[v3_ca]\nsubjectAltName = @alternate_names\n[alternate_names]\nIP.1 = \${ENV::IP}")) \
        -days 365 -out relay.pem

Installing certificate

Put the resulting relay.pem into ~/.weechat/ssl/. The file contains your private key, so make sure it is readable by your user only. If you obtained the certificate from a provider, put the certificate chain and your private key together in one file:

mkdir -p ~/.weechat/ssl
cat /etc/letsencrypt/live/example.com/{fullchain,privkey}.pem > ~/.weechat/ssl/relay.pem
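The generate-and-install steps above, carried through as one script. This is an added example and not part of this wiki page, WeeChat or Weechat-Android: it writes its own minimal OpenSSL config (so it does not depend on /etc/ssl/openssl.cnf), puts both a DNS name and an IP address into the SAN, creates relay.pem readable only by its owner, and then checks what the client will check: that the name is present in the SAN (a CN-only certificate deliberately fails this), that key and certificate belong together, and it prints the SHA-256 fingerprint for out-of-band comparison. The host name, IP address, output path and function names are all placeholders of mine.

```shell
#!/bin/sh
# Added example for this page, not tooling from WeeChat or Weechat-Android:
# generate a self-signed relay certificate whose Subject Alternative Name
# covers a DNS name and an IP address, install it readable only by its owner,
# and check the properties the client relies on before connecting to it.
# Assumes the openssl command line (1.0.2 or later); every name, address and
# path below is a placeholder.
set -eu

# Write a self-signed certificate and its private key to $3 for CN $1 with
# subjectAltName $2, e.g. "DNS:example.org, IP:192.168.1.2". An empty $2
# gives a CN-only certificate: the legacy form that modern Android rejects.
# The config is written by hand so nothing depends on /etc/ssl/openssl.cnf.
gen_cert() {
    host=$1; san=$2; out=$3
    cfg=$(mktemp)
    {
        printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = ext' 'prompt = no'
        printf '%s\n' '[ dn ]' 'O = WeeChat' "CN = $host"
        printf '%s\n' '[ ext ]' 'subjectKeyIdentifier = hash'
        if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
    } > "$cfg"
    # Same file for -keyout and -out: openssl appends the certificate after
    # the key. The file holds the private key, so create it with mode 0600.
    ( umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
          -config "$cfg" -keyout "$out" -out "$out" )
    rm -f "$cfg"
}

# Print the SAN entries, e.g. "DNS:example.org, IP Address:192.168.1.2"
# (nothing for a CN-only certificate).
cert_san() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# Succeed if $2 ("DNS:name" or "IP Address:a.b.c.d") is exactly one of the
# SAN entries of $1. This mirrors what Android checks: a name that appears
# only in the CN, or a different host under the same domain, does not count.
san_contains() {
    [ -n "$2" ] || return 1
    case ", $(cert_san "$1"), " in
        *", $2, "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Succeed if the private key and the certificate in $1 share a public key.
# WeeChat reads both from this one file; a mismatch means no TLS relay.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

# Print the SHA-256 fingerprint, for out-of-band comparison before you accept
# or pin the certificate on the phone.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Generate, install and verify in one go.
# Usage: sh relay-cert.sh example.org 192.168.1.2 ~/.weechat/ssl/relay.pem
main() {
    host=$1; ip=$2; out=$3
    mkdir -p "$(dirname "$out")"
    gen_cert "$host" "DNS:$host, IP:$ip" "$out"
    key_matches_cert "$out"              || { echo "key/cert mismatch in $out" >&2; exit 1; }
    san_contains "$out" "DNS:$host"      || { echo "SAN lacks DNS:$host" >&2; exit 1; }
    san_contains "$out" "IP Address:$ip" || { echo "SAN lacks IP:$ip" >&2; exit 1; }
    echo "installed: $out"
    echo "SAN:       $(cert_san "$out")"
    echo "SHA-256:   $(cert_fingerprint "$out")"
    echo "next, in WeeChat: /relay sslcertkey, then /relay add ssl.weechat 9001"
}

# All three arguments are required, so running the file without them (or
# sourcing it) only defines the functions above.
if [ $# -eq 3 ]; then main "$@"; fi
```

Run it as `sh relay-cert.sh example.org 192.168.1.2 ~/.weechat/ssl/relay.pem`, then `/relay sslcertkey` in WeeChat to load the file. Passing an empty SAN to gen_cert reproduces the CN-only certificate that modern Android rejects, which is a quick way to confirm that the san_contains check actually bites before you rely on it.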

In WeeChat, set a password for your relay (consider storing it with the secure module so that it does not sit in relay.conf in clear text), load the certificate and key from relay.pem, and start listening for incoming SSL connections (WeeChat 4.0 and later spell these `tls`: `/relay tlscertkey` and `tls.weechat`):

/set relay.network.password your_strong_password_here
/relay sslcertkey
/relay add ssl.weechat 9001

Configuring client

Set your connection type to WeeChat SSL or WebSocket SSL and set the port to the one configured for ssl.weechat (9001 in the example above).

If your server is using a self-signed certificate, Weechat-Android will ask you if you trust that certificate upon seeing it for the first time. You can also get the app to ask the same about certificates obtained from a provider by ticking the “Require certificate pins” option. You can accept/pin any certificate in the certificate chain; the pinned certificate will be trusted until it expires, and any certificates that are signed by it will also be trusted.

In addition, you can also use a client certificate to authenticate yourself.