Raunchy Taco runs its own certificate authority used to manage TLS certificates for each IRC server in the network. All IRC servers' certificates on ports 6697/tcp and 9999/tcp are signed by the Raunchy Taco IRC Network Intermediate CA G1. The Raunchy Taco IRC Network Intermediate CA G1 is exclusively signed by the Rauncy Taco IRC Network Root CA, which is the only CA you should trust when connecting to the Raunchy Taco IRC network.
A common certificate chain will look like this, where 0
is the IRC Server,
signed by the intermediate CA, and 1
is the intermediate CA signed by the Root CA.
Certificate chain
0 s:/C=US/ST=PA/L=Philadelphia/O=Raunchy Taco IRC
Network/OU=http://raunchytaco.com/CN=tuetano.raunchytaco.com/emailAddress=ca@raunchytaco.com
i:/C=US/ST=PA/O=Raunchy Taco IRC Network/OU=http://raunchytaco.com/CN=Raunchy Taco IRC Intermediate CA
G1/emailAddress=ca@raunchytaco.com
1 s:/C=US/ST=PA/O=Raunchy Taco IRC Network/OU=http://raunchytaco.com/CN=Raunchy Taco IRC Intermediate CA
G1/emailAddress=ca@raunchytaco.com
i:/C=US/ST=PA/L=Philadelphia/O=Raunchy Taco IRC Network/OU=http://raunchytaco.com/CN=Raunchy Taco IRC Network Root
CA/emailAddress=ca@raunchytaco.com
All certificates are using at least 4096 bit RSA keys, for your paranoid Percys out there. All certificates are also signed using at least SHA256 message digest. All server and intermediate certificas support Certificate Revocation Lists, while all server certificates also support OCSP.
Before importing our CA you should verify your trust in it. Only then you can properly verify a servers identity and therefore ensure you will not be victim to a MITM-Attack.
There are, as always, several grades of verification and you should decide, depending on your attacker model, which you want and/or need. Unfortunately, bootstrapping trust can be quite tricky.
Verify the serial SHA256 fingerprint given on this website against the certificate you downloaded.
If however someone is able to compromise or imitate this website, they will also be able to change the fingerprint presented here.
Raunchy Taco IRC Network Root CA (Right click & save to disk)
SHA256
06:91:E4:B0:CC:41:E4:32:1C:E7:76:5B:AB:D4:30:03:A4:25:93:B9:64:23:12:EF:22:F3:9E:14:C5:B2:3C:E1
SHA512
5B:22:21:53:2D:B6:CE:00:F8:B9:58:F1:12:AB:85:F0:8F:88:26:F2:97:01:36:B9:85:D3:8D:9C:3F:37:F3:C7:21:DF:E8:64:2E:49:90:26:C6:4A:9C:2C:CC:30:60:02:6F:7F:D9:33:08:85:CF:F2:36:B0:82:23:C8:04:CC:C9
To calculate the fingerprint of the certificate you downloaded, use:
openssl x509 -noout -fingerprint -sha256 -in ca.cert.crt
If it matches you should now import the certificate into the certificate truststore used by your IRC client.
The Raunchy Taco IRC Network Root CA certificate has been GPG signed by most of the irc server administrators. Hopefully, you know one of the admins or know someone who signed one of the admin's pgp keys.
You can get a combined signature file for checking all signatures at once, or use individual signatures:
To verify the authenticity of the Raunchy Taco IRC Network Root CA, download one or more signature file(s) and then use:
gpg --verify combined.asc
ca.cert.crt
Depending on your GPG Truststore this might or might not get any usable results. If one or more signatures match, you should now import the certificate into your IRC clients certificate truststore.
You should only ever verify connection to a server with the root certificate. After downloading, it is very easy to securely connect via irssi.
/server -ssl -ssl_verify -ssl_cafile /PATH/TO/ca.cert.crt irc.raunchytaco.com 6697