After 2018/11/21 we will migrate to certificates signed by Letsencrypt. Certificates will then be renewed every 2-3 months, which makes certificate pinning quite uncomfortable.
All server certificates on port
6697/tcp are exclusively signed by the Hackint IRC Network Intermediate CA G1. The „Hackint IRC Network Intermediate CA G1“ in turn is signed by the Hackint IRC Network Root CA, which is the only CA you should trust when connecting to the hackint irc network.
A common certificate chain will look like this, where
0 is the IRC Server, signed by the
intermediate CA, and
1 is the intermediate CA signed by the Root CA.
Certificate chain 0 s:/C=US/O=Hackint IRC Network/CN=morgan.hackint.org i:/O=Hackint IRC Network/OU=http://www.hackint.org/CN=Hackint IRC Network Intermediate CA G1/emailAddressfirstname.lastname@example.org 1 s:/O=Hackint IRC Network/OU=http://www.hackint.org/CN=Hackint IRC Network Intermediate CA G1/emailAddressemail@example.com i:/O=Hackint IRC Network/OU=http://www.hackint.org/CN=Hackint IRC Network Root CA/emailAddressfirstname.lastname@example.org
- all certificates are using at least 4096bit RSA keys
- all certificates are signed using at least SHA256 message digest
- all server certificates support both CRL and OCSP
- OCSP Stapling and Client Support for it
Before importing our CA you should verify your trust in it. Only then you can properly verify a servers identity and therefore ensure you will not be victim to a MITM-Attack.
There are, as always, several grades of verification and you should decide, depending on your attacker model, which you want and/or need. Unfortunately, bootstrapping trust can be quite tricky.
Verify the serial SHA256 fingerprint given on this website against the certificate you downloaded.
If however someone is able to compromise or imitate this website, they will also be able to change the fingerprint presented here.
Hackint IRC Network Root CA (Right click & save to disk)
To calculate the fingerprint of the certificate you downloaded, use:
openssl x509 -noout -fingerprint -sha256 -in rootca.crt
If it matches you should now import the certificate into the certificate truststore used by your IRC client.
The Hackint IRC Network Root CA certificate has been GPG signed by most of the irc server administrators. Hopefully, you know one of the admins or know someone who signed one of the admin's pgp keys.
You can get a combined signature file for checking all signatures at once, or use individual signatures:
To verify the authenticity of the Hackint IRC Network Root CA, download one or more signature file(s) and then use:
gpg --verify combined.asc rootca.crt
Depending on your GPG Truststore this might or might not get any usable results. If one or more signatures match, you should now import the certificate into your IRC clients certificate truststore.