How to configure SASL [External] on hexchat?

If you are reading this post, you have probably used IRC. With an IRC client such as hexchat, you need to identify your nick every time you log in. One way to avoid this repetitive identification on hexchat is to use the SASL (username + password) service. But plain SASL still needs your password. A better approach is to use a certificate instead of a password to identify yourself automatically every time you log in to hexchat. This is where SASL [external] comes in.

One condition for using SASL external is that you connect over SSL. For freenode, ports 6697, 7000 and 7070 are available for SSL-encrypted connections.

1. Changing port to use SSL encryption

Open hexchat and press ctrl+s (to open Hexchat: Network List) –> select a network (say freenode) –> edit the port to 6697 (if it is not already set) –> also tick the following check boxes:

  • Connect to selected server only.
    • for freenode selected server should be
  • Use SSL for all the servers on this network.

2. Generate a self-signed certificate

For this, you need the openssl utility (it should be present by default on *nix systems). On Windows systems, consider using cygwin.

The following command generates a new self-signed certificate with openssl.

$ openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem

Command help description: $ openssl req --help

  • openssl: OpenSSL command line utility.
  • req: PKCS#10 X.509 Certificate Signing Request (CSR) Management.
  • -x509: Output a x509 structure instead of a cert. req.
  • -new: New request.
  • -newkey rsa:bits: Generate a new RSA key of ‘bits’ in size.
  • -sha256: Use SHA-256 as the digest to sign the certificate with.
  • -days: Number of days a certificate generated by -x509 is valid for.
  • -nodes: Don’t encrypt the output key.
  • -out arg: Output file.
  • -keyout arg: File to send the key to.

This will prompt you for a couple of details. You may leave most of them empty, but openssl requires at least one of them to be non-empty.

The command's output looks like this:

Generating a 4096 bit RSA private key
writing new private key to 'freenode.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Shiva 
Email Address []:

3. Adding the key to hexchat

The certificate freenode.pem should be placed in the directory:
If the certs directory does not exist, create it first, then move the certificate into it.

So, it will become ~/.config/hexchat/certs/network_name.pem

NOTE: The “.pem” file must be named after the network you want to connect to. To see the network list, open hexchat and press “ctrl+s”, then give the file the same name as that network. It may be “Ubuntu Server (freenode).pem”, “moznet.pem”, et cetera.

4. Adding the certificate to NickServ

Once you have placed the certificate in the required directory, it’s time to add the fingerprint of this certificate to your account.

To see the fingerprint of your certificate, use the following command:

$ openssl x509 -in <path_to_.pem_file> -outform der | sha1sum -b | cut -d' ' -f1

For the detailed explanation of the command please see the help. $ openssl x509 --help

Open hexchat –> log in to your account –> give the following command:

/msg NickServ CERT ADD <fingerprint>

If the fingerprint is added successfully, you can see it by doing a whois on your nick.

5. Configure Hexchat for using SASL [external]

Now press ctrl+s –> select the network for which you generated the certificate –> edit –> change “Login method:” to “SASL EXTERNAL (cert)”.

Now restart hexchat. If everything goes well, you will be logged in automatically and see the following messages:

* Authenticating via SASL as <your_nick> (EXTERNAL)
* You are now logged in as <your_nick>.
* SASL authentication successful


Now there is no need to identify every time you log in to your account. 🙂
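Steps 2 to 4 as a non-interactive script, added here as an example and not part of the original post: it creates the key and certificate with owner-only permissions (the key is unencrypted because of -nodes) and cross-checks the fingerprint before it is given to NickServ. The function names, the `-subj` value and the optional key-size argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: steps 2-4 without the interactive prompts.
# Function names, the CN value and the key-size argument are illustrative.

# make_client_cert <certs_dir> <network_name> <common_name> [rsa_bits]
# Writes key and certificate into <certs_dir>/<network_name>.pem.
make_client_cert() {
    pem="$1/$2.pem"
    mkdir -p "$1" && chmod 700 "$1" || return 1
    # -nodes leaves the private key unencrypted, so create the file
    # owner-only (umask 077) and pin the mode afterwards.
    ( umask 077
      openssl req -x509 -new -newkey "rsa:${4:-4096}" -sha256 -days 1000 \
          -nodes -subj "/CN=$3" -out "$pem" -keyout "$pem" ) || return 1
    chmod 600 "$pem"
}

# cert_fingerprint <pem>: SHA-1 over the DER certificate, lowercase hex,
# computed with the pipeline from step 4.
cert_fingerprint() {
    openssl x509 -in "$1" -outform der | sha1sum -b | cut -d' ' -f1
}

# The same digest as reported by openssl, normalised to the same form.
cert_fingerprint_openssl() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# check_client_cert <pem>: non-zero if group/others have any access to the
# file, the two fingerprints differ, or the certificate is no longer valid
# 30 days (2592000 s) from now.
check_client_cert() {
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "$1: private key is accessible to group/others" >&2
        return 1
    fi
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint_openssl "$1")" ] || return 1
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# Usage (network name as shown in the ctrl+s list):
#   make_client_cert ~/.config/hexchat/certs freenode YOUR_NICK
#   check_client_cert ~/.config/hexchat/certs/freenode.pem &&
#       cert_fingerprint ~/.config/hexchat/certs/freenode.pem
```
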


Hope this post was helpful. For queries and suggestions to improve this post, please feel free to write in the comments section below.

Thanks for reading!
