SASL auth required (Libera.chat) #107

Open
ghost opened this issue Nov 5, 2023 · 5 comments

ghost commented Nov 5, 2023

Documentation for SASL authentication is needed to understand how to connect to libera.chat servers using TLS 1.3 (aka forward secrecy). In contrast, webirc connections to irc.freenode.net in tcp4 mode work as expected using the kiwiirc transport (tls=false).

However, inbound connections to libera.chat servers result in the following error message:

Closing Link: open-neurosecurity.org (SASL authentication to a NickServ account with a verified email address is required to connect from your current network. Please see https://libera.chat/guides/sasl for configuration assistance.

$ sudo systemctl status webircgateway

webircgateway
     Loaded: loaded (/lib/systemd/system/webircgateway.service; enabled; preset: enabled)
     Active: active (running) since Sun 2023-11-05 04:23:31 EST; 20min ago
   Main PID: 1141544 (webircgateway)
      Tasks: 7 (limit: 4652)
     Memory: 2.2M
        CPU: 37ms
     CGroup: /system.slice/webircgateway.service
             └─1141544 /usr/local/sbin/webircgateway --config=/etc/webircgateway/config.conf

Nov 05 04:23:42 open-neurosecurity.org webircgateway[1141544]: 2023/11/05 04:23:42.479564 L_DEBUG client:2 signal:data :molybdenum.libera.chat NOTICE guest11 :*** Notice -- SASL authentication to a NickServ account with a verified email address is required to connect from your current network. Please see https://libera.chat/guides/sasl for configuration assistance.
Nov 05 04:23:42 open-neurosecurity.org webircgateway[1141544]: 2023/11/05 04:23:42.479716 L_DEBUG client:2 in .UpstreamRecv
Nov 05 04:23:42 open-neurosecurity.org webircgateway[1141544]: 2023/11/05 04:23:42.479722 L_DEBUG client:2 Traffic (Upstream->) ERROR :Closing Link: open-neurosecurity.org (SASL authentication to a NickServ account with a verified email address is required to connect from your current network.
@ItsOnlyBinary
Collaborator

Kiwi does not support client certificate based auth; it does support SASL PLAIN though. Entering a password at the welcome screen should make it SASL auth on connect.

@ghost
Author

ghost commented Nov 6, 2023

I forgot to mention that the built-in identd server doesn't seem to work at all when using identd=true in the webirconfig config.

As a workaround you can install openbsd-inetd (or nullidentd), which provides a working and secure identd daemon. Anyway, I would prefer webirc to not use SASL auth at all and use the X-Forwarded-For header to identify users' hostnames. In addition, nginx can use a local DNS resolver to store valid DNS hostnames with dnsmasq.

@ItsOnlyBinary
Collaborator

I will look into the identd thing.

webircgateway does use X-Forwarded-For to get the correct IP, which is then passed to the ircd via the WEBIRC command.

SASL auth is a method by which to log in to NickServ during connection; it is not used to pass the correct hostname for the user.
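
The distinction drawn in the reply above, as an added example that is not part of the thread and not webircgateway's or Kiwi's code: WEBIRC carries the browser's address, SASL PLAIN carries the NickServ login, and the PLAIN payload is only base64, so the upstream link must be TLS. The gateway name, WEBIRC password, address and credentials are constructed values, and server replies are omitted.

```python
import base64

CHUNK = 400  # IRCv3 SASL: the base64 response is sent in 400-byte pieces


def sasl_plain_lines(account, password):
    """AUTHENTICATE lines a client sends for SASL PLAIN (server replies omitted)."""
    # RFC 4616 message: authzid NUL authcid NUL password (authzid = account here)
    raw = f"{account}\0{account}\0{password}".encode()
    enc = base64.b64encode(raw).decode()
    lines = ["AUTHENTICATE PLAIN"]
    while len(enc) >= CHUNK:
        lines.append("AUTHENTICATE " + enc[:CHUNK])
        enc = enc[CHUNK:]
    # A payload that ends exactly on a chunk boundary is terminated with "+".
    lines.append("AUTHENTICATE " + (enc or "+"))
    return lines


def decode_plain(lines):
    """Recover (account, password) from captured AUTHENTICATE lines.

    No key is needed: base64 is an encoding, so anyone who can read the
    gateway-to-ircd link (for example with tls=false) reads the password.
    """
    chunks = [line.split(" ", 1)[1] for line in lines[1:]]
    raw = base64.b64decode("".join(c for c in chunks if c != "+"))
    _authzid, authcid, password = raw.decode().split("\0")
    return authcid, password


def registration(webirc_password, gateway, client_ip, nick, account, password):
    """Client-to-server lines in order; WEBIRC must precede everything else."""
    return [
        # WEBIRC <password> <gateway> <hostname> <ip>: address only, no login
        f"WEBIRC {webirc_password} {gateway} {client_ip} {client_ip}",
        "CAP REQ :sasl",
        f"NICK {nick}",
        f"USER {nick} 0 * :{nick}",
        *sasl_plain_lines(account, password),
        "CAP END",
    ]


if __name__ == "__main__":
    # Constructed values: documentation IP range, made-up secrets.
    for line in registration("gw-secret", "examplegw", "203.0.113.7",
                             "guest11", "alice", "correct horse"):
        print(line)
    print(decode_plain(sasl_plain_lines("alice", "correct horse")))
```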

@ghost
Author

ghost commented Apr 8, 2024

Thanks for your help @ItsOnlyBinary. Here is a log file for this ticket. Interestingly, now getting error "Not allowed to connect to default" when I use my SASL username and password to connect on ws.libera.chat. Btw, I use quic/http3 for ws connection with kiwiirc. I also disable identd in the config. Finally, I assume the "kiwiirc.com" user-agent string in the ws console (chromium) is purely decorative.

I hope this helps,

smart

@ghost
Author

ghost commented Apr 8, 2024

Here is a screen capture of the browser view:

Screenshot_2024-04-08_06-18-58

ghost changed the title from "SASL auth required" to "SASL auth required (Libera.chat support)" Apr 8, 2024
ghost changed the title from "SASL auth required (Libera.chat support)" to "SASL auth required (Libera.chat)" Apr 8, 2024