New options have been added to check SSL certificates when connecting to IRC servers, thanks to kolter's patch:

• weechat.network.gnutls_ca_file: path to file with certificate authorities (by default: "%h/ssl/CAs.pem")
• irc.server.xxx.ssl_cert: ssl certificate file used to automatically identify your nick (CertFP on oftc for example, see below)
• irc.server.xxx.ssl_dhkey_size: replaces old option weechat.network.gnutls_dh_prime_bitsmax_lines, new default value is 2048 (safer than old default value which was 512)
• irc.server.xxx.ssl_verify: check that the ssl connection is fully trusted (on by default)

Please note that ssl_verify is on by default, so verification is now stricter, and may fail even if it was ok with previous versions of WeeChat.

First example: connect to oftc and check certificate:

• import certificate:
  • mkdir ~/.weechat/ssl
  • wget -O ~/.weechat/ssl/CAs.pem http://www.spi-inc.org/ca/spi-cacert.crt
• in weechat:
  • /connect oftc

Note: it is possible to concatenate many CAs in file CAs.pem.

Second example: connect to oftc using CertFP (certificate to auto identify your nick):

• create certificate:
  • openssl req -nodes -newkey rsa:2048 -keyout nick.key -x509 -days 365 -out nick.cer
  • cat nick.cer nick.key > ~/.weechat/ssl/nick.pem
• in weechat:
  • /set irc.server.oftc.ssl_cert "%h/ssl/nick.pem"
  • /connect oftc
  • /msg nickserv cert add

For more information, please look at https://www.oftc.net/NickServ/CertFP.