diff --git a/config.sample.yaml b/config.sample.yaml
index d60f4b788..f7d6c0d48 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -74,6 +74,8 @@ ircService:
 # Should the connection attempt to identify via SASL (if a server or user password is given)
 # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS.
 sasl: false
+ # Sasl authentication type. EXTERNAL or PLAIN are supported at the moment.
+ saslType: "PLAIN"
 # Whether to allow expired certs when connecting to the IRC server.
 # Usually this should be off. Default: false.
 allowExpiredCerts: false
@@ -82,7 +84,17 @@ ircService:
 # -----BEGIN CERTIFICATE-----
 # ...
 # -----END CERTIFICATE-----
-
+ #
+ # Explicit key/cert to use when connecting. Optional.
+ # When setting up with https://freenode.net/kb/answer/certfp , you can copy these from the .pem file
+ #key: |
+ # -----BEGIN PRIVATE KEY-----
+ # ...
+ # -----END PRIVATE KEY-----
+ #cert: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
 #
 # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
 # password: 'pa$$w0rd'
diff --git a/config.schema.yml b/config.schema.yml
index 1b9a3ae86..faa99887d 100644
--- a/config.schema.yml
+++ b/config.schema.yml
@@ -145,6 +145,12 @@ properties:
 type: "boolean"
 sasl:
 type: "boolean"
+ saslType:
+ type: "string"
+ key:
+ type: "string"
+ cert:
+ type: "string"
 allowExpiredCerts:
 type: "boolean"
 password:
diff --git a/package-lock.json b/package-lock.json
index 657162bc7..74b399272 100644
--- a/package-lock.json
+++ b/package-lock.json
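Review bot: The commented `#key:` block in the second hunk invites pasting a private key into the bridge config without saying what it is used for or how the file should be protected. The ConnectionInstance.ts hunk in this commit takes the key and cert from the server-level config rather than from per-user options, so the pair appears to be presented on every connection made to this server; the comment should say so and name it as what `saslType: "EXTERNAL"` authenticates with. I would add `# The private key is a credential: keep this file readable only by the bridge user.` directly above `#key: |`. The `saslType` comment in the first hunk could also state that EXTERNAL needs `ssl`, `key` and `cert` to be set; that is inferred from how the options are wired here, so confirm it against node-irc.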
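Review bot: `saslType` is accepted as any string, although config.sample.yaml documents only EXTERNAL and PLAIN, so a mistyped value passes schema validation and is handed to the IRC client library unchecked. Adding `enum: ["PLAIN", "EXTERNAL"]` under `saslType:` would make a bad value fail at startup instead of at connection time. The `properties:` block this hunk sits in starts and ends outside the hunk.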
@@ -1848,8 +1848,8 @@ "integrity": "sha512-M4Sjn6N/+O6/IXSJseKqHoFc+5FdGJ22sXqnjTpdZweHK64MzEPAyQZyEU3R/KRv2GLoa7nNtg/C2Ev6m7z+eA==" }, "irc": { - "version": "github:matrix-org/node-irc#7feccae6c168c2c08527daace0c6fe5af56c6560", - "from": "github:matrix-org/node-irc#7feccae6c168c2c08527daace0c6fe5af56c6560", + "version": "github:matrix-org/node-irc#e005643002aac881d157e48ea62d1a40230a54b5", + "from": "github:matrix-org/node-irc#e005643002aac881d157e48ea62d1a40230a54b5", "requires": { "detect-character-encoding": "^0.8.0", "iconv": "~2.3.4",
diff --git a/package.json b/package.json
index e4e85d139..0fd7afa70 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
 "extend": "^2.0.0",
 "he": "^1.1.1",
 "iconv": "^2.3.4",
- "irc": "matrix-org/node-irc#7feccae6c168c2c08527daace0c6fe5af56c6560",
+ "irc": "matrix-org/node-irc#e005643002aac881d157e48ea62d1a40230a54b5",
 "js-yaml": "^3.2.7",
 "logform": "^2.1.2",
 "matrix-appservice": "^0.4.1",
diff --git a/src/irc/ConnectionInstance.ts b/src/irc/ConnectionInstance.ts
index 2f5185b89..dbf6ffe28 100644
--- a/src/irc/ConnectionInstance.ts
+++ b/src/irc/ConnectionInstance.ts
@@ -73,6 +73,8 @@ export interface ConnectionOpts {
 nick: string;
 secure?: {
 ca?: string;
+ key?: string;
+ cert?: string;
 };
 encodingFallback: string;
 }
@@ -382,8 +384,11 @@ export class ConnectionInstance {
 retryCount: 0,
 family: server.getIpv6Prefix() || server.getIpv6Only() ? 6 : null,
 bustRfc3484: true,
- sasl: opts.password ? server.useSasl() : false,
- secure: server.useSsl() ? { ca: server.getCA() } : undefined,
+ sasl: server.useSasl(),
+ saslType: server.saslType(),
+ secure: server.useSsl() ? {
+ ca: server.getCA(), key: server.getKey(), cert: server.getCert()
+ } : undefined,
 encodingFallback: opts.encodingFallback
 };

diff --git a/src/irc/IrcServer.ts b/src/irc/IrcServer.ts
index db3183b87..8b7db1c06 100644
--- a/src/irc/IrcServer.ts
+++ b/src/irc/IrcServer.ts
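Review bot: Dropping the `opts.password ?` guard in the second ConnectionInstance.ts hunk makes `sasl` true for every connection on a server configured with `sasl: true`, including connections that have no password. EXTERNAL needs that, but with `saslType: "PLAIN"` a password-less client would now attempt SASL, and config.sample.yaml states there is no fallback to PASS when SASL fails; how node-irc treats PLAIN without a password is not visible in this diff. Keeping the guard for PLAIN preserves the previous behaviour: `sasl: server.useSasl() && (server.saslType() === "EXTERNAL" || Boolean(opts.password)),`. The object literal and its enclosing function begin and end outside the hunk.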
@@ -229,6 +229,14 @@ export class IrcServer {
 return this.config.ca;
 }

+ public getKey() {
+ return this.config.key;
+ }
+
+ public getCert() {
+ return this.config.cert;
+ }
+
 public useSsl() {
 return Boolean(this.config.ssl);
 }
@@ -241,6 +249,10 @@ export class IrcServer {
 return Boolean(this.config.sasl);
 }

+ public saslType() {
+ return this.config.saslType;
+ }
+
 public allowExpiredCerts() {
 return Boolean(this.config.allowExpiredCerts);
 }
@@ -633,10 +645,13 @@ export interface IrcServerConfig {
 port?: number;
 icon?: string;
 ca?: string;
+ key?: string;
+ cert?: string;
 networkId?: string;
 ssl?: boolean;
 sslselfsign?: boolean;
 sasl?: boolean;
+ saslType?: string;
 password?: string;
 allowExpiredCerts?: boolean;
 additionalAddresses?: string[];
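Review bot: `getKey()` hands out the TLS client private key but, like `getCert()`, has no return type or doc comment telling callers what they are holding. I would declare both as `: string | undefined` and put `/** PEM-encoded client private key from the server config; treat it as a secret and keep it out of logs. */` above `getKey()`. The class body continues outside this hunk.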
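Review bot: `saslType()` returns the raw config value, so it is `undefined` when the option is omitted and an arbitrary string when it is mistyped; the `saslType?: string` field added to `IrcServerConfig` in the last hunk permits both. Typing the field as `saslType?: "PLAIN" | "EXTERNAL";` and returning `this.config.saslType || "PLAIN"` would make the default explicit and let the compiler reject other values, with PLAIN being the value config.sample.yaml shows. Whether a default is already merged into the config elsewhere is not visible in this diff.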