How to verify SSL SHA-1 Certificate Fingerprnit Signature of your mail/web server to avoid hijacking/man-in-the-middle attacks

This is especially helpful if you run your own servers.  If you are presented with an error message or warning that the signature has changed or does not match the IP/domain you are connecting to you always want to verify manually.

So your e-mail/web client will show you an SHA-1 fingerprint like this:

"Could not verify this certificate because the issuer is unkown" or other reasons such as a mismatch in IP/domain.

It will also show you the "SHA1 fingerprint".   Copy this and compare below with the results of your actual server certificate.

How to verify it against the actual certificate on your server?:

openssl x509 -fingerprint -in /pathto/your-certificate.crt -noout

SHA1 Fingerprint=CD:32:57:8A:66:18:71:87:81:B8:A5:F6:2E:52:3D:15:C5:A9:41:06

How to manually fetch the SHA1 certificate straight from the server to compare?

openssl s_client -showcerts -connect yourdomain.com:port 2>/dev/null|openssl x509 -fingerprint -noout

Automated Bash Script

#!/bin/bash

#change servercertpath to your certificate

servercertpath=/etc/ssl/key.crt

#remote host

#change remote host/ip and port number as necessary

remotehost="realtechtalk.com:443"

localfingerprint=`openssl x509 -fingerprint -in $servercertpath -noout`

#the echo -e \n prints a newline to the SSL client this is necessary or it will never exit so the script will halt and not complete

remotefingerprint=`echo -e "\n"|openssl s_client -showcerts -connect $remotehost 2>/dev/null|openssl x509 -fingerprint -noout`

if [ "$localfingerprint" == "$remotefingerprint" ]; then

echo "OK - Certs match: local=$localfingerprint remote=$remotefingerprint"

else

echo "BAD - Certs don't match could be man in the middle!: local=$localfingerprint remote=$remotefingerprint"

fi

 

Conclusion

This is an important and good way to verify that you are actually talking to who you think you are and that there is no direct interception or Middleman attack.


Tags:

verify, ssl, sha, certificate, fingerprnit, server, hijacking, attacksthis, servers, presented, ip, domain, connecting, manually, fingerprint, quot, issuer, unkown, mismatch, openssl, pathto, crt, noout, fetch, s_client, showcerts, yourdomain, dev, null, automated, bash, bin, servercertpath, etc, remotehost, realtechtalk, localfingerprint, echo, newline, halt, remotefingerprint, ok, certs, fi, interception, middleman,

Latest Articles

  • Linux ln symlink how to update existing symbolic link
  • Ubuntu 18.04 / Linux Mint 19.1 Cannot Type or Login - solution
  • LUKS Hard Drive Encryption on Linux Mint Ubuntu Debian etc how to mount encrypted hard drive
  • How to use nmap locate other machines/computers/servers on your network using nmap
  • Linux Mint 18.2 Create Config File To Start Application Upon Login
  • Dell Wyse Thin Client BIOS Access Key
  • sudoers file in /etc warning about comments/includes!
  • Centos 7 Reallocate logical volume space to another
  • lvm how to reduce volume size
  • letsencrypt certbot error "Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80."
  • SSH error cannot Forward or Listen "bind: Cannot assign requested address"
  • X11 SSH Linux Forwarding Error
  • Using Microsoft's Group Policy Management Editor (GPME) To Change Default Permissions and Internet Explorer Security Settings
  • Thunderbird How To Disable An Email Account
  • iptables linux firewall recommended rules for public computing
  • LVM How To Create Pool (dynamically allocated and not fully allocated)
  • VMWare Pro Workstation Nic Disconnected and No IP Using NAT
  • Linux How To Create A RamDisk
  • mdadm force resync when resync=PENDING solution
  • Proxmox Breaks Storage/LVM Backing If Killing QEMU-IMG