How to verify SSL SHA-1 Certificate Fingerprnit Signature of your mail/web server to avoid hijacking/man-in-the-middle attacks -

How to verify SSL SHA-1 Certificate Fingerprnit Signature of your mail/web server to avoid hijacking/man-in-the-middle attacks

This is especially helpful if you run your own servers.  If you are presented with an error message or warning that the signature has changed or does not match the IP/domain you are connecting to you always want to verify manually.

So your e-mail/web client will show you an SHA-1 fingerprint like this:

"Could not verify this certificate because the issuer is unkown" or other reasons such as a mismatch in IP/domain.

It will also show you the "SHA1 fingerprint".   Copy this and compare below with the results of your actual server certificate.

How to verify it against the actual certificate on your server?:

openssl x509 -fingerprint -in /pathto/your-certificate.crt -noout

SHA1 Fingerprint=CD:32:57:8A:66:18:71:87:81:B8:A5:F6:2E:52:3D:15:C5:A9:41:06

How to manually fetch the SHA1 certificate straight from the server to compare?

openssl s_client -showcerts -connect yourdomain.com:port 2>/dev/null|openssl x509 -fingerprint -noout

Automated Bash Script

#!/bin/bash

#change servercertpath to your certificate

servercertpath=/etc/ssl/key.crt

#remote host

#change remote host/ip and port number as necessary

remotehost="realtechtalk.com:443"

localfingerprint=`openssl x509 -fingerprint -in $servercertpath -noout`

#the echo -e \n prints a newline to the SSL client this is necessary or it will never exit so the script will halt and not complete

remotefingerprint=`echo -e "\n"|openssl s_client -showcerts -connect $remotehost 2>/dev/null|openssl x509 -fingerprint -noout`

if [ "$localfingerprint" == "$remotefingerprint" ]; then

echo "OK - Certs match: local=$localfingerprint remote=$remotefingerprint"

else

echo "BAD - Certs don't match could be man in the middle!: local=$localfingerprint remote=$remotefingerprint"

fi

 

Conclusion

This is an important and good way to verify that you are actually talking to who you think you are and that there is no direct interception or Middleman attack.


  • Prevent SSH Bruteforce and Hacks By Disabling Password Authentication
  • SMF Forums / Simple Machines Forums Not Displaying Images Theme or Styles Properly using 127.0.0.1
  • solution mysqldump: Got error: 1044: Access denied for user 'user'@'localhost' to database 'thedb' when using LOCK TABLES
  • MySQL How To Grant Access To ALL Databases For Export and Backup Purposes
  • mdadm how to stop or start a check
  • vzquota : (error) Quota on syscall for id 4532: No such file or directory vzquota on failed [3] OpenVZ Error and Solution
  • Apache htaccess Custom ErrorDocument not working properly for root home page 403 Error Issue and Solution
  • syslinux / pxelinux how to boot from local drive how to
  • samba how to listen on specific IP only
  • How To Install Windows Server 7 8 10 12 2008 2012 2014 2016 Servers Desktops using Linux tftp, dhcpd and samba
  • error: Could not locate RPC credentials. No authentication cookie could be found, and no rpcpassword is set in the configuration file Bitcoin Litecoin Error
  • OpenVZ Solutions vzquota : (error) Can't open quota file for id 123123, maybe you need to reinitialize quota: No such file or directory
  • curl: (35) Unknown SSL protocol error in connection Solution Centos
  • sudo: unable to resolve host
  • "Object of class WP_Term could not be converted to string"
  • Wordpress Instagram Post Modify Plugin To Add Tags
  • Linux input/output error invalid program cannot read data on some CD-Rs and DVD-Rs on ASUS BW-16D1HT
  • Installing SSL Certificate with Chain Intermediary CA File
  • PHP Warning: Cannot load module 'XCache' because conflicting module 'apc' is already loaded in Unknown on line 0
  • Unable to load dynamic library '/usr/lib64/php/modules/module.so' - /usr/lib64/php/modules/module.so: cannot open shared object file: No such file or directory in Unknown on line 0