How to verify SSL SHA-1 Certificate Fingerprnit Signature of your mail/web server to avoid hijacking/man-in-the-middle attacks -

How to verify SSL SHA-1 Certificate Fingerprnit Signature of your mail/web server to avoid hijacking/man-in-the-middle attacks

This is especially helpful if you run your own servers.  If you are presented with an error message or warning that the signature has changed or does not match the IP/domain you are connecting to you always want to verify manually.

So your e-mail/web client will show you an SHA-1 fingerprint like this:

"Could not verify this certificate because the issuer is unkown" or other reasons such as a mismatch in IP/domain.

It will also show you the "SHA1 fingerprint".   Copy this and compare below with the results of your actual server certificate.

How to verify it against the actual certificate on your server?:

openssl x509 -fingerprint -in /pathto/your-certificate.crt -noout

SHA1 Fingerprint=CD:32:57:8A:66:18:71:87:81:B8:A5:F6:2E:52:3D:15:C5:A9:41:06

How to manually fetch the SHA1 certificate straight from the server to compare?

openssl s_client -showcerts -connect yourdomain.com:port 2>/dev/null|openssl x509 -fingerprint -noout

Conclusion

This is an important and good way to verify that you are actually talking to who you think you are and that there is no direct interception or Middleman attack.


  • bash Linux how to get first or last letters of a word
  • l2tp ipsec VPN Error Sep 12 18:16:25 vps pluto[7299]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.5.6.2 port 20640, complainant 192.5.6.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated
  • Centos 5.9 Working Vault Repo file
  • Disable SSH Password Authentication to Increase Security and Harden SSH Linux Unix Server Ubuntu Mint Centos Debian
  • ecryptfs how to mount or recover from a backup
  • Linux bash script to see what connected computers respond to ping
  • rsync specify alternate port non-standard port than 22
  • Centos 6.6/6.9 KVM VM Kernel Panic On Boot - Kernel panic - not syncing: Attempted to kill init!
  • Cannot allocate TUN/TAP dev dynamically - FreeBSD/OpenBSD OpenVPN Client error Solution
  • Linux Mint/Ubuntu/Debian apt how to downgrade a package
  • Ubuntu Linux Mint How To Exclude Stop Package from being Upgraded or Installed
  • Intel NUC Lower Power Green Computing Boxes Review/Comparison of J3160 and J3455 Models
  • How to backup entire computer Linux Mint Ubuntu with tar
  • tar how to ignore failed reads and not exit
  • kdenlive titles/text renders as white screen when using .sh script
  • [1035724.274610] [drm:intel_pipe_update_end [i915_bpo]] *ERROR* Atomic update failure on pipe A (start=62076478 end=62076479) time 102 us, min 894, max 899, scanline start 893, end 900 W: Possible missing firmware /lib/firmware/i915/kbl_dmc_ver1.bin
  • ffmpeg how to watermark and concatenate in one command
  • /usr/bin/ld: cannot find -lboost_system-mt-s /usr/bin/ld: cannot find -lboost_filesystem-mt-s /usr/bin/ld: cannot find -lboost_program_options-mt-s /usr/bin/ld: cannot find -lboost_thread-mt-s collect2: error: ld returned 1 exit status make: *** [cag
  • Wine uninstalled broken on Linux Mint
  • ffmpeg trouble concatenating similar but different files