How to verify SSL SHA-1 Certificate Fingerprnit Signature of your mail/web server to avoid hijacking/man-in-the-middle attacks

This is especially helpful if you run your own servers.  If you are presented with an error message or warning that the signature has changed or does not match the IP/domain you are connecting to you always want to verify manually.

So your e-mail/web client will show you an SHA-1 fingerprint like this:

"Could not verify this certificate because the issuer is unkown" or other reasons such as a mismatch in IP/domain.

It will also show you the "SHA1 fingerprint".   Copy this and compare below with the results of your actual server certificate.

How to verify it against the actual certificate on your server?:

openssl x509 -fingerprint -in /pathto/your-certificate.crt -noout

SHA1 Fingerprint=CD:32:57:8A:66:18:71:87:81:B8:A5:F6:2E:52:3D:15:C5:A9:41:06

How to manually fetch the SHA1 certificate straight from the server to compare?

openssl s_client -showcerts -connect yourdomain.com:port 2>/dev/null|openssl x509 -fingerprint -noout

Automated Bash Script

#!/bin/bash

#change servercertpath to your certificate

servercertpath=/etc/ssl/key.crt

#remote host

#change remote host/ip and port number as necessary

remotehost="realtechtalk.com:443"

localfingerprint=`openssl x509 -fingerprint -in $servercertpath -noout`

#the echo -e \n prints a newline to the SSL client this is necessary or it will never exit so the script will halt and not complete

remotefingerprint=`echo -e "\n"|openssl s_client -showcerts -connect $remotehost 2>/dev/null|openssl x509 -fingerprint -noout`

if [ "$localfingerprint" == "$remotefingerprint" ]; then

echo "OK - Certs match: local=$localfingerprint remote=$remotefingerprint"

else

echo "BAD - Certs don't match could be man in the middle!: local=$localfingerprint remote=$remotefingerprint"

fi

 

Conclusion

This is an important and good way to verify that you are actually talking to who you think you are and that there is no direct interception or Middleman attack.


Tags:

verify, ssl, sha, certificate, fingerprnit, server, hijacking, attacksthis, servers, presented, ip, domain, connecting, manually, fingerprint, quot, issuer, unkown, mismatch, openssl, pathto, crt, noout, fetch, s_client, showcerts, yourdomain, dev, null, automated, bash, bin, servercertpath, etc, remotehost, realtechtalk, localfingerprint, echo, newline, halt, remotefingerprint, ok, certs, fi, interception, middleman,

Latest Articles

  • Linux named / bind how to dump, view and clear the cache!
  • Centos 6 / 7 / 8 How To Change Default nameservers in /etc/resolv.conf when using DHCP / dhclient
  • Adobe Acrobat Reader for Linux to use and view XFA Fillable Forms
  • Debian Linux Mint Ubuntu iptables save and restore settings automatically onboot and reboot
  • Why SMART is not smart at all and doesn't properly predict disk errors that cause a kernel panic or crash
  • scp: ambiguous target error and solution
  • VirtualBox How To Add iSCSI Storage using VBoxManage
  • iSCSI on Centos 7 Configuration and Setup Guide for Initiator and Target
  • Python and BeautifulSoup4's BS4's Decompose Method To Remove Unwanted Inner Tags
  • httpd AH00534: httpd: Configuration error: No MPM loaded. solution
  • bash script to remove modules from httpd.conf that are not actually installed
  • bash scripting how to create a function
  • Centos 7 PHP MySQL Not Working Solution
  • Bash How To Cut or Split Natively And Get The LAST Field
  • Bash Script How To Manipulate Text/Strings By Searchig and Replacing Natively
  • How Does Cisco CUCM (Cisco Unified Communication Manager) Work?
  • What DNS Options Does Active Directory Offer in Windows Server 2008,2012,2016 ?
  • syntax error, unexpected T_SL in PHP Solution
  • grep regular expression match number range between specific numbers
  • bash how to print out lines of text within a range from the first occurrence