How to verify SSL SHA-1 Certificate Fingerprnit Signature of your mail/web server to avoid hijacking/man-in-the-middle attacks

This is especially helpful if you run your own servers.  If you are presented with an error message or warning that the signature has changed or does not match the IP/domain you are connecting to you always want to verify manually.

So your e-mail/web client will show you an SHA-1 fingerprint like this:

"Could not verify this certificate because the issuer is unkown" or other reasons such as a mismatch in IP/domain.

It will also show you the "SHA1 fingerprint".   Copy this and compare below with the results of your actual server certificate.

How to verify it against the actual certificate on your server?:

openssl x509 -fingerprint -in /pathto/your-certificate.crt -noout

SHA1 Fingerprint=CD:32:57:8A:66:18:71:87:81:B8:A5:F6:2E:52:3D:15:C5:A9:41:06

How to manually fetch the SHA1 certificate straight from the server to compare?

openssl s_client -showcerts -connect yourdomain.com:port 2>/dev/null|openssl x509 -fingerprint -noout

Automated Bash Script

#!/bin/bash

#change servercertpath to your certificate

servercertpath=/etc/ssl/key.crt

#remote host

#change remote host/ip and port number as necessary

remotehost="realtechtalk.com:443"

localfingerprint=`openssl x509 -fingerprint -in $servercertpath -noout`

#the echo -e \n prints a newline to the SSL client this is necessary or it will never exit so the script will halt and not complete

remotefingerprint=`echo -e "\n"|openssl s_client -showcerts -connect $remotehost 2>/dev/null|openssl x509 -fingerprint -noout`

if [ "$localfingerprint" == "$remotefingerprint" ]; then

echo "OK - Certs match: local=$localfingerprint remote=$remotefingerprint"

else

echo "BAD - Certs don't match could be man in the middle!: local=$localfingerprint remote=$remotefingerprint"

fi

 

Conclusion

This is an important and good way to verify that you are actually talking to who you think you are and that there is no direct interception or Middleman attack.


Tags:

verify, ssl, sha, certificate, fingerprnit, server, hijacking, attacksthis, servers, presented, ip, domain, connecting, manually, fingerprint, quot, issuer, unkown, mismatch, openssl, pathto, crt, noout, fetch, s_client, showcerts, yourdomain, dev, null, automated, bash, bin, servercertpath, etc, remotehost, realtechtalk, localfingerprint, echo, newline, halt, remotefingerprint, ok, certs, fi, interception, middleman,

Latest Articles

  • CentOS 8 how to restart the network!
  • CentOS 8 how to convert to a bootable mdadm RAID software array
  • ADATA USB Thumb Drive Issues
  • KMODE EXCEPTION NOT HANDLED - QEMU/KVM Won't Boot Windows 2016 or 10 Image or Physical Machine
  • Linux Mint / Ubuntu / Debian Mate Disable Guest Session and Hide Usernames on Lightdm Login screen GUI
  • SSH How To Create Public/Private Key Pair and with a Larger Keysize than 2048 bits
  • selenium.common.exceptions.WebDriverException: Message: Can not connect to the Service geckodriver
  • python ModuleNotFoundError: No module named 'bs4' even though you have the module
  • ssh how to connect using a SOCKS 5 proxy with nc and proxycommand
  • Enable AMDGPU Linux Driver
  • apache symlinks denied even with followsymlinks
  • chown how to change ownership on a symlink
  • how to use ifplugd in Linux to execute a command or script when a NIC cable is unplugged or plugged in
  • dd how to backup and restore disk images including compression with gzip
  • mpv / mplayer with Radeon / AMD GPU Video Card Driver enable VDPAU GPU Accelerated Video Decoding
  • Wordpress Reset Blog User Password from MySQL Using Linux Bash and not PHPMyadmin
  • Ubuntu Linux Mint Debian xorg performance and tear-free tuning for AMD Radeon Based Cards
  • Centos 7 Stopped and Disabled Firewalld and ports still blocked
  • MariaDB / MySQL Reset Root Forgotten Password on Centos 7
  • Centos 7 How to install Mysql/Mariadb