Verifying certificate fingerprint

When opening Pidgin on Ubuntu Linux I received the following warning dialogue with the message “Accept certificate for gmail.com?”. Clicking on “View Certificate” showed the second dialogue.

So how do you verify this?

To start with, get the actual certificate from Gmail and put it in a file:

> openssl s_client -connect gmail.com:443 > cert.pub

The file contents should look something like this:

CONNECTED(00000003)
 depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
 verify error:num=20:unable to get local issuer certificate
 verify return:0
 ---
 Certificate chain
  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIDIjCCAougAwIBAgIQK59+5colpiUUIEeCdTqbuTANBgkqhkiG9w0BAQUFADBM
 MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
 THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x
 MzA5MzAyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
 MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRgw
 FgYDVQQDFA9tYWlsLmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
 AoGBAK85FZho5JL+T0/xu/8NLrD+Jaq9aARnJ+psQ0ynbcvIj36B7ocmJRASVDOe
 qj2bj46Ss0sB4/lKKcMP/ay300yXKT9pVc9wgwSvLgRudNYPFwn+niAkJOPHaJys
 Eb2S5LIbCfICMrtVGy0WXzASI+JMSo3C2j/huL/3OrGGvvDFAgMBAAGjgecwgeQw
 DAYDVR0TAQH/BAIwADA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnRoYXd0
 ZS5jb20vVGhhd3RlU0dDQ0EuY3JsMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEF
 BQcDAgYJYIZIAYb4QgQBMHIGCCsGAQUFBwEBBGYwZDAiBggrBgEFBQcwAYYWaHR0
 cDovL29jc3AudGhhd3RlLmNvbTA+BggrBgEFBQcwAoYyaHR0cDovL3d3dy50aGF3
 dGUuY29tL3JlcG9zaXRvcnkvVGhhd3RlX1NHQ19DQS5jcnQwDQYJKoZIhvcNAQEF
 BQADgYEANYARzVI+hCn7wSjhIOUCj19xZVgdYnJXPOZeJWHTy60i+NiBpOf0rnzZ
 wW2qkw1iB5/yZ0eZNDNPPQJ09IHWOAgh6OKh+gVBnJzJ+fPIo+4NpddQVF4vfXm3
 fgp8tuIsqK7+lNfNFjBxBKqeecPStiSnJavwSI4vw6e7UN0Pz7A=
 -----END CERTIFICATE-----
 subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
 issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 2005 bytes and written 285 bytes
 ---
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
 Server public key is 1024 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol  : SSLv3
     Cipher    : ECDHE-RSA-RC4-SHA
     Session-ID: 45F9A9FA76661A382878C54AD89EB033C1D8CABB1840F6C154B32F406EC05D75
     Session-ID-ctx: 
     Master-Key: 11FA086DFD76443E656F2C487A52B4BCF83A3F7B65C390A15FC2D876EE64E1EBF9FD1B9E8A22E5980D77CD86A11B2BE8
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1331313945
     Timeout   : 7200 (sec)
     Verify return code: 20 (unable to get local issuer certificate)

Then calculate the fingerprint.

> openssl x509 -noout -fingerprint -in cert.pub
SHA1 Fingerprint=59:29:78:A7:2A:90:61:F7:0A:D7:C4:4C:4D:44:9D:CF:25:8C:D5:34

The above fingerprint is different than the one Pidgin was warning me about. In this case I rejected the certificate, told Pidgin to re-connect and on the second attempt got a valid certificate.
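The comparison step above can be scripted. The following is an added example, not part of the original post: it pulls the first certificate out of saved `s_client` output, hashes its DER bytes the way `openssl x509 -fingerprint` does, and compares the result with the fingerprint shown in the dialogue regardless of case, colons or a `SHA1 Fingerprint=` prefix. The function names and the sample input are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def leaf_der(s_client_output: str) -> bytes:
    """Return the DER bytes of the first PEM certificate in the saved output."""
    match = PEM_RE.search(s_client_output)
    if match is None:
        raise ValueError("no certificate found; did the connection succeed?")
    # Drop all whitespace, including any indentation around the base64 lines.
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Digest of the DER encoding, formatted as AA:BB:CC:..."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Strip an optional 'SHA1 Fingerprint=' label, colons, spaces and case."""
    hex_part = re.sub(r"[\s:]", "", fp.split("=", 1)[-1]).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_part):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return hex_part

def matches(s_client_output: str, shown: str, algorithm: str = "sha1") -> bool:
    """True if the saved certificate has the fingerprint shown in the dialogue."""
    actual = fingerprint(leaf_der(s_client_output), algorithm)
    return normalize(actual) == normalize(shown)

# Constructed sample: placeholder bytes, not a real certificate, wrapped the
# way s_client prints the server certificate.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nServer certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\nsubject=/CN=example.invalid\n"
)

if __name__ == "__main__":
    shown = fingerprint(SAMPLE_DER).lower()  # as a dialogue might display it
    print(matches(SAMPLE_OUTPUT, shown))
```

To use it on real data, pass the contents of `cert.pub` and the fingerprint string copied from the certificate dialogue to `matches()`.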
