{"id":507,"date":"2012-03-09T12:48:10","date_gmt":"2012-03-09T17:48:10","guid":{"rendered":"http:\/\/kamivaniea.com\/?p=507"},"modified":"2013-08-01T17:24:40","modified_gmt":"2013-08-01T21:24:40","slug":"verifying-certificate-fingerprint","status":"publish","type":"post","link":"https:\/\/kamivaniea.com\/?p=507","title":{"rendered":"Verifying certificate fingerprint"},"content":{"rendered":"

When opening pidgin on Ubuntu Linux I received the following warning dialogue with the message “Accept certificate for gmail.com?”. Clicking on “View Certificate” showed the second dialogue.<\/p>\n

\"\"<\/a><\/p>\n

So how do you verify this?<\/p>\n

To start with get the actual certificate from gmail and put it in a file<\/p>\n

> openssl s_client -connect gmail.com:443 > cert.pub<\/pre>\n
The file contents should look something like this:<\/p>\n
CONNECTED(00000003)<\/span>\r\n depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA<\/span>\r\n verify error:num=20:unable to get local issuer certificate<\/span>\r\n verify return:0<\/span>\r\n ---<\/span>\r\n Certificate chain<\/span>\r\n \u00c2\u00a00 s:\/C=US\/ST=California\/L=Mountain View\/O=Google Inc\/CN=mail.google.com<\/span>\r\n \u00c2\u00a0\u00c2\u00a0 i:\/C=ZA\/O=Thawte Consulting (Pty) Ltd.\/CN=Thawte SGC CA<\/span>\r\n \u00c2\u00a01 s:\/C=ZA\/O=Thawte Consulting (Pty) Ltd.\/CN=Thawte SGC CA<\/span>\r\n \u00c2\u00a0\u00c2\u00a0 i:\/C=US\/O=VeriSign, Inc.\/OU=Class 3 Public Primary Certification Authority<\/span>\r\n ---<\/span>\r\n Server certificate<\/span>\r\n -----BEGIN CERTIFICATE-----<\/span>\r\n MIIDIjCCAougAwIBAgIQK59+5colpiUUIEeCdTqbuTANBgkqhkiG9w0BAQUFADBM<\/span>\r\n MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg<\/span>\r\n THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x<\/span>\r\n MzA5MzAyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh<\/span>\r\n MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRgw<\/span>\r\n FgYDVQQDFA9tYWlsLmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ<\/span>\r\n AoGBAK85FZho5JL+T0\/xu\/8NLrD+Jaq9aARnJ+psQ0ynbcvIj36B7ocmJRASVDOe<\/span>\r\n qj2bj46Ss0sB4\/lKKcMP\/ay300yXKT9pVc9wgwSvLgRudNYPFwn+niAkJOPHaJys<\/span>\r\n Eb2S5LIbCfICMrtVGy0WXzASI+JMSo3C2j\/huL\/3OrGGvvDFAgMBAAGjgecwgeQw<\/span>\r\n DAYDVR0TAQH\/BAIwADA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnRoYXd0<\/span>\r\n ZS5jb20vVGhhd3RlU0dDQ0EuY3JsMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEF<\/span>\r\n BQcDAgYJYIZIAYb4QgQBMHIGCCsGAQUFBwEBBGYwZDAiBggrBgEFBQcwAYYWaHR0<\/span>\r\n cDovL29jc3AudGhhd3RlLmNvbTA+BggrBgEFBQcwAoYyaHR0cDovL3d3dy50aGF3<\/span>\r\n dGUuY29tL3JlcG9zaXRvcnkvVGhhd3RlX1NHQ19DQS5jcnQwDQYJKoZIhvcNAQEF<\/span>\r\n BQADgYEANYARzVI+hCn7wSjhIOUCj19xZVgdYnJXPOZeJWHTy60i+NiBpOf0rnzZ<\/span>\r\n wW2qkw1iB5\/yZ0eZNDNPPQJ09IHWOAgh6OKh+gVBnJzJ+fPIo+4NpddQVF4vfXm3<\/span>\r\n fgp8tuIsqK7+lNfNFjBxBKqeecPStiSnJavwSI4vw6e7UN0Pz7A=<\/span>\r\n -----END CERTIFICATE-----<\/span>\r\n subject=\/C=US\/ST=California\/L=Mountain View\/O=Google Inc\/CN=mail.google.com<\/span>\r\n issuer=\/C=ZA\/O=Thawte Consulting (Pty) Ltd.\/CN=Thawte SGC CA<\/span>\r\n ---<\/span>\r\n No client certificate CA names sent<\/span>\r\n ---<\/span>\r\n SSL handshake has read 2005 bytes and written 285 bytes<\/span>\r\n ---<\/span>\r\n New, TLSv1\/SSLv3, Cipher is ECDHE-RSA-RC4-SHA<\/span>\r\n Server public key is 1024 bit<\/span>\r\n Secure Renegotiation IS supported<\/span>\r\n Compression: NONE<\/span>\r\n Expansion: NONE<\/span>\r\n SSL-Session:<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Protocol\u00c2\u00a0 : SSLv3<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Cipher\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 : ECDHE-RSA-RC4-SHA<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Session-ID: 45F9A9FA76661A382878C54AD89EB033C1D8CABB1840F6C154B32F406EC05D75<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Session-ID-ctx: <\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Master-Key: 11FA086DFD76443E656F2C487A52B4BCF83A3F7B65C390A15FC2D876EE64E1EBF9FD1B9E8A22E5980D77CD86A11B2BE8<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Key-Arg\u00c2\u00a0\u00c2\u00a0 : None<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 PSK identity: None<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 PSK identity hint: None<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Start Time: 1331313945<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Timeout\u00c2\u00a0\u00c2\u00a0 : 7200 (sec)<\/span>\r\n \u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 Verify return code: 20 (unable to get local issuer certificate)<\/span><\/pre>\n
Then calculate the fingerprint.<\/p>\n
> openssl x509 -noout -fingerprint -in cert.pub\r\nSHA1 Fingerprint=59:29:78:A7:2A:90:61:F7:0A:D7:C4:4C:4D:44:9D:CF:25:8C:D5:34<\/pre>\n
The above fingerprint is different than the one Pidgin was warning me about. In this case I rejected the certificate, told pidgin to re-connect and on the second attempt got a valid certificate.<\/p>\n","protected":false},"excerpt":{"rendered":"
When opening pidgin on Ubuntu Linux I received the following warning dialogue with the message “Accept certificate for gmail.com?”. Clicking on “View Certificate” showed the second dialogue. So how do you verify this? To start with get the actual certificate from gmail and put it in a file > openssl s_client -connect gmail.com:443 > cert.pub […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7],"tags":[8,25],"class_list":["post-507","post","type-post","status-publish","format-standard","hentry","category-application-debug","tag-pidgin","tag-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2u4LH-8b","_links":{"self":[{"href":"https:\/\/kamivaniea.com\/index.php?rest_route=\/wp\/v2\/posts\/507","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kamivaniea.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kamivaniea.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kamivaniea.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/kamivaniea.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=507"}],"version-history":[{"count":5,"href":"https:\/\/kamivaniea.com\/index.php?rest_route=\/wp\/v2\/posts\/507\/revisions"}],"predecessor-version":[{"id":625,"href":"https:\/\/kamivaniea.com\/index.php?rest_route=\/wp\/v2\/posts\/507\/revisions\/625"}],"wp:attachment":[{"href":"https:\/\/kamivaniea.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kamivaniea.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kamivaniea.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}