Asked Monday, September 26, 2022 (35 votes, 1 answer, 116012 hits)

Using a command-line website downloader, such as wget, curl or any other one, in a script...



I have the SHA-1 and the SHA-256 certificate fingerprint of a website. Due to security concerns (1) (2), I don't want to use the public SSL certificate authority system. The fingerprint must be hard-coded.



Can a wget like application check the SSL fingerprint?



wget does not have such a functionality. (3)



Using wget --ca-certificate or curl --cacert I would have to run my own local certificate authority, which I'd like to avoid, because that adds a lot of complexity. It's also ultra difficult and no one has ever done that before. (4)



Isn't there any tool, like

download --tlsv1 --serial-number xx:yy:zz --fingerprint xxyyzz https://site.com?



The solution must of course not be vulnerable to TOCTOU. (5) The MITM could return a valid fingerprint for the openssl client request and tamper with the following wget request.


Answers

Source



Install required software:



apt-get install ca-certificates curl


Download the public SSL certificate:



openssl s_client -connect torproject.org:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt >./x.cert </dev/null


Or better:



echo -n | openssl s_client -connect torproject.org:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./torproject.pem


Get SHA-1 fingerprint:



openssl x509 -noout -in torproject.pem -fingerprint -sha1


Get SHA-256 fingerprint:



openssl x509 -noout -in torproject.pem -fingerprint -sha256


Manually compare SHA-1 and SHA-256 fingerprints with torproject.org FAQ: SSL.





Optionally render the ca-certificates useless for testing purposes.
Using curl here, because wget has a bug and uses the CA files anyway.



sudo mv /usr/share/ca-certificates /usr/share/ca-certificates_


Download with curl and the pinned certificate:



curl --cacert ./torproject.pem https://check.torproject.org/ > check.html

Answered Wednesday, September 28, 2022
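As an added example (not part of the answer above, nor of any project's code), here is the same pin applied inside a script in a way that closes the TOCTOU gap the question raises: the SHA-256 fingerprint of the server certificate is checked on the very TLS session the HTTP request is then sent over, so there is no separate "openssl first, wget second" window for a MITM to sit in. The expected fingerprint is accepted in the OpenSSL display form produced by `openssl x509 -fingerprint -sha256` (colon-separated, any case) or as bare hex. Host, path and fingerprint are assumptions supplied by the caller; `SAMPLE_DER` is constructed test data, not a real certificate.

```python
"""Fetch a URL over TLS while pinning the server certificate's SHA-256 fingerprint.

Added example. The pin is verified on the same TLS session that carries the
request, which is what makes it TOCTOU-safe compared with a separate
openssl s_client check followed by a second wget/curl connection.
"""
import hashlib
import hmac
import socket
import ssl
import sys

# Constructed sample bytes standing in for a DER certificate (NOT a real cert);
# only used to exercise the fingerprint helpers offline.
SAMPLE_DER = bytes(range(256)) * 3


def parse_fingerprint(fp: str) -> bytes:
    """Turn 'AB:CD:...' (OpenSSL display form) or bare hex into raw digest bytes."""
    return bytes.fromhex(fp.strip().replace(":", ""))


def fingerprint_display(der_cert: bytes) -> str:
    """Format the SHA-256 of a DER certificate exactly as
    `openssl x509 -noout -fingerprint -sha256` prints it (after the '=')."""
    digest = hashlib.sha256(der_cert).digest()
    return ":".join(f"{b:02X}" for b in digest)


def cert_matches(der_cert: bytes, expected_sha256: str) -> bool:
    """True iff SHA-256(DER certificate) equals the pinned value.

    This pins the leaf certificate, like the answer's --cacert trick, so the
    hard-coded value must be refreshed whenever the site renews its cert.
    compare_digest also returns False (not an exception) on length mismatch.
    """
    actual = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(actual, parse_fingerprint(expected_sha256))


def fetch_pinned(host: str, path: str, expected_sha256: str,
                 port: int = 443, timeout: float = 10.0) -> bytes:
    """GET https://host:port/path, trusting ONLY the pinned certificate.

    Chain validation against the system CA store is deliberately off: the
    pin is the trust anchor here, which is the premise of the question.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # we verify by pin instead
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname is still sent as SNI so the right cert is served.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)  # DER even with CERT_NONE
            if der is None or not cert_matches(der, expected_sha256):
                raise ssl.SSLCertVerificationError(
                    f"certificate fingerprint mismatch for {host}; got "
                    f"{fingerprint_display(der) if der else 'no certificate'}")
            # Same session as the check above: nothing to swap in between.
            request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                       f"Connection: close\r\n\r\n").encode("ascii")
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # usage: script.py HOST PATH SHA256_FINGERPRINT  (all supplied by the caller)
    sys.stdout.buffer.write(fetch_pinned(sys.argv[1], sys.argv[2], sys.argv[3]))
```

The response is returned raw (status line, headers and body) because the point of the example is the pin, not HTTP parsing; pipe it into whatever your script already does with curl's output. Note that a pin on the leaf certificate breaks at every renewal, so a script like this should fail loudly, as the exception here does, rather than fall back to the CA system.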
Question author: shionnky (Montenegro; member since Thu, Jun 16, 2022)