Recently Mercurial has added certificate validation when connecting to HTTPS servers. I'm trying to clone the wiki repository for a googlecode project at https://wiki
this is also enough:
openssl x509 -fingerprint -in server.crt
Since Mercurial 3.9, Mercurial requires the more secure SHA-256 fingerprint, as opposed to SHA-1 from prior versions. Jeremiah's answer explains how to compute the SHA-1 fingerprint. As pointed out in J.Money's comment, one must now add the -sha256 flag to get the correct fingerprint.
openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin
where <host>:<port> should be substituted as appropriate. (To answer the original question, one would use wiki.pydlnadms.googlecode.com:443, as noted by yanokwa.) You must omit https:// from the URL, otherwise you will get the error Expecting: TRUSTED CERTIFICATE.
One can then add the resulting SHA-256 fingerprint to Mercurial's global settings file (~/.hgrc).
Since nobody commented on this I wanted to try and clear up some of the confusion regarding subdomains:
the certificate is for *.googlecode.com. I was under the impression that this is called a wildcard domain and valid for all subdomains
You are partially correct. A wildcard certificate is valid for all direct subdomains but not for subdomains of subdomains.
So *.googlecode.com is valid for pydlnadms.googlecode.com but not for wiki.pydlnadms.googlecode.com.
For that you'd need a certificate for *.pydlnadms.googlecode.com or a non-wildcard certificate for wiki.pydlnadms.googlecode.com.
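The one-label wildcard rule described above, as an added Python example that is not part of the original answer and is not Mercurial's or OpenSSL's matching code. The function names are hypothetical, and the matcher is a simplified RFC 6125-style check that accepts a wildcard only as the whole left-most label.

```python
# Added illustration: simplified RFC 6125-style name matching.
# name_matches / cert_covers are hypothetical helper names.

def _labels(name):
    """Lower-case a DNS name, drop one trailing root dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def name_matches(pattern, hostname):
    """Return True if one certificate name (pattern) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard never spans a dot, so both names need the same label count.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    # Wildcards anywhere except the left-most label are rejected.
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "w*" are not handled here
    return p == h


def cert_covers(cert_names, hostname):
    """Return the certificate names that cover hostname (empty list: mismatch)."""
    return [n for n in cert_names if name_matches(n, hostname)]


if __name__ == "__main__":
    # Names taken from the discussion above; the list of hosts is constructed.
    cert_names = ["*.googlecode.com"]
    for host in ("pydlnadms.googlecode.com",
                 "wiki.pydlnadms.googlecode.com",
                 "googlecode.com"):
        verdict = "ok" if cert_covers(cert_names, host) else "MISMATCH"
        print(f"{host:35} {verdict}")
```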
The page at http://wiki.debuntu.org/wiki/OpenSSL#Retrieving_certificate_informations lists the command lines for that (and printing out the relevant information). From that page and some of the man pages, it seems like what you want is (for bash):
openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
If you want the whole certificate, leave off the | symbol and everything after it.
This is an old thread but there is an easier way I found. Assuming you have the crt file:
$ cat server.crt|openssl x509 -fingerprint
MD5 Fingerprint=D1:BA:B0:17:66:6D:7F:42:7B:91:1E:22:7E:3A:27:D2