I have a basic question regarding fingerprints of HTTPS certificates, the specific case I wanted to check being my online banking service. With Firefox on Linux, I can visit the specific web page and then click on the green lock and go to inspect the certificate, more precisely I can look at its SHA-256 fingerprint. If I now want to compare it with this service, it seems to me I cannot find the same SHA-256 fingerprint there, or at least not in the same format, so what should I check? Also, is there a simple shell script that automates the previous check that I did with Firefox, something like curl https... | sha256sum ?
1 Answer
Try this
echo -n | openssl s_client -connect www.security.us.hsbc.com:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256
The output should look like this:
$ echo -n | openssl s_client -connect www.security.us.hsbc.com:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256
SHA256 Fingerprint=2B:53:3C:29:EF:1E:DD:62:5A:A0:2A:D6:45:99:3C:6E:3F:6E:85:02:F5:D9:1A:85:8B:43:4E:82:90:D9:9C:65
Notice that the SHA256 fingerprint matches the screen shot below taken from Firefox
- thanks for your answer. indeed it works on google.com, but when I try it on security.us.hsbc.com/gsa/SECURITY_LOGON_PAGE with or without the https://www stuff or cutting from gsa/.., then I get: unable to load certificate 140652896214976:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE. do you know what I'm missing? – jj_p Commented Sep 28, 2017 at 17:20
- It doesn't seem like that subdomain exists
  $ host security.us.hsbc.com/
  Host security.us.hsbc.com/ not found: 3(NXDOMAIN)
  – Commented Sep 28, 2017 at 17:29
- also, certificates are bound to domains and subdomains, you should not include anything after the .com or other TLD – Commented Sep 28, 2017 at 17:29
- Ok, I understand what you say, but still Firefox gives a certificate fingerprint for that page that is different than us.hsbc.com. If I click on the link I provided it indeed gives an error, but if I access it by going first to us.hsbc.com/1/2/home/personal-banking and then click the log on button, that's the certificate I'd like to check – jj_p Commented Sep 28, 2017 at 17:33
- btw the script output seems to be 2/3 of the length of the SHA-256 fingerprint that I get from Firefox, is it a different format? – jj_p Commented Sep 28, 2017 at 17:36
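The check from the answer, wrapped into a small script that also covers the two follow-up comments: it refuses a hostname that returns no certificate (the cause of openssl's "no start line" error) and it tells you whether a fingerprint's length is SHA-1 (40 hex digits) or SHA-256 (64 hex digits), so a value that looks "2/3 as long" is recognised for what it is. This is an added example, not the answer's code; the script name check_fp.sh and its command-line arguments are assumptions, and nothing in it is specific to any bank.

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes openssl is installed;
# the host and expected fingerprint come from the command line.

# Normalise a fingerprint so Firefox's display form and openssl's
# "SHA256 Fingerprint=AB:CD:..." form compare equal: strip any label,
# drop colons and spaces, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[: ]//g' | tr 'a-f' 'A-F'
}

# Report which digest a fingerprint of this length belongs to:
# SHA-1 is 20 bytes (40 hex chars), SHA-256 is 32 bytes (64 hex chars).
fp_digest() {
    n=$(normalize_fp "$1")
    case "${#n}" in
        40) echo sha1 ;;
        64) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# Fetch the leaf certificate's SHA-256 fingerprint from host:port.
# Only a hostname goes in: a URL path such as /gsa/... is not part of the
# TLS handshake, and a failed connection yields no PEM block, which is what
# makes "openssl x509" complain "no start line ... Expecting: TRUSTED
# CERTIFICATE". -servername sends SNI so the site returns the right cert.
fetch_fp() {
    host="$1"; port="${2:-443}"
    pem=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null |
          sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p')
    if [ -z "$pem" ]; then
        echo "no certificate received from $host:$port (check the hostname)" >&2
        return 1
    fi
    normalize_fp "$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256)"
}

# Exit 0 when two fingerprints, in any of the accepted forms, are the same.
check_fp() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Usage: sh check_fp.sh www.example.com 2B:53:3C:...   (value copied from Firefox)
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    got=$(fetch_fp "$1") || exit 1
    [ "$(fp_digest "$2")" = sha256 ] || echo "warning: expected value is not SHA-256 length" >&2
    if check_fp "$got" "$2"; then echo "fingerprint matches"; else echo "MISMATCH: server sent $got" >&2; exit 2; fi
fi
```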