http://findlay.space/enContents © 2020 <a href="mailto:justin@findlay.space">jmoney</a> <a rel="license" href="https://creativecommons.org/licenses/by-nc-sa/4.0/"> <img alt="Creative Commons License BY-NC-SA" style="border-width:0; margin-bottom:12px;" src="https://i.creativecommons.org/l/by-nc-sa/4.0/88x31.png"></a>Fri, 11 Sep 2020 20:35:47 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rsshttp://findlay.space/posts/howto-get-a-sites-certificate-fingerprint/jmoney<div><p>I finally got around to setting up TLS to the IRC servers that I use. It is incredible that this is not default or that there does not even seem to be conventional ports. <a class="reference external" href="https://freenode.net/kb/answer/chat">Freenode</a> <a class="reference external" href="https://freenode.net/news/port-6697-irc-via-tlsssl">suggests</a> <code class="docutils literal">6697</code>, <code class="docutils literal">7000</code>, and <code class="docutils literal">7070</code>, but there is an <a class="reference external" href="https://tools.ietf.org/html/draft-hartmann-default-port-for-irc-via-tls-ssl-09">independent draft standard</a> for <code class="docutils literal">6697</code>.</p> <!-- TEASER_END --> <p><a class="reference external" href="irc://irc.xmission.com/">Another server</a> I connect to is protected by a wildcard domain certificate, but WeeChat did not want to verify the certificate:</p> <pre class="code irc"><a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-1"></a>09:09:28 xmission -- | irc: reconnecting to server... <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-2"></a>09:09:28 xmission -- | irc: connecting to server irc.xmission.com/6697 (SSL)... <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-3"></a>09:09:28 xmission -- | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-4"></a>09:09:28 xmission -- | gnutls: receiving 1 certificate <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-5"></a>09:09:28 xmission -- | - certificate[1] info: <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-6"></a>09:09:28 xmission -- | - subject `CN=*.xmission.com,O=XMission Networks <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-7"></a>09:09:28 xmission -- | LLC,L=Salt Lake City,ST=Utah,C=US', issuer <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-8"></a>09:09:28 xmission -- | `CN=DigiCert SHA2 Secure Server CA,O=DigiCert <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-9"></a>09:09:28 xmission -- | Inc,C=US', serial <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-10"></a>09:09:28 xmission -- | 0x081a17d0d17cfe5abd82f38b2396070e, RSA key <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-11"></a>09:09:28 xmission -- | 2048 bits, signed using RSA-SHA256, activated <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-12"></a>09:09:28 xmission -- | `2016-02-09 00:00:00 UTC', expires `2019-04-12 <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-13"></a>09:09:28 xmission -- | 12:00:00 UTC', key-ID <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-14"></a>09:09:28 xmission -- | `sha256:a9fbe66d6490806d4c827c9a22f63c3985ffc689af85c737d060458f605b121d' <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-15"></a>09:09:28 xmission =!= | gnutls: peer's certificate is NOT trusted <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-16"></a>09:09:28 xmission =!= | gnutls: peer's certificate issuer is unknown <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-17"></a>09:09:28 xmission =!= | irc: TLS handshake failed <a name="rest_code_a8b0bb68a3f94c7b9fc1e95a4a0fe5f1-18"></a>09:09:28 xmission =!= | irc: error: Error in the certificate. </pre><p>I'm not particularly interested in why the CA certificate bundle that ships with openssl or certifi (mozilla) (both of which I tried) do not automagically enable all the encryptions for this domain since I was able to find an easy workaround for my use case. The workaround involves <a class="reference external" href="https://serverfault.com/questions/139728/192731">downloading the certificate</a> and <a class="reference external" href="https://unix.stackexchange.com/questions/140601/140606">extracting the fingerprint</a>.</p> <pre class="code bash"><a name="rest_code_2ea4d9d2010844938a9bfd8658e020aa-1"></a>$ <span class="nv">SERVER</span><span class="o">=</span>irc.xmission.com <a name="rest_code_2ea4d9d2010844938a9bfd8658e020aa-2"></a>$ <span class="nv">PORT</span><span class="o">=</span><span class="m">6697</span> <a name="rest_code_2ea4d9d2010844938a9bfd8658e020aa-3"></a>$ <span class="nb">echo</span> -n <span class="p">|</span> openssl s_client -connect <span class="nv">$SERVER</span>:<span class="nv">$PORT</span> <span class="m">2</span>&gt;/dev/null <span class="p">|</span> sed -ne <span class="s1">'/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'</span> <span class="p">|</span> openssl x509 -noout -fingerprint -sha256 <a name="rest_code_2ea4d9d2010844938a9bfd8658e020aa-4"></a>SHA256 <span class="nv">Fingerprint</span><span class="o">=</span>D9:47:5E:E4:69:24:09:7D:57:B9:5A:A1:2F:B6:3D:94:C5:19:A2:85:46:47:F8:02:3B:24:DF:0A:87:08:33:C9 </pre><p>WeeChat needs the fingerprint without the delimiters (<code class="docutils literal">:</code>) at the byte boundaries, so (I'm sure the multiple sed and openssl commands could be factored but that's ostensibly too much effort for the present need):</p> <pre class="code bash"><a name="rest_code_739b2e16110e40f7b97871e4e8ca7d8d-1"></a>$ <span class="nb">echo</span> -n <span class="p">|</span> openssl s_client -connect <span class="nv">$SERVER</span>:<span class="nv">$PORT</span> <span class="m">2</span>&gt;/dev/null <span class="p">|</span> sed -ne <span class="s1">'/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'</span> <span class="p">|</span> openssl x509 -noout -fingerprint -sha256 <span class="p">|</span> sed <span class="s1">'s/SHA256 Fingerprint=//'</span> <span class="p">|</span> sed <span class="s1">'s/://g'</span> <a name="rest_code_739b2e16110e40f7b97871e4e8ca7d8d-2"></a>D9475EE46924097D57B95AA12FB63D94C519A2854647F8023B24DF0A870833C9 </pre><p>Now, if you randomly happen to have the exact same problem that triggered this descent of inquiry as I, execute the following commands in WeeChat:</p> <pre class="code irc"><a name="rest_code_abd46acd85154036a63583df82218826-1"></a>/set irc.server.xmission.address irc.xmission.com/6697 <a name="rest_code_abd46acd85154036a63583df82218826-2"></a>/set irc.server.xmission.ssl on <a name="rest_code_abd46acd85154036a63583df82218826-3"></a>/set irc.server.xmission.ssl_fingerprint D9475EE46924097D57B95AA12FB63D94C519A2854647F8023B24DF0A870833C9 <a name="rest_code_abd46acd85154036a63583df82218826-4"></a>/save <a name="rest_code_abd46acd85154036a63583df82218826-5"></a>... <a name="rest_code_abd46acd85154036a63583df82218826-6"></a>/reconnect xmission <a name="rest_code_abd46acd85154036a63583df82218826-7"></a>... <a name="rest_code_abd46acd85154036a63583df82218826-8"></a>13:02:10 xmission -- | irc: disconnected from server <a name="rest_code_abd46acd85154036a63583df82218826-9"></a>13:02:10 xmission -- | irc: connecting to server irc.xmission.com/6697 (SSL)... <a name="rest_code_abd46acd85154036a63583df82218826-10"></a>13:02:10 xmission -- | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange <a name="rest_code_abd46acd85154036a63583df82218826-11"></a>13:02:10 xmission -- | gnutls: receiving 1 certificate <a name="rest_code_abd46acd85154036a63583df82218826-12"></a>13:02:10 xmission -- | - certificate[1] info: <a name="rest_code_abd46acd85154036a63583df82218826-13"></a>13:02:10 xmission -- | - subject `CN=*.xmission.com,O=XMission Networks <a name="rest_code_abd46acd85154036a63583df82218826-14"></a>13:02:10 xmission -- | LLC,L=Salt Lake City,ST=Utah,C=US', issuer <a name="rest_code_abd46acd85154036a63583df82218826-15"></a>13:02:10 xmission -- | `CN=DigiCert SHA2 Secure Server CA,O=DigiCert <a name="rest_code_abd46acd85154036a63583df82218826-16"></a>13:02:10 xmission -- | Inc,C=US', serial <a name="rest_code_abd46acd85154036a63583df82218826-17"></a>13:02:10 xmission -- | 0x081a17d0d17cfe5abd82f38b2396070e, RSA key <a name="rest_code_abd46acd85154036a63583df82218826-18"></a>13:02:10 xmission -- | 2048 bits, signed using RSA-SHA256, activated <a name="rest_code_abd46acd85154036a63583df82218826-19"></a>13:02:10 xmission -- | `2016-02-09 00:00:00 UTC', expires `2019-04-12 <a name="rest_code_abd46acd85154036a63583df82218826-20"></a>13:02:10 xmission -- | 12:00:00 UTC', key-ID <a name="rest_code_abd46acd85154036a63583df82218826-21"></a>13:02:10 xmission -- | `sha256:a9fbe66d6490806d4c827c9a22f63c3985ffc689af85c737d060458f605b121d' <a name="rest_code_abd46acd85154036a63583df82218826-22"></a>13:02:10 xmission -- | gnutls: certificate fingerprint matches <a name="rest_code_abd46acd85154036a63583df82218826-23"></a>13:02:10 xmission -- | irc: connected to irc.xmission.com/6697 (198.60.22.35) </pre><p>You will have to verify whether your IRC server <a class="reference external" href="https://tools.ietf.org/html/draft-hartmann-default-port-for-irc-via-tls-ssl-09">respects</a> port <code class="docutils literal">6697</code> as the TLS port.</p></div>certificatefingerprintopensslshatlsweechathttp://findlay.space/posts/howto-get-a-sites-certificate-fingerprint/Mon, 12 Feb 2018 21:16:29 GMT