HowTo Get a Site's Certificate Fingerprint

I finally got around to setting up TLS to the IRC servers that I use. It is incredible that this is not default or that there does not even seem to be conventional ports. Freenode suggests 6697, 7000, and 7070, but there is an independent draft standard for 6697.

Another server I connect to is protected by a wildcard domain certificate, but WeeChat did not want to verify the certificate:

09:09:28 xmission  -- | irc: reconnecting to server...
09:09:28 xmission  -- | irc: connecting to server irc.xmission.com/6697 (SSL)...
09:09:28 xmission  -- | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange
09:09:28 xmission  -- | gnutls: receiving 1 certificate
09:09:28 xmission  -- |  - certificate[1] info:
09:09:28 xmission  -- |    - subject `CN=*.xmission.com,O=XMission Networks
09:09:28 xmission  -- |      LLC,L=Salt Lake City,ST=Utah,C=US', issuer
09:09:28 xmission  -- |      `CN=DigiCert SHA2 Secure Server CA,O=DigiCert
09:09:28 xmission  -- |      Inc,C=US', serial
09:09:28 xmission  -- |      0x081a17d0d17cfe5abd82f38b2396070e, RSA key
09:09:28 xmission  -- |      2048 bits, signed using RSA-SHA256, activated
09:09:28 xmission  -- |      `2016-02-09 00:00:00 UTC', expires `2019-04-12
09:09:28 xmission  -- |      12:00:00 UTC', key-ID
09:09:28 xmission  -- |      `sha256:a9fbe66d6490806d4c827c9a22f63c3985ffc689af85c737d060458f605b121d'
09:09:28 xmission =!= | gnutls: peer's certificate is NOT trusted
09:09:28 xmission =!= | gnutls: peer's certificate issuer is unknown
09:09:28 xmission =!= | irc: TLS handshake failed
09:09:28 xmission =!= | irc: error: Error in the certificate.

I'm not particularly interested in why the CA certificate bundle that ships with openssl or certifi (mozilla) (both of which I tried) do not automagically enable all the encryptions for this domain since I was able to find an easy workaround for my use case. The workaround involves downloading the certificate and extracting the fingerprint.

$ SERVER=irc.xmission.com
$ PORT=6697
$ echo -n | openssl s_client -connect $SERVER:$PORT 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha256
SHA256 Fingerprint=D9:47:5E:E4:69:24:09:7D:57:B9:5A:A1:2F:B6:3D:94:C5:19:A2:85:46:47:F8:02:3B:24:DF:0A:87:08:33:C9

WeeChat needs the fingerprint without the delimiters (:) at the byte boundaries, so (I'm sure the multiple sed and openssl commands could be factored but that's ostensibly too much effort for the present need):

$ echo -n | openssl s_client -connect $SERVER:$PORT 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha256 | sed 's/SHA256 Fingerprint=//' | sed 's/://g'
D9475EE46924097D57B95AA12FB63D94C519A2854647F8023B24DF0A870833C9

Now, if you randomly happen to have the exact same problem that triggered this descent of inquiry as I, execute the following commands in WeeChat:

/set irc.server.xmission.address irc.xmission.com/6697
/set irc.server.xmission.ssl on
/set irc.server.xmission.ssl_fingerprint D9475EE46924097D57B95AA12FB63D94C519A2854647F8023B24DF0A870833C9
/save
...
/reconnect xmission
...
13:02:10 xmission  -- | irc: disconnected from server
13:02:10 xmission  -- | irc: connecting to server irc.xmission.com/6697 (SSL)...
13:02:10 xmission  -- | gnutls: connected using 2048-bit Diffie-Hellman shared secret exchange
13:02:10 xmission  -- | gnutls: receiving 1 certificate
13:02:10 xmission  -- |  - certificate[1] info:
13:02:10 xmission  -- |    - subject `CN=*.xmission.com,O=XMission Networks
13:02:10 xmission  -- |      LLC,L=Salt Lake City,ST=Utah,C=US', issuer
13:02:10 xmission  -- |      `CN=DigiCert SHA2 Secure Server CA,O=DigiCert
13:02:10 xmission  -- |      Inc,C=US', serial
13:02:10 xmission  -- |      0x081a17d0d17cfe5abd82f38b2396070e, RSA key
13:02:10 xmission  -- |      2048 bits, signed using RSA-SHA256, activated
13:02:10 xmission  -- |      `2016-02-09 00:00:00 UTC', expires `2019-04-12
13:02:10 xmission  -- |      12:00:00 UTC', key-ID
13:02:10 xmission  -- |      `sha256:a9fbe66d6490806d4c827c9a22f63c3985ffc689af85c737d060458f605b121d'
13:02:10 xmission  -- | gnutls: certificate fingerprint matches
13:02:10 xmission  -- | irc: connected to irc.xmission.com/6697 (198.60.22.35)

You will have to verify whether your IRC server respects port 6697 as the TLS port.

Comments