How to verify the SSL fingerprint by command line? (wget, curl, ...)
Source
Install required software:
apt-get install ca-certificates curl
Download the public SSL certificate:
openssl s_client -connect torproject.org:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt >./x.cert </dev/null
Or better:
echo -n | openssl s_client -connect torproject.org:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./torproject.pem
Get SHA-1 fingerprint:
openssl x509 -noout -in torproject.pem -fingerprint -sha1
Get SHA-256 fingerprint:
openssl x509 -noout -in torproject.pem -fingerprint -sha256
Manually compare SHA-1 and SHA-256 fingerprints with torproject.org FAQ: SSL.
.
Optionally render the ca-certificates useless for testing purposes. Using curl here, but wget has a bug Bug and uses the ca-files anyway.
sudo mv /usr/share/ca-certificates /usr/share/ca-certificates_
Download with curl and the pinned certificate:
curl --cacert ./torproject.pem https://check.torproject.org/ > check.html
In tcsh:
echo | openssl s_client -connect host.example.com:443 |& openssl x509 -fingerprint -noout