How to verify the SSL fingerprint by command line? (wget, curl, ...)

Source

Install required software:

apt-get install ca-certificates curl

Download the public SSL certificate:

openssl s_client -connect torproject.org:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt >./x.cert </dev/null

Or better:

echo -n | openssl s_client -connect torproject.org:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./torproject.pem

Get SHA-1 fingerprint:

openssl x509 -noout -in torproject.pem -fingerprint -sha1

Get SHA-256 fingerprint:

openssl x509 -noout -in torproject.pem -fingerprint -sha256

Manually compare SHA-1 and SHA-256 fingerprints with torproject.org FAQ: SSL.

.

Optionally render the ca-certificates useless for testing purposes. Using curl here, but wget has a bug Bug and uses the ca-files anyway.

sudo mv /usr/share/ca-certificates /usr/share/ca-certificates_

Download with curl and the pinned certificate:

curl --cacert ./torproject.pem https://check.torproject.org/ > check.html

In tcsh:

echo | openssl s_client -connect host.example.com:443 |& openssl x509 -fingerprint -noout