How to verify the SSL fingerprint by command line? (wget, curl, ...)

security ssl curl wget

Source

Install required software:

apt-get install ca-certificates curl

Download the public SSL certificate:

openssl s_client -connect torproject.org:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt >./x.cert </dev/null

Or better:

echo -n | openssl s_client -connect torproject.org:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./torproject.pem

Get SHA-1 fingerprint:

openssl x509 -noout -in torproject.pem -fingerprint -sha1

Get SHA-256 fingerprint:

openssl x509 -noout -in torproject.pem -fingerprint -sha256

Manually compare SHA-1 and SHA-256 fingerprints with torproject.org FAQ: SSL.

.

Optionally render the ca-certificates useless for testing purposes. Using curl here, but wget has a bug Bug and uses the ca-files anyway.

sudo mv /usr/share/ca-certificates /usr/share/ca-certificates_

Download with curl and the pinned certificate:

curl --cacert ./torproject.pem https://check.torproject.org/ > check.html

In tcsh:

echo | openssl s_client -connect host.example.com:443 |& openssl x509 -fingerprint -noout

Related

What do I do if Ubuntu 16.04 freezes, but I can move only the mouse? [duplicate]
Where can I find the application executables in the filesystem?
How do I give www-data user to a folder in my home folder?
imagemagick - convert not allowed [duplicate]
Basic Ubuntu FTP Server
Using "while read..." in a linux script
Remote logging with Syslogd, can I change the hostname?
Is there a way of disabled byte-range requests in Apache?
How to redirect from FR to COM when using HTTPS [duplicate]
SSH and port forward socks proxy
Multiple broadband providers for internal web servers
Is there a free service to host failover pages? [closed]