Obtain the Base64-encoded SHA256 hash of a server's public key (via OpenSSL) for use with `curl`'s `--pinnedpubkey`
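#!/usr/bin/env bash
# Derive the value for curl's --pinnedpubkey ("sha256//<base64>") from the
# certificate a TLS server presents, and keep the certificate, its public key
# and its fingerprint on disk for reference.
#
# Inputs (override via environment):
#   HOST    - server name; used for the TCP connect and for SNI (default: server.domain.com)
#   PORT    - TLS port (default: 443)
#   CA_FILE - CA bundle used to verify the presented chain (default: ca.crt)
# Outputs (current directory):
#   server.crt         - leaf certificate, PEM
#   server.pub         - leaf public key, PEM
#   server.fingerprint - fingerprint line as printed by `openssl x509 -fingerprint`
# Prints the base64 SHA256 of the DER-encoded public key on stdout.
set -euo pipefail

host=${HOST:-server.domain.com}
port=${PORT:-443}
ca_file=${CA_FILE:-ca.crt}

# Obtaining server certificate.
# -servername sends SNI; without it many servers abort the handshake
# ("ssl handshake failure" / "no peer certificate available"), so it is passed
# unconditionally instead of only as a fallback. stderr is silenced because
# s_client is chatty; if this pipeline fails under pipefail, rerun it without
# the `2> /dev/null` to see s_client's diagnostics.
openssl s_client -CAfile "$ca_file" -servername "$host" -connect "${host}:${port}" \
  < /dev/null 2> /dev/null \
  | openssl x509 -outform PEM > server.crt

# Obtaining server public key, taken from the certificate already saved so the
# server is not contacted a second time. It is written to server.pub because the
# next step reads that file (previously the key went to stdout and server.pub
# was never created).
openssl x509 -in server.crt -pubkey -noout > server.pub

# Obtaining base64 encoded, SHA256 hash of pub key.
# `openssl pkey -outform DER` replaces stripping the PEM armour with sed and
# base64 -d; the digest is over the DER SubjectPublicKeyInfo, which is what curl
# compares. Line breaks are removed with tr rather than `base64 -w 0` because -w
# is GNU-only (BSD/macOS base64 has no -w and does not wrap short output).
pin=$(openssl pkey -pubin -in server.pub -outform DER \
  | openssl dgst -sha256 -binary \
  | base64 | tr -d '\n')
printf '%s\n' "$pin"

# Obtaining fingerprint from cert (file renamed from the leftover
# "leanplum.fingerprint" to match the other server.* outputs).
openssl x509 -noout -in server.crt -fingerprint > server.fingerprint

# Using it with curl. The pin was computed from whatever certificate the network
# returned; compare it with a value published by the server's operator before
# relying on it, otherwise an interposed certificate would be pinned instead.
curl -vv --cacert "$ca_file" --pinnedpubkey "sha256//${pin}" "https://${host}"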