How to verify self-signed certificate?












1















I use Net::Jabber::Client to send messages via XMPP.



The server I am connecting to uses self-signed certificate:



DEBUG: .../IO/Socket/SSL.pm:2853: new ctx 45728400

DEBUG: .../IO/Socket/SSL.pm:1540: start handshake

DEBUG: .../IO/Socket/SSL.pm:717: ssl handshake not started

DEBUG: .../IO/Socket/SSL.pm:750: using SNI with hostname my.host.name

DEBUG: .../IO/Socket/SSL.pm:785: request OCSP stapling

DEBUG: .../IO/Socket/SSL.pm:806: set socket to non-blocking to enforce timeout=10

DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect

DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1

DEBUG: .../IO/Socket/SSL.pm:832: ssl handshake in progress

DEBUG: .../IO/Socket/SSL.pm:842: waiting for fd to become ready: SSL wants a read first

DEBUG: .../IO/Socket/SSL.pm:862: socket ready, retrying connect

DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect

DEBUG: .../IO/Socket/SSL.pm:2754: did not get stapled OCSP response

DEBUG: .../IO/Socket/SSL.pm:2707: ok=0 [0] /CN=my.host.name/CN=my.host.name

DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1

DEBUG: .../IO/Socket/SSL.pm:825: SSL connect attempt failed



DEBUG: .../IO/Socket/SSL.pm:825: local error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:828: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:1963: downgrading SSL only, not closing socket

DEBUG: .../IO/Socket/SSL.pm:2875: free ctx 45728400 open=

DEBUG: .../IO/Socket/SSL.pm:2879: free ctx 45728400 callback

DEBUG: .../IO/Socket/SSL.pm:2886: OK free ctx 45728400


I have found that I can pass SSL_fingerprint and/or SSL_verifycn_name to pass verification of self-signed certificate.



To make it just work I hack this



my %ssl_params = (

    SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},

    SSL_hostname    => 'my.host.name',

    SSL_verifycn_name => 'my.host.name',

);


without success =(



I try to use ->get_fingerprint to obtain finger print and pass it to SSL_fingerprint parameter, but:



IO::Socket::SSL->start_SSL(

    $self->{SIDS}->{$sid}->{sock},

    $self->{SIDS}->{$sid}->{ssl_params}

) or die "$IO::Socket::SSL::SSL_ERROR";


fail with error:



SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at


Which option to pass to IO::Socket::SSL to verify self-signed certificate?






perl ssl ssl-certificate io-socket-ssl







share|improve this question























  • Try with SSL_ca_path/SSL_ca_file to set things with the specific certificate you get (but you will have to maintain that each time it changes). The checks on hostname happens after the CA check. You may see people advising to remove any checks with SSL_verify_mode => SSL_VERIFY_NONE but that would be a very dangerous idea, so not to follow.

    – Patrick Mevzek
    Nov 20 '18 at 19:56











  • @PatrickMevzek How is that more dangerous than trusting self-signed certificates?

    – melpomene
    Nov 20 '18 at 20:00






  • 1





    @melpomene The difference between trusting one specific certificate that you specifically added in your code/configuration (after having made sure it is the correct one) and trusting any random certificate that you know nothing about. TLS provides multiple guarantees and while people concentrate on integrity, in fact authentication is more important. Which is why removing any kind of authentication is almost always a bad idea, as in the end you can have an hypersecure confidential connection... to some endpoint that is not the one you think you connect to.

    – Patrick Mevzek
    Nov 20 '18 at 20:08


















1















I use Net::Jabber::Client to send messages via XMPP.



The server I am connecting to uses self-signed certificate:



DEBUG: .../IO/Socket/SSL.pm:2853: new ctx 45728400

DEBUG: .../IO/Socket/SSL.pm:1540: start handshake

DEBUG: .../IO/Socket/SSL.pm:717: ssl handshake not started

DEBUG: .../IO/Socket/SSL.pm:750: using SNI with hostname my.host.name

DEBUG: .../IO/Socket/SSL.pm:785: request OCSP stapling

DEBUG: .../IO/Socket/SSL.pm:806: set socket to non-blocking to enforce timeout=10

DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect

DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1

DEBUG: .../IO/Socket/SSL.pm:832: ssl handshake in progress

DEBUG: .../IO/Socket/SSL.pm:842: waiting for fd to become ready: SSL wants a read first

DEBUG: .../IO/Socket/SSL.pm:862: socket ready, retrying connect

DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect

DEBUG: .../IO/Socket/SSL.pm:2754: did not get stapled OCSP response

DEBUG: .../IO/Socket/SSL.pm:2707: ok=0 [0] /CN=my.host.name/CN=my.host.name

DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1

DEBUG: .../IO/Socket/SSL.pm:825: SSL connect attempt failed



DEBUG: .../IO/Socket/SSL.pm:825: local error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:828: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:1963: downgrading SSL only, not closing socket

DEBUG: .../IO/Socket/SSL.pm:2875: free ctx 45728400 open=

DEBUG: .../IO/Socket/SSL.pm:2879: free ctx 45728400 callback

DEBUG: .../IO/Socket/SSL.pm:2886: OK free ctx 45728400


I have found that I can pass SSL_fingerprint and/or SSL_verifycn_name to pass verification of self-signed certificate.



To make it just work I hack this



my %ssl_params = (

    SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},

    SSL_hostname    => 'my.host.name',

    SSL_verifycn_name => 'my.host.name',

);


without success =(



I try to use ->get_fingerprint to obtain finger print and pass it to SSL_fingerprint parameter, but:



IO::Socket::SSL->start_SSL(

    $self->{SIDS}->{$sid}->{sock},

    $self->{SIDS}->{$sid}->{ssl_params}

) or die "$IO::Socket::SSL::SSL_ERROR";


fail with error:



SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at


Which option to pass to IO::Socket::SSL to verify self-signed certificate?






perl ssl ssl-certificate io-socket-ssl







share|improve this question























  • Try with SSL_ca_path/SSL_ca_file to set things with the specific certificate you get (but you will have to maintain that each time it changes). The checks on hostname happens after the CA check. You may see people advising to remove any checks with SSL_verify_mode => SSL_VERIFY_NONE but that would be a very dangerous idea, so not to follow.

    – Patrick Mevzek
    Nov 20 '18 at 19:56











  • @PatrickMevzek How is that more dangerous than trusting self-signed certificates?

    – melpomene
    Nov 20 '18 at 20:00






  • 1





    @melpomene The difference between trusting one specific certificate that you specifically added in your code/configuration (after having made sure it is the correct one) and trusting any random certificate that you know nothing about. TLS provides multiple guarantees and while people concentrate on integrity, in fact authentication is more important. Which is why removing any kind of authentication is almost always a bad idea, as in the end you can have an hypersecure confidential connection... to some endpoint that is not the one you think you connect to.

    – Patrick Mevzek
    Nov 20 '18 at 20:08
















1












1








1








I use Net::Jabber::Client to send messages via XMPP.



The server I am connecting to uses self-signed certificate:



DEBUG: .../IO/Socket/SSL.pm:2853: new ctx 45728400

DEBUG: .../IO/Socket/SSL.pm:1540: start handshake

DEBUG: .../IO/Socket/SSL.pm:717: ssl handshake not started

DEBUG: .../IO/Socket/SSL.pm:750: using SNI with hostname my.host.name

DEBUG: .../IO/Socket/SSL.pm:785: request OCSP stapling

DEBUG: .../IO/Socket/SSL.pm:806: set socket to non-blocking to enforce timeout=10

DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect

DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1

DEBUG: .../IO/Socket/SSL.pm:832: ssl handshake in progress

DEBUG: .../IO/Socket/SSL.pm:842: waiting for fd to become ready: SSL wants a read first

DEBUG: .../IO/Socket/SSL.pm:862: socket ready, retrying connect

DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect

DEBUG: .../IO/Socket/SSL.pm:2754: did not get stapled OCSP response

DEBUG: .../IO/Socket/SSL.pm:2707: ok=0 [0] /CN=my.host.name/CN=my.host.name

DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1

DEBUG: .../IO/Socket/SSL.pm:825: SSL connect attempt failed



DEBUG: .../IO/Socket/SSL.pm:825: local error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:828: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:1963: downgrading SSL only, not closing socket

DEBUG: .../IO/Socket/SSL.pm:2875: free ctx 45728400 open=

DEBUG: .../IO/Socket/SSL.pm:2879: free ctx 45728400 callback

DEBUG: .../IO/Socket/SSL.pm:2886: OK free ctx 45728400


I have found that I can pass SSL_fingerprint and/or SSL_verifycn_name to pass verification of self-signed certificate.



To make it just work I hack this



my %ssl_params = (

    SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},

    SSL_hostname    => 'my.host.name',

    SSL_verifycn_name => 'my.host.name',

);


without success =(



I try to use ->get_fingerprint to obtain finger print and pass it to SSL_fingerprint parameter, but:



IO::Socket::SSL->start_SSL(

    $self->{SIDS}->{$sid}->{sock},

    $self->{SIDS}->{$sid}->{ssl_params}

) or die "$IO::Socket::SSL::SSL_ERROR";


fail with error:



SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at


Which option to pass to IO::Socket::SSL to verify self-signed certificate?






perl ssl ssl-certificate io-socket-ssl







share|improve this question














I use Net::Jabber::Client to send messages via XMPP.



The server I am connecting to uses self-signed certificate:



DEBUG: .../IO/Socket/SSL.pm:2853: new ctx 45728400

DEBUG: .../IO/Socket/SSL.pm:1540: start handshake

DEBUG: .../IO/Socket/SSL.pm:717: ssl handshake not started

DEBUG: .../IO/Socket/SSL.pm:750: using SNI with hostname my.host.name

DEBUG: .../IO/Socket/SSL.pm:785: request OCSP stapling

DEBUG: .../IO/Socket/SSL.pm:806: set socket to non-blocking to enforce timeout=10

DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect

DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1

DEBUG: .../IO/Socket/SSL.pm:832: ssl handshake in progress

DEBUG: .../IO/Socket/SSL.pm:842: waiting for fd to become ready: SSL wants a read first

DEBUG: .../IO/Socket/SSL.pm:862: socket ready, retrying connect

DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect

DEBUG: .../IO/Socket/SSL.pm:2754: did not get stapled OCSP response

DEBUG: .../IO/Socket/SSL.pm:2707: ok=0 [0] /CN=my.host.name/CN=my.host.name

DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1

DEBUG: .../IO/Socket/SSL.pm:825: SSL connect attempt failed



DEBUG: .../IO/Socket/SSL.pm:825: local error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:828: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:1963: downgrading SSL only, not closing socket

DEBUG: .../IO/Socket/SSL.pm:2875: free ctx 45728400 open=

DEBUG: .../IO/Socket/SSL.pm:2879: free ctx 45728400 callback

DEBUG: .../IO/Socket/SSL.pm:2886: OK free ctx 45728400


I have found that I can pass SSL_fingerprint and/or SSL_verifycn_name to pass verification of self-signed certificate.



To make it just work I hack this



my %ssl_params = (

    SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},

    SSL_hostname    => 'my.host.name',

    SSL_verifycn_name => 'my.host.name',

);


without success =(



I try to use ->get_fingerprint to obtain finger print and pass it to SSL_fingerprint parameter, but:



IO::Socket::SSL->start_SSL(

    $self->{SIDS}->{$sid}->{sock},

    $self->{SIDS}->{$sid}->{ssl_params}

) or die "$IO::Socket::SSL::SSL_ERROR";


fail with error:



SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at


Which option to pass to IO::Socket::SSL to verify self-signed certificate?






perl ssl ssl-certificate io-socket-ssl




perl ssl ssl-certificate io-socket-ssl






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 20 '18 at 19:30









Eugen KonkovEugen Konkov

5,89533861




5,89533861













  • Try with SSL_ca_path/SSL_ca_file to set things with the specific certificate you get (but you will have to maintain that each time it changes). The checks on hostname happens after the CA check. You may see people advising to remove any checks with SSL_verify_mode => SSL_VERIFY_NONE but that would be a very dangerous idea, so not to follow.

    – Patrick Mevzek
    Nov 20 '18 at 19:56











  • @PatrickMevzek How is that more dangerous than trusting self-signed certificates?

    – melpomene
    Nov 20 '18 at 20:00






  • 1





    @melpomene The difference between trusting one specific certificate that you specifically added in your code/configuration (after having made sure it is the correct one) and trusting any random certificate that you know nothing about. TLS provides multiple guarantees and while people concentrate on integrity, in fact authentication is more important. Which is why removing any kind of authentication is almost always a bad idea, as in the end you can have an hypersecure confidential connection... to some endpoint that is not the one you think you connect to.

    – Patrick Mevzek
    Nov 20 '18 at 20:08





















  • Try with SSL_ca_path/SSL_ca_file to set things with the specific certificate you get (but you will have to maintain that each time it changes). The checks on hostname happens after the CA check. You may see people advising to remove any checks with SSL_verify_mode => SSL_VERIFY_NONE but that would be a very dangerous idea, so not to follow.

    – Patrick Mevzek
    Nov 20 '18 at 19:56











  • @PatrickMevzek How is that more dangerous than trusting self-signed certificates?

    – melpomene
    Nov 20 '18 at 20:00






  • 1





    @melpomene The difference between trusting one specific certificate that you specifically added in your code/configuration (after having made sure it is the correct one) and trusting any random certificate that you know nothing about. TLS provides multiple guarantees and while people concentrate on integrity, in fact authentication is more important. Which is why removing any kind of authentication is almost always a bad idea, as in the end you can have an hypersecure confidential connection... to some endpoint that is not the one you think you connect to.

    – Patrick Mevzek
    Nov 20 '18 at 20:08



















Try with SSL_ca_path/SSL_ca_file to set things with the specific certificate you get (but you will have to maintain that each time it changes). The checks on hostname happens after the CA check. You may see people advising to remove any checks with SSL_verify_mode => SSL_VERIFY_NONE but that would be a very dangerous idea, so not to follow.

– Patrick Mevzek
Nov 20 '18 at 19:56





Try with SSL_ca_path/SSL_ca_file to set things with the specific certificate you get (but you will have to maintain that each time it changes). The checks on hostname happens after the CA check. You may see people advising to remove any checks with SSL_verify_mode => SSL_VERIFY_NONE but that would be a very dangerous idea, so not to follow.

– Patrick Mevzek
Nov 20 '18 at 19:56













@PatrickMevzek How is that more dangerous than trusting self-signed certificates?

– melpomene
Nov 20 '18 at 20:00





@PatrickMevzek How is that more dangerous than trusting self-signed certificates?

– melpomene
Nov 20 '18 at 20:00




1




1





@melpomene The difference between trusting one specific certificate that you specifically added in your code/configuration (after having made sure it is the correct one) and trusting any random certificate that you know nothing about. TLS provides multiple guarantees and while people concentrate on integrity, in fact authentication is more important. Which is why removing any kind of authentication is almost always a bad idea, as in the end you can have an hypersecure confidential connection... to some endpoint that is not the one you think you connect to.

– Patrick Mevzek
Nov 20 '18 at 20:08







@melpomene The difference between trusting one specific certificate that you specifically added in your code/configuration (after having made sure it is the correct one) and trusting any random certificate that you know nothing about. TLS provides multiple guarantees and while people concentrate on integrity, in fact authentication is more important. Which is why removing any kind of authentication is almost always a bad idea, as in the end you can have an hypersecure confidential connection... to some endpoint that is not the one you think you connect to.

– Patrick Mevzek
Nov 20 '18 at 20:08














2 Answers
2






active

oldest

votes


















2














Using the fingerprint is probably the easiest way to verify a self-signed certificate which is in your own control. When using SSL_fingerprint it will not care about any other kind of validations, i.e. not check the name, revocation, expiration etc anymore - so if you want to have checks for this too you should not use SSL_fingerprint.



Getting the fingerprint of a site can be done by connecting to the site once without validation (since you have no trust in the certificate yet) and getting the fingerprint or by getting the fingerprint from the certificate directly.



To get the fingerprint by asking the server, assuming that the connection is not intercepted so that you get the correct fingerprint:



use IO::Socket::SSL;

print IO::Socket::SSL->new(

    PeerHost => 'example.com:443',

    # switch off validation since the certificate is not trusted yet

    SSL_verify_mode => SSL_VERIFY_NONE,

)->get_fingerprint,"n";


This currently gives sha256$642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040 which can be directly used as argument for SSL_fingerprint.



If you have instead the certificate for the site already you can compute the fingerprint directly on it:



# get the certificate

$ openssl s_client -connect example.com:443 -servername example.com 

...

-----BEGIN CERTIFICATE-----

MIIF8jCCBNqgAwIBAgIQDmTF+8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw

...

-----END CERTIFICATE-----



# take this PEM certificate and get fingerprint

$ openssl x509 -fingerprint -sha256 -noout -in cert.pem

SHA256 Fingerprint=64:2D:E5:4D:84:C3:04:94:15:7F:53:F6:57:BF:9F:89:B4:EA:6C:8B:16:35:1F:D7:EC:25:8D:55:6F:82:10:40


The shown fingerprint is practically the same as before, only written in a different way. By removing all ':' (which are only there for readability) one gets 642DE5....1040 and by prefixing it with the used hash algorithm sha256 one gets something to be usable in SSL_fingerprint: sha256$642DE5...1040.



To use the fingerprint then to connect to the site:



my $cl = IO::Socket::SSL->new(

    PeerHost => 'example.com:443',

    SSL_fingerprint => 'sha256$642DE5...1040'

);





share|improve this answer































    1














    IO::Socket::SSL can verify self signed certificate only if it trusts the certificate authority file that you use to self sign the certificate.



    I think you need to pass proper SSL_ca_file or SSL_ca_path to IO::Socket::SSL so that certificate authority file is accessible to it. This is the first thing mentioned in common usage errors section of IO::Socket::SSL docs.






    share|improve this answer


























    • yes, but How to get cert's pubkey and save it locally If I only have access to host:port of service. To trust this self-signed certificate I can pine it by set SSL_fingerprint. But connection, as you can see, is not established: SSL connect attempt failed. today hoster give me pubkey and its finger print: SHA256 Fingerprint=E0:3F:F1:4E:06:18:F7:93:34:6F:91:77:7F:C0:9E:3A:CF:93:F5:BC:12:71:38:30:AC:87:5E:21:7E:CB:7A:58

      – Eugen Konkov
      Nov 21 '18 at 11:43











    • But this format is differ from IO::Socket::SSL module format.

      – Eugen Konkov
      Nov 21 '18 at 11:43






    • 1





      unix.stackexchange.com/questions/368123/… might help you in extracting the certificate authority files from the web service. I searched google for "get ca file from website".

      – pii_ke
      Nov 22 '18 at 6:27






    • 1





      Otherwise you can try using something like SSL_verify_mode => SSL_VERIFY_NONE, which might make things work. In this mode communication will be encrypted but it will not verify the identity of the server that it is talking with, so impersonation or man-in-the-middle attacks may not be detected.

      – pii_ke
      Nov 22 '18 at 6:34













    • Thanks. I have found the way how to extract cert. As you can see the fingerprint format is not suitable for IO::Socket::SSL module. I convert it manually =(

      – Eugen Konkov
      Nov 22 '18 at 9:02











    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53400241%2fhow-to-verify-self-signed-certificate%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    2














    Using the fingerprint is probably the easiest way to verify a self-signed certificate which is in your own control. When using SSL_fingerprint it will not care about any other kind of validations, i.e. not check the name, revocation, expiration etc anymore - so if you want to have checks for this too you should not use SSL_fingerprint.



    Getting the fingerprint of a site can be done by connecting to the site once without validation (since you have no trust in the certificate yet) and getting the fingerprint or by getting the fingerprint from the certificate directly.



    To get the fingerprint by asking the server, assuming that the connection is not intercepted so that you get the correct fingerprint:



    use IO::Socket::SSL;
    
print IO::Socket::SSL->new(
    
    PeerHost => 'example.com:443',
    
    # switch off validation since the certificate is not trusted yet
    
    SSL_verify_mode => SSL_VERIFY_NONE,
    
)->get_fingerprint,"n";


    This currently gives sha256$642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040 which can be directly used as argument for SSL_fingerprint.



    If you have instead the certificate for the site already you can compute the fingerprint directly on it:



    # get the certificate
    
$ openssl s_client -connect example.com:443 -servername example.com 
    
...
    
-----BEGIN CERTIFICATE-----
    
MIIF8jCCBNqgAwIBAgIQDmTF+8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw
    
...
    
-----END CERTIFICATE-----
    

    
# take this PEM certificate and get fingerprint
    
$ openssl x509 -fingerprint -sha256 -noout -in cert.pem
    
SHA256 Fingerprint=64:2D:E5:4D:84:C3:04:94:15:7F:53:F6:57:BF:9F:89:B4:EA:6C:8B:16:35:1F:D7:EC:25:8D:55:6F:82:10:40


    The shown fingerprint is practically the same as before, only written in a different way. By removing all ':' (which are only there for readability) one gets 642DE5....1040 and by prefixing it with the used hash algorithm sha256 one gets something to be usable in SSL_fingerprint: sha256$642DE5...1040.



    To use the fingerprint then to connect to the site:



    my $cl = IO::Socket::SSL->new(
    
    PeerHost => 'example.com:443',
    
    SSL_fingerprint => 'sha256$642DE5...1040'
    
);





    share|improve this answer




























      2














      Using the fingerprint is probably the easiest way to verify a self-signed certificate which is in your own control. When using SSL_fingerprint it will not care about any other kind of validations, i.e. not check the name, revocation, expiration etc anymore - so if you want to have checks for this too you should not use SSL_fingerprint.



      Getting the fingerprint of a site can be done by connecting to the site once without validation (since you have no trust in the certificate yet) and getting the fingerprint or by getting the fingerprint from the certificate directly.



      To get the fingerprint by asking the server, assuming that the connection is not intercepted so that you get the correct fingerprint:



      use IO::Socket::SSL;
      
print IO::Socket::SSL->new(
      
    PeerHost => 'example.com:443',
      
    # switch off validation since the certificate is not trusted yet
      
    SSL_verify_mode => SSL_VERIFY_NONE,
      
)->get_fingerprint,"n";


      This currently gives sha256$642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040 which can be directly used as argument for SSL_fingerprint.



      If you have instead the certificate for the site already you can compute the fingerprint directly on it:



      # get the certificate
      
$ openssl s_client -connect example.com:443 -servername example.com 
      
...
      
-----BEGIN CERTIFICATE-----
      
MIIF8jCCBNqgAwIBAgIQDmTF+8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw
      
...
      
-----END CERTIFICATE-----
      

      
# take this PEM certificate and get fingerprint
      
$ openssl x509 -fingerprint -sha256 -noout -in cert.pem
      
SHA256 Fingerprint=64:2D:E5:4D:84:C3:04:94:15:7F:53:F6:57:BF:9F:89:B4:EA:6C:8B:16:35:1F:D7:EC:25:8D:55:6F:82:10:40


      The shown fingerprint is practically the same as before, only written in a different way. By removing all ':' (which are only there for readability) one gets 642DE5....1040 and by prefixing it with the used hash algorithm sha256 one gets something to be usable in SSL_fingerprint: sha256$642DE5...1040.



      To use the fingerprint then to connect to the site:



      my $cl = IO::Socket::SSL->new(
      
    PeerHost => 'example.com:443',
      
    SSL_fingerprint => 'sha256$642DE5...1040'
      
);





      share|improve this answer


























        2












        2








        2







        Using the fingerprint is probably the easiest way to verify a self-signed certificate which is in your own control. When using SSL_fingerprint it will not care about any other kind of validations, i.e. not check the name, revocation, expiration etc anymore - so if you want to have checks for this too you should not use SSL_fingerprint.



        Getting the fingerprint of a site can be done by connecting to the site once without validation (since you have no trust in the certificate yet) and getting the fingerprint or by getting the fingerprint from the certificate directly.



        To get the fingerprint by asking the server, assuming that the connection is not intercepted so that you get the correct fingerprint:



        use IO::Socket::SSL;
        
print IO::Socket::SSL->new(
        
    PeerHost => 'example.com:443',
        
    # switch off validation since the certificate is not trusted yet
        
    SSL_verify_mode => SSL_VERIFY_NONE,
        
)->get_fingerprint,"n";


        This currently gives sha256$642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040 which can be directly used as argument for SSL_fingerprint.



        If you have instead the certificate for the site already you can compute the fingerprint directly on it:



        # get the certificate
        
$ openssl s_client -connect example.com:443 -servername example.com 
        
...
        
-----BEGIN CERTIFICATE-----
        
MIIF8jCCBNqgAwIBAgIQDmTF+8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw
        
...
        
-----END CERTIFICATE-----
        

        
# take this PEM certificate and get fingerprint
        
$ openssl x509 -fingerprint -sha256 -noout -in cert.pem
        
SHA256 Fingerprint=64:2D:E5:4D:84:C3:04:94:15:7F:53:F6:57:BF:9F:89:B4:EA:6C:8B:16:35:1F:D7:EC:25:8D:55:6F:82:10:40


        The shown fingerprint is practically the same as before, only written in a different way. By removing all ':' (which are only there for readability) one gets 642DE5....1040 and by prefixing it with the used hash algorithm sha256 one gets something to be usable in SSL_fingerprint: sha256$642DE5...1040.



        To use the fingerprint then to connect to the site:



        my $cl = IO::Socket::SSL->new(
        
    PeerHost => 'example.com:443',
        
    SSL_fingerprint => 'sha256$642DE5...1040'
        
);





        share|improve this answer













        Using the fingerprint is probably the easiest way to verify a self-signed certificate which is in your own control. When using SSL_fingerprint it will not care about any other kind of validations, i.e. not check the name, revocation, expiration etc anymore - so if you want to have checks for this too you should not use SSL_fingerprint.



        Getting the fingerprint of a site can be done by connecting to the site once without validation (since you have no trust in the certificate yet) and getting the fingerprint or by getting the fingerprint from the certificate directly.



        To get the fingerprint by asking the server, assuming that the connection is not intercepted so that you get the correct fingerprint:



        use IO::Socket::SSL;
        
print IO::Socket::SSL->new(
        
    PeerHost => 'example.com:443',
        
    # switch off validation since the certificate is not trusted yet
        
    SSL_verify_mode => SSL_VERIFY_NONE,
        
)->get_fingerprint,"n";


        This currently gives sha256$642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040 which can be directly used as argument for SSL_fingerprint.



        If you have instead the certificate for the site already you can compute the fingerprint directly on it:



        # get the certificate
        
$ openssl s_client -connect example.com:443 -servername example.com 
        
...
        
-----BEGIN CERTIFICATE-----
        
MIIF8jCCBNqgAwIBAgIQDmTF+8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw
        
...
        
-----END CERTIFICATE-----
        

        
# take this PEM certificate and get fingerprint
        
$ openssl x509 -fingerprint -sha256 -noout -in cert.pem
        
SHA256 Fingerprint=64:2D:E5:4D:84:C3:04:94:15:7F:53:F6:57:BF:9F:89:B4:EA:6C:8B:16:35:1F:D7:EC:25:8D:55:6F:82:10:40


        The shown fingerprint is practically the same as before, only written in a different way. By removing all ':' (which are only there for readability) one gets 642DE5....1040 and by prefixing it with the used hash algorithm sha256 one gets something to be usable in SSL_fingerprint: sha256$642DE5...1040.



        To use the fingerprint then to connect to the site:



        my $cl = IO::Socket::SSL->new(
        
    PeerHost => 'example.com:443',
        
    SSL_fingerprint => 'sha256$642DE5...1040'
        
);






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 23 '18 at 4:14









        Steffen UllrichSteffen Ullrich

        60.6k35898




        60.6k35898

























            1














            IO::Socket::SSL can verify self signed certificate only if it trusts the certificate authority file that you use to self sign the certificate.



            I think you need to pass proper SSL_ca_file or SSL_ca_path to IO::Socket::SSL so that certificate authority file is accessible to it. This is the first thing mentioned in common usage errors section of IO::Socket::SSL docs.






            share|improve this answer


























            • yes, but How to get cert's pubkey and save it locally If I only have access to host:port of service. To trust this self-signed certificate I can pine it by set SSL_fingerprint. But connection, as you can see, is not established: SSL connect attempt failed. today hoster give me pubkey and its finger print: SHA256 Fingerprint=E0:3F:F1:4E:06:18:F7:93:34:6F:91:77:7F:C0:9E:3A:CF:93:F5:BC:12:71:38:30:AC:87:5E:21:7E:CB:7A:58

              – Eugen Konkov
              Nov 21 '18 at 11:43











            • But this format is differ from IO::Socket::SSL module format.

              – Eugen Konkov
              Nov 21 '18 at 11:43






            • 1





              unix.stackexchange.com/questions/368123/… might help you in extracting the certificate authority files from the web service. I searched google for "get ca file from website".

              – pii_ke
              Nov 22 '18 at 6:27






            • 1





              Otherwise you can try using something like SSL_verify_mode => SSL_VERIFY_NONE, which might make things work. In this mode communication will be encrypted but it will not verify the identity of the server that it is talking with, so impersonation or man-in-the-middle attacks may not be detected.

              – pii_ke
              Nov 22 '18 at 6:34













            • Thanks. I have found the way how to extract cert. As you can see the fingerprint format is not suitable for IO::Socket::SSL module. I convert it manually =(

              – Eugen Konkov
              Nov 22 '18 at 9:02
















            1














            IO::Socket::SSL can verify self signed certificate only if it trusts the certificate authority file that you use to self sign the certificate.



            I think you need to pass proper SSL_ca_file or SSL_ca_path to IO::Socket::SSL so that certificate authority file is accessible to it. This is the first thing mentioned in common usage errors section of IO::Socket::SSL docs.






            share|improve this answer


























            • yes, but How to get cert's pubkey and save it locally If I only have access to host:port of service. To trust this self-signed certificate I can pine it by set SSL_fingerprint. But connection, as you can see, is not established: SSL connect attempt failed. today hoster give me pubkey and its finger print: SHA256 Fingerprint=E0:3F:F1:4E:06:18:F7:93:34:6F:91:77:7F:C0:9E:3A:CF:93:F5:BC:12:71:38:30:AC:87:5E:21:7E:CB:7A:58

              – Eugen Konkov
              Nov 21 '18 at 11:43











            • But this format is differ from IO::Socket::SSL module format.

              – Eugen Konkov
              Nov 21 '18 at 11:43






            • 1





              unix.stackexchange.com/questions/368123/… might help you in extracting the certificate authority files from the web service. I searched google for "get ca file from website".

              – pii_ke
              Nov 22 '18 at 6:27






            • 1





              Otherwise you can try using something like SSL_verify_mode => SSL_VERIFY_NONE, which might make things work. In this mode communication will be encrypted but it will not verify the identity of the server that it is talking with, so impersonation or man-in-the-middle attacks may not be detected.

              – pii_ke
              Nov 22 '18 at 6:34













            • Thanks. I have found the way how to extract cert. As you can see the fingerprint format is not suitable for IO::Socket::SSL module. I convert it manually =(

              – Eugen Konkov
              Nov 22 '18 at 9:02














            1












            1








            1







            IO::Socket::SSL can verify self signed certificate only if it trusts the certificate authority file that you use to self sign the certificate.



            I think you need to pass proper SSL_ca_file or SSL_ca_path to IO::Socket::SSL so that certificate authority file is accessible to it. This is the first thing mentioned in common usage errors section of IO::Socket::SSL docs.






            share|improve this answer















            IO::Socket::SSL can verify self signed certificate only if it trusts the certificate authority file that you use to self sign the certificate.



            I think you need to pass proper SSL_ca_file or SSL_ca_path to IO::Socket::SSL so that certificate authority file is accessible to it. This is the first thing mentioned in common usage errors section of IO::Socket::SSL docs.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Nov 20 '18 at 20:17

























            answered Nov 20 '18 at 20:03









            pii_kepii_ke

            1,2201019




            1,2201019













            • yes, but How to get cert's pubkey and save it locally If I only have access to host:port of service. To trust this self-signed certificate I can pine it by set SSL_fingerprint. But connection, as you can see, is not established: SSL connect attempt failed. today hoster give me pubkey and its finger print: SHA256 Fingerprint=E0:3F:F1:4E:06:18:F7:93:34:6F:91:77:7F:C0:9E:3A:CF:93:F5:BC:12:71:38:30:AC:87:5E:21:7E:CB:7A:58

              – Eugen Konkov
              Nov 21 '18 at 11:43











            • But this format is differ from IO::Socket::SSL module format.

              – Eugen Konkov
              Nov 21 '18 at 11:43






            • 1





              unix.stackexchange.com/questions/368123/… might help you in extracting the certificate authority files from the web service. I searched google for "get ca file from website".

              – pii_ke
              Nov 22 '18 at 6:27






            • 1





              Otherwise you can try using something like SSL_verify_mode => SSL_VERIFY_NONE, which might make things work. In this mode communication will be encrypted but it will not verify the identity of the server that it is talking with, so impersonation or man-in-the-middle attacks may not be detected.

              – pii_ke
              Nov 22 '18 at 6:34













            • Thanks. I have found the way how to extract cert. As you can see the fingerprint format is not suitable for IO::Socket::SSL module. I convert it manually =(

              – Eugen Konkov
              Nov 22 '18 at 9:02



















            • yes, but How to get cert's pubkey and save it locally If I only have access to host:port of service. To trust this self-signed certificate I can pine it by set SSL_fingerprint. But connection, as you can see, is not established: SSL connect attempt failed. today hoster give me pubkey and its finger print: SHA256 Fingerprint=E0:3F:F1:4E:06:18:F7:93:34:6F:91:77:7F:C0:9E:3A:CF:93:F5:BC:12:71:38:30:AC:87:5E:21:7E:CB:7A:58

              – Eugen Konkov
              Nov 21 '18 at 11:43











            • But this format is differ from IO::Socket::SSL module format.

              – Eugen Konkov
              Nov 21 '18 at 11:43






            • 1





              unix.stackexchange.com/questions/368123/… might help you in extracting the certificate authority files from the web service. I searched google for "get ca file from website".

              – pii_ke
              Nov 22 '18 at 6:27






            • 1





              Otherwise you can try using something like SSL_verify_mode => SSL_VERIFY_NONE, which might make things work. In this mode communication will be encrypted but it will not verify the identity of the server that it is talking with, so impersonation or man-in-the-middle attacks may not be detected.

              – pii_ke
              Nov 22 '18 at 6:34













            • Thanks. I have found the way how to extract cert. As you can see the fingerprint format is not suitable for IO::Socket::SSL module. I convert it manually =(

              – Eugen Konkov
              Nov 22 '18 at 9:02

















            yes, but How to get cert's pubkey and save it locally If I only have access to host:port of service. To trust this self-signed certificate I can pine it by set SSL_fingerprint. But connection, as you can see, is not established: SSL connect attempt failed. today hoster give me pubkey and its finger print: SHA256 Fingerprint=E0:3F:F1:4E:06:18:F7:93:34:6F:91:77:7F:C0:9E:3A:CF:93:F5:BC:12:71:38:30:AC:87:5E:21:7E:CB:7A:58

            – Eugen Konkov
            Nov 21 '18 at 11:43





            yes, but How to get cert's pubkey and save it locally If I only have access to host:port of service. To trust this self-signed certificate I can pine it by set SSL_fingerprint. But connection, as you can see, is not established: SSL connect attempt failed. today hoster give me pubkey and its finger print: SHA256 Fingerprint=E0:3F:F1:4E:06:18:F7:93:34:6F:91:77:7F:C0:9E:3A:CF:93:F5:BC:12:71:38:30:AC:87:5E:21:7E:CB:7A:58

            – Eugen Konkov
            Nov 21 '18 at 11:43













            But this format is differ from IO::Socket::SSL module format.

            – Eugen Konkov
            Nov 21 '18 at 11:43





            But this format is differ from IO::Socket::SSL module format.

            – Eugen Konkov
            Nov 21 '18 at 11:43




            1




            1





            unix.stackexchange.com/questions/368123/… might help you in extracting the certificate authority files from the web service. I searched google for "get ca file from website".

            – pii_ke
            Nov 22 '18 at 6:27





            unix.stackexchange.com/questions/368123/… might help you in extracting the certificate authority files from the web service. I searched google for "get ca file from website".

            – pii_ke
            Nov 22 '18 at 6:27




            1




            1





            Otherwise you can try using something like SSL_verify_mode => SSL_VERIFY_NONE, which might make things work. In this mode communication will be encrypted but it will not verify the identity of the server that it is talking with, so impersonation or man-in-the-middle attacks may not be detected.

            – pii_ke
            Nov 22 '18 at 6:34







            Otherwise you can try using something like SSL_verify_mode => SSL_VERIFY_NONE, which might make things work. In this mode communication will be encrypted but it will not verify the identity of the server that it is talking with, so impersonation or man-in-the-middle attacks may not be detected.

            – pii_ke
            Nov 22 '18 at 6:34















            Thanks. I have found the way how to extract cert. As you can see the fingerprint format is not suitable for IO::Socket::SSL module. I convert it manually =(

            – Eugen Konkov
            Nov 22 '18 at 9:02





            Thanks. I have found the way how to extract cert. As you can see the fingerprint format is not suitable for IO::Socket::SSL module. I convert it manually =(

            – Eugen Konkov
            Nov 22 '18 at 9:02


















            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53400241%2fhow-to-verify-self-signed-certificate%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            MongoDB - Not Authorized To Execute Command

            Image
            .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I have successfully enabled authorization on MongoDB and I have created an account on the admin database and then I created an account for my database called test. The following connection string to connect to my test database works successfully: mongo --host 192.168.17.52 --port 27017 -u user1 -p password --authenticationDatabase test Only problem I have now is, I cannot execute commands such as: show dbs. I get the following error when I try to do so: "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, lsid: { id: UUID("a1d5bc0d-bc58-485e-b232-270758a89455") }, $db: "admin...
            Read more

            in spring boot 2.1 many test slices are not allowed anymore due to multiple @BootstrapWith

            Image
            1 I tried to upgrade a yummy sandwich made of two test slices (@JsonTest and @JdbcTest in my case, crunchy test code in between) adding spring boot 2.1 flavour to it. But it seems it was not much of a success. I cannot annotate my tests with many @...Test since they are now each bringing their own XxxTestContextBootstrapper. It used to work when they all used same SpringBootTestContextBootstrapper. @RunWith(SpringRunner.class) @JdbcTest @JsonTest public class Test { @Test public void test() { System.out.printn("Hello, World !"); } } The error I get from BootstrapUtils is illegalStateException : Configuration error: found multiple declarations of @BootstrapWith for test class I understand I might be doing something wrong here but is there an easy way I could load both Json and Jdbc contex...
            Read more

            How to fix TextFormField cause rebuild widget in Flutter

            Image
            .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I've got the same issue at #9280. I tried all solutions from that topic with/without GlobalKey for Scaffold and Form but the problem wasn't fixed. I tried to build a authentication form with login and signup. But the keyboard doesn't show when I tap the TextFormField at the first time. Then I try to input some letter from physical keyboard, the widget is rebuilt. Like this: login screen Nothing to be log when I run flutter run --verbose, so I logged manually. Every tapping on field, the widget called dispose -> init -> build. [√] Flutter (Channel beta, v1.0.0, on Microsoft Windows [Version 10.0.17763.195], ...
            Read more