[GTALUG] SSL Server Certificate

William Park opengeometry at yahoo.ca
Mon Jul 16 23:38:38 EDT 2018 

Off-tangent... Can someone do a talk on "SSL/TLS Certificate" for users,
sysadmin, and application programmers level?  Like,
    - how to create certificate
    - what fields to populate when create certificate.  It seems to
      be sensitive to expiry date, certain fields, etc.
    - how to install them, at server side and at client side.

I understand SSH private/public keys.  But, for the life of me, I don't
understand SSL/TLS or OpenSSL package.
-- 
William Park <opengeometry at yahoo.ca>

On Mon, Jul 16, 2018 at 09:16:48PM -0400, Peter King via talk wrote:
> I'm puzzled about how to set up server certificate validation in getting
> my email, which isn't surprising given that I understand next to nothing
> about the way certificates work.
> 
> Here's the particular issue.  I want to check over ssl/tls to see that the
> server certificate is valid, and that it matches a fingerprint I have for
> it.  So, I know just enough to get the certificate from the server, in this
> case from Google:
> 
>   $ openssl s_client -connect pop.gmail.com:995 -showcerts > ~/gmail.openssl.txt
> 
> By inspection I can see that the certificate is provided by GlobalSign.  So
> I do a quick check:
> 
>   $ ls -l /etc/ssl/certs/GlobalSign*
> 
> Lo and behold, there is an obvious hit: GlobalSign_Root_CA.pem.  So I put
> that down as the certificate for the server.
> 
> Then, I can get the fingerprint for it from the same file, like so:
> 
>    $ openssl x509 -fingerprint -sha256 -noout -in ~/gmail.openssl.txt > gmail.fingerprint.txt
> 
> (Getmail uses sha256 as its preferred algorithm.)  I take the fingerprint
> from the file and use that to certify the server.
> 
> 
> Thing is, the technique doesn't work.  First I get an unhelpful error
> message saying that the certificate, GlobalSign_Root_CA.pem, gives an
> authentication error.  Well, okay.  If I take that out of the equation
> I then get told that the fingerprint is wrong, but this time at least
> I'm told what the correct fingerprint is -- and if I put the correct one
> in all seems well.
> 
> The example above is about gmail, but I have the same problem with rogers
> and other servers.  Oddly, the Office365 servers work exactly as they
> should.
> 
> Two questions, which most of you undoubtedly know the answer to:
> 
> [1] If the email gets fetched with the fingerprint, is there any need for
>     validating the server certificate?
> 
> [2] How can I find out what the correct server certificate is?
> 
> 
> -- 
> Peter King			 	peter.king at utoronto.ca
> Department of Philosophy
> 170 St. George Street #521
> The University of Toronto		   (416)-978-3311 dept
> Toronto, ON  M5R 2M8
>        CANADA
> 
> http://individual.utoronto.ca/pking/
> 
> =========================================================================
> GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC  36F5 1FE6 D32A 7587 EC42)
> gpg --keyserver pgp.mit.edu --recv-keys 7587EC42



> ---
> Talk Mailing List
> talk at gtalug.org
> https://gtalug.org/mailman/listinfo/talk

More information about the talk mailing list