[GTALUG] SSL Server Certificate
William Park
opengeometry at yahoo.ca
Mon Jul 16 23:38:38 EDT 2018
Off-tangent... Can someone do a talk on "SSL/TLS Certificate" for users,
sysadmin, and application programmers level? Like,
- how to create certificate
- what fields to populate when create certificate. It seems to
be sensitive to expiry date, certain fields, etc.
- how to install them, at server side and at client side.
I understand SSH private/public keys. But, for the life of me, I don't
understand SSL/TLS or OpenSSL package.
--
William Park <opengeometry at yahoo.ca>
On Mon, Jul 16, 2018 at 09:16:48PM -0400, Peter King via talk wrote:
> I'm puzzled about how to set up server certificate validation in getting
> my email, which isn't surprising given that I understand next to nothing
> about the way certificates work.
>
> Here's the particular issue. I want to check over ssl/tls to see that the
> server certificate is valid, and that it matches a fingerprint I have for
> it. So, I know just enough to get the certificate from the server, in this
> case from Google:
>
> $ openssl s_client -connect pop.gmail.com:995 -showcerts > ~/gmail.openssl.txt
>
> By inspection I can see that the certificate is provided by GlobalSign. So
> I do a quick check:
>
> $ ls -l /etc/ssl/certs/GlobalSign*
>
> Lo and behold, there is an obvious hit: GlobalSign_Root_CA.pem. So I put
> that down as the certificate for the server.
>
> Then, I can get the fingerprint for it from the same file, like so:
>
> $ openssl x509 -fingerprint -sha256 -noout -in ~/gmail.openssl.txt > gmail.fingerprint.txt
>
> (Getmail uses sha256 as its preferred algorithm.) I take the fingerprint
> from the file and use that to certify the server.
>
>
> Thing is, the technique doesn't work. First I get an unhelpful error
> message saying that the certificate, GlobalSign_Root_CA.pem, gives an
> authentication error. Well, okay. If I take that out of the equation
> I then get told that the fingerprint is wrong, but this time at least
> I'm told what the correct fingerprint is -- and if I put the correct one
> in all seems well.
>
> The example above is about gmail, but I have the same problem with rogers
> and other servers. Oddly, the Office365 servers work exactly as they
> should.
>
> Two questions, which most of you undoubtedly know the answer to:
>
> [1] If the email gets fetched with the fingerprint, is there any need for
> validating the server certificate?
>
> [2] How can I find out what the correct server certificate is?
>
>
> --
> Peter King peter.king at utoronto.ca
> Department of Philosophy
> 170 St. George Street #521
> The University of Toronto (416)-978-3311 dept
> Toronto, ON M5R 2M8
> CANADA
>
> http://individual.utoronto.ca/pking/
>
> =========================================================================
> GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42)
> gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
> ---
> Talk Mailing List
> talk at gtalug.org
> https://gtalug.org/mailman/listinfo/talk
More information about the talk
mailing list