SHA1 fingerprint differs between the browser and openssl

Time: 2018-01-17 10:01:47

Tags: openssl sni

When I check a site's fingerprint with openssl

echo "" | openssl s_client -proxy proxy-vip:3128 -showcerts -connect saucelabs.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p;/-END CERTIFICATE-/a\\x0' | sed -e '$ d' | xargs -0rl -I% sh -c "echo '%' | openssl x509 -fingerprint -noout -sha1"

I get the following result:

SHA1 Fingerprint=F7:62:50:60:C2:DC:A9:29:96:B5:99:C2:DB:2A:71:BD:EA:57:0B:F9

SHA1 Fingerprint=2E:49:16:B0:7F:3D:E9:0C:8D:DE:25:66:FD:9B:9B:40:0D:89:BB:BA

SHA1 Fingerprint=03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD

But if I check the fingerprint in the browser, the result is:

80:27:83:5F:A8:81:6B:97:E2:60:FF:B3:A9:7B:69:E1:F2:38:9A:7A

Why do I get different results?

1 answer:

Answer 0 (score: 1)

The short answer is that the fingerprints you get differ because they really are different certificates :)

Longer answer:

The server at the saucelabs.com IP is serving apps.saucelabs.com content to the openssl s_client utility. You can see this if you print the subject CN of the certificates (note the addition of -subject to the final openssl command).

$ echo "" | openssl s_client -showcerts \
                             -connect saucelabs.com:443 2>&1 | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p;
             /-END CERTIFICATE-/a\\x0' |\
    sed -e '$ d' | xargs -0rl -I% sh -c "echo '%' | \
    openssl x509 -fingerprint -noout -sha1 -subject"
SHA1 Fingerprint=F7:62:50:60:C2:DC:A9:29:96:B5:99:C2:DB:2A:71:BD:EA:57:0B:F9
subject=CN = app.saucelabs.com
SHA1 Fingerprint=2E:49:16:B0:7F:3D:E9:0C:8D:DE:25:66:FD:9B:9B:40:0D:89:BB:BA
subject=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
SHA1 Fingerprint=03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
subject=C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3

If you compare this with the information in your browser, you will notice that your browser is getting the certificate for saucelabs.com, and not the apps.saucelabs.com certificate that you are being redirected to.

The server is using SNI to decide which server to send the request to. Apparently, without SNI, the server at saucelabs.com serves content from apps.saucelabs.com. Now, if you want to see the saucelabs.com certificate, go ahead and send the SNI message like your browser does (note the -servername option added to the s_client command):

$ echo "" | openssl s_client -servername "saucelabs.com" \
                             -showcerts \
                             -connect saucelabs.com:443 2>&1 | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p;
             /-END CERTIFICATE-/a\\x0' | sed -e '$ d' | \
    xargs -0rl -I% sh -c "echo '%' | \
    openssl x509 -fingerprint -noout -sha1 -subject"
SHA1 Fingerprint=80:27:83:5F:A8:81:6B:97:E2:60:FF:B3:A9:7B:69:E1:F2:38:9A:7A
subject=CN = saucelabs.com
SHA1 Fingerprint=2E:49:16:B0:7F:3D:E9:0C:8D:DE:25:66:FD:9B:9B:40:0D:89:BB:BA
subject=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
SHA1 Fingerprint=03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
subject=C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3

and your browser will show the 80...7A hash :)
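The same check in Python, as an added example that is not part of the answer above: it fetches the leaf certificate once without the server_name extension (like openssl s_client without -servername) and once with it (like a browser), and prints the SHA1 fingerprint in the same form openssl x509 -fingerprint -sha1 uses, so a pinning or monitoring script can confirm it is looking at the certificate the browser actually sees. The host name saucelabs.com is taken from the question; any other target is an assumption of the caller.

```python
"""Compare the leaf certificate a TLS server presents with and without SNI."""
import hashlib
import socket
import ssl
from typing import Optional


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 of a DER-encoded certificate, colon-separated and upper-case,
    exactly as `openssl x509 -fingerprint -noout -sha1` prints it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host: str, port: int = 443, sni: Optional[str] = None,
                   timeout: float = 10.0) -> bytes:
    """Return the DER leaf certificate the server offers on a fresh handshake.
    sni=None sends no server_name extension (openssl s_client default);
    sni=host sends it the way a browser does. Verification is switched off
    because the goal is to observe which certificate is offered, not to
    trust it; never reuse this context for real traffic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # observe only, no validation
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def compare_sni(host: str, port: int = 443) -> dict:
    """Fingerprints seen without and with SNI, plus whether they differ.
    A difference means the server selects its certificate by server_name,
    so any fingerprint check or pin must send SNI to match the browser."""
    without = sha1_fingerprint(fetch_leaf_der(host, port, sni=None))
    with_sni = sha1_fingerprint(fetch_leaf_der(host, port, sni=host))
    return {"without_sni": without, "with_sni": with_sni,
            "differs": without != with_sni}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "saucelabs.com"
    for key, value in compare_sni(target).items():
        print(f"{key}: {value}")
```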