Re: [Savannah-users] Savannah's x.509 certificate fingerprints


From: Sylvain Beucler
Subject: Re: [Savannah-users] Savannah's x.509 certificate fingerprints
Date: Wed, 20 Jun 2007 00:36:19 +0200
User-agent: Mutt/1.5.13 (2006-08-11)

On Tue, Jun 19, 2007 at 05:43:20AM +0000, Taylor R Campbell wrote:
> I just fetched Savannah's x.509 certificates from
> <http://savannah.gnu.org/tls/> and verified the signed PGP message
> containing the fingerprints.  I first noticed that there's a
> fingerprint for `cvs.*gnu.org', without any link to a certificate
> above.  Then I checked the fingerprints on all the certificates, and
> found that while the certificate authority matched the fingerprint
> listed in the signed PGP message, the other two didn't.  Here are the
> fingerprints that the signed PGP message claims:
> 
> savannah.gnu.org:
> * SHA1 Fingerprint=59:62:0B:EF:A2:AA:FE:C1:6B:39:CB:A5:90:65:42:F5:81:A2:AE:A9
> * MD5 Fingerprint=93:9C:BC:3C:2D:7C:42:D4:B1:15:B1:B6:B6:ED:EC:A0
> savannah.nongnu.org:
> * SHA1 Fingerprint=B9:8A:FE:4B:B8:B5:27:BF:44:71:7A:28:23:19:38:3A:34:E6:83:E0
> * MD5 Fingerprint=07:EA:E7:86:B0:0F:F0:0F:7F:AC:82:2C:2E:F2:1B:C3
> 
> Here are the actual fingerprints that I obtained with `openssl x509
> -fingerprint -noout -in ...', with and without the `-sha1' option to
> alternate between MD5 and SHA1:
> 
> savannah.gnu.org:
> * SHA1 Fingerprint=5C:09:4A:82:12:06:20:89:CF:5F:F2:FC:AE:6A:2C:54:7B:8E:EA:5E
> * MD5 Fingerprint=E2:4A:D7:0D:5F:53:A2:54:3A:CA:8B:01:DD:60:91:A4
> savannah.nongnu.org:
> * SHA1 Fingerprint=CA:06:57:BF:5B:35:94:0E:98:1B:28:81:83:47:BB:07:F4:EC:7B:D1
> * MD5 Fingerprint=52:34:FD:6B:42:19:0A:E3:AD:8D:85:37:FF:ED:1B:72
> 
> I'm not wizardly enough with OpenSSL to make it verify whether a
> certificate was, in fact, signed by an issuer, to check the validity
> of the savannah.gnu.org and savannah.nongnu.org certificates against
> Savannah's certificate authority.  I don't doubt that they were, but
> is there any reason why the fingerprints do not match?

Yes, the page had links to download outdated certificates from last
year (the fingerprints are up-to-date).

I fixed the page and added instructions on how to display/check the
certificates using GnuTLS, and also how to extract the certificate out
of the running server.

-- 
Sylvain
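The two checks raised in this thread, comparing a certificate's fingerprint against a published value and confirming that a server certificate was actually signed by the site's CA, as an added example that is not part of the original messages or of Savannah's own instructions. It builds a throwaway CA and server certificate with openssl so it runs offline; the names (Example Test CA, savannah.example) and the temporary files are constructed for the demonstration. The thread lists MD5 and SHA1 fingerprints, which was the convention in 2007; today you would publish and compare SHA-256, which the `fingerprint` helper also supports.

```shell
#!/bin/sh
# Added example: verify x.509 fingerprints and CA signatures with openssl.
# Not code from the Savannah page; the PKI below is generated on the fly.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed CA, a server certificate signed by it,
# and a second, unrelated CA used to show what a failed chain check looks like.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=savannah.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/server.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# fingerprint CERT DIGEST: print the colon-separated hex fingerprint of a PEM
# certificate. DIGEST is sha1, sha256 or md5; the same command the questioner
# ran ("openssl x509 -fingerprint -noout -in ..."), with the label stripped.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2
}

# check_fingerprint CERT DIGEST EXPECTED: compare the certificate's fingerprint
# with a published value (e.g. one taken from a PGP-signed list). Case-insensitive.
# Returns 0 on match, 1 on mismatch.
check_fingerprint() {
  actual=$(fingerprint "$1" "$2" | tr 'a-f' 'A-F')
  expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
  [ "$actual" = "$expected" ]
}

# verify_chain CAFILE CERT: the check the questioner was missing. openssl verify
# builds and validates the chain from CERT to the trust anchor in CAFILE; it exits
# non-zero if CERT was not issued by that CA (or is expired, etc.).
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fetch_live_cert HOST OUTFILE: pull the leaf certificate a running server
# presents, so its fingerprint can be compared with the published one.
# Not called here (it needs network); gnutls-cli --print-cert HOST does the same.
fetch_live_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -out "$2"
}

# Demonstration run.
make_test_pki
published=$(fingerprint "$WORK/server.pem" sha1)   # stands in for the signed list
check_fingerprint "$WORK/server.pem" sha1 "$published" ||
  { echo "fingerprint mismatch"; exit 1; }
echo "SHA1 fingerprint matches: $published"
verify_chain "$WORK/ca.pem" "$WORK/server.pem" ||
  { echo "server.pem is not signed by ca.pem"; exit 1; }
echo "server.pem chains to ca.pem"
if verify_chain "$WORK/other.pem" "$WORK/server.pem"; then
  echo "unexpected: unrelated CA accepted"; exit 1
else
  echo "server.pem does NOT chain to other.pem (as expected)"
fi
```

A fingerprint match proves you hold the same certificate bytes as whoever signed the list; `openssl verify -CAfile` proves the certificate was issued by that CA. Both are needed: the first catches a stale download like the one found in this thread, the second catches a certificate that matches nothing on the list at all.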
