While testing new Proxy/IPS devices from Cisco SourceFire I wondered whether we could write a small program to check the thumbprints of SSL certificates. When you proxy an SSL connection, all information stays hidden (that is the purpose). If you want to inspect that traffic you need to open it before you forward it to the original requester. In this process the SSL certificate is replaced, so the thumbprint of the SSL certificate will give a different output.
Retrieve SSL and hash thumbprint
Python provides good libraries to make this SSL connection and retrieve the SSL certificate. Once the certificate is retrieved we can calculate the thumbprint. In this script we make a connection to our website and retrieve the certificate. The SSL certificate is converted to PEM format and displayed.
```python
import ssl
import socket
import hashlib

addr = 'www.solrac.nl'

# Send SNI but do not verify the chain: we want whatever certificate is
# presented, including one swapped in by an intercepting proxy.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1)
wrappedSocket = context.wrap_socket(sock, server_hostname=addr)
try:
    wrappedSocket.connect((addr, 443))
except (OSError, ssl.SSLError) as exc:
    print("Connection failed: %s" % exc)
else:
    # Binary (DER) form of the peer certificate; the thumbprint is a hash of these bytes
    der_cert_bin = wrappedSocket.getpeercert(True)
    pem_cert = ssl.DER_cert_to_PEM_cert(der_cert_bin)
    print(pem_cert)

    # Thumbprint
    thumb_md5 = hashlib.md5(der_cert_bin).hexdigest()
    thumb_sha1 = hashlib.sha1(der_cert_bin).hexdigest()
    thumb_sha256 = hashlib.sha256(der_cert_bin).hexdigest()
    print("MD5: " + thumb_md5)
    print("SHA1: " + thumb_sha1)
    print("SHA256: " + thumb_sha256)
finally:
    wrappedSocket.close()
```
The output of this script shows the certificate in PEM format and the thumbprint in MD5, SHA1 and SHA256. Here are the thumbprints of my SSL certificate on this blog:
MD5: e22e279132e3dcf1850a6dd0dc941aa4
SHA1: 6e2372f4cd3dfa4309a3adc22553f21b982a508f
SHA256: 8a27aa4f2a124d7754e5e0fef6f57bdc7285526b8fe6ee924d34df5aa11a682b
What can we do with it?
As mentioned earlier in the article, with this thumbprint we can verify that we are connected to the original SSL certificate. Before we can do this we need to know the original thumbprint; the best way to find it is to check it over multiple, presumably safe internet connections.
The following website explains this further and gives the thumbprints of many popular sites: https://www.grc.com/fingerprints.htm
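The check described above, as an added example that is not part of the original post: it turns a published thumbprint (colon-separated, upper-case, as on grc.com) into a pin and compares it in constant time with the hash of the certificate actually presented. The `SAMPLE_DER` bytes are constructed for an offline demonstration, not a real certificate; `check_host` is an assumed helper name.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and return lowercase hex."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Thumbprint = hash of the DER-encoded certificate bytes."""
    return hashlib.new(algorithm, der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned: str, algorithm: str = "sha256") -> bool:
    """True only if the presented certificate hashes to the pinned thumbprint."""
    expected = normalize_fingerprint(pinned)
    actual = fingerprint(der_cert, algorithm)
    if len(expected) != len(actual):  # truncated pin or wrong algorithm
        return False
    return hmac.compare_digest(actual, expected)


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the peer (or an intercepting proxy) presents.
    Chain verification is off on purpose: an untrusted, substituted certificate
    is exactly what we want to see and report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, pinned_sha256: str) -> dict:
    """Live check against a thumbprint recorded earlier on a trusted network."""
    der = fetch_der_cert(host)
    return {"host": host, "sha256": fingerprint(der), "matches": matches_pin(der, pinned_sha256)}


# Constructed sample input (not a real certificate) so the comparison runs offline.
SAMPLE_DER = b"constructed-der-bytes-for-demo"

if __name__ == "__main__":
    # Pin written the way grc.com publishes it: colon-separated, upper-case.
    pin = ":".join(fingerprint(SAMPLE_DER)[i:i + 2] for i in range(0, 64, 2)).upper()
    print(matches_pin(SAMPLE_DER, pin))          # True: same certificate
    print(matches_pin(SAMPLE_DER + b"x", pin))   # False: a replaced certificate
```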