Using a command line website downloader, such as wget, curl or any other one… In a script…
I have the SHA-1 and the SHA-256 certificate fingerprint of a website. Due to security concerns (1) (2), I don't want to use the public SSL certificate authority system. The fingerprint must be hard coded.
Can a wget like application check the SSL fingerprint?
wget does not have such a functionality. (3)
Using wget --ca-certificate or curl --cacert I would have to run my own local certificate authority, which I'd like to prevent, because that adds a lot of complexity. It's also ultra difficult and no one did that ever before. (4)
Isn't there any tool, like

download --tlsv1 --serial-number xx:yy:zz --fingerprint xxyyzz https://site.com

?
The solution must of course not be vulnerable to TOCTOU. (5) The MITM could return a valid fingerprint for the openssl client request and tamper with the following wget request.
Best Answer
Source
Install required software:
Download the public SSL certificate:
Or better:
Get SHA-1 fingerprint:
Get SHA-256 fingerprint:
Manually compare SHA-1 and SHA-256 fingerprints with torproject.org FAQ: SSL.
Optionally render the ca-certificates useless for testing purposes. Using curl here, but wget has a bug and uses the ca-files anyway.
Download with curl and the pinned certificate:
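The procedure above, as one script (an added example, not the answer's own commands): it fetches the leaf certificate once, checks its SHA-256 fingerprint against a hard-coded value, and hands that same file to curl as the only trusted CA, so the certificate that was checked is the certificate that must be presented for the download. It assumes openssl and curl are installed and that curl accepts a leaf certificate as a trust anchor (recent curl/OpenSSL builds do); PIN_HOST and PIN_SHA256 are placeholder names for the site and the fingerprint you obtained out of band.

```shell
#!/bin/sh
# Added example (not from the answer above): pin a site's certificate by
# fingerprint, then download with curl using only that certificate as CA.
# Assumes openssl and curl are installed and that curl accepts a leaf
# certificate as trust anchor (recent curl/OpenSSL builds do).
set -e

# SHA-256 fingerprint of a PEM certificate file, colon-separated hex.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare two fingerprints, ignoring case and colons. 0 = match, 1 = mismatch.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Save the leaf certificate presented by host ($1) on port ($2) as PEM in $3.
fetch_cert() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Check the saved certificate against the hard-coded fingerprint, then hand
# that same file to curl as its only CA. Because the file curl trusts is the
# one just checked, a MITM cannot answer the check with a good certificate
# and the download with a different one (closes the TOCTOU window).
pinned_download() {
    url=$1 certfile=$2 expected=$3 dest=$4
    actual=$(cert_sha256 "$certfile")
    if ! fingerprint_matches "$actual" "$expected"; then
        echo "pin mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    curl --tlsv1.2 --cacert "$certfile" --output "$dest" "$url"
}

# Usage: PIN_HOST=site.example PIN_SHA256=<hard-coded fingerprint> sh pin.sh
# (both are placeholders; PIN_SHA256 is the fingerprint obtained out of band)
if [ -n "${PIN_HOST:-}" ] && [ -n "${PIN_SHA256:-}" ]; then
    tmp=$(mktemp -d)
    fetch_cert "$PIN_HOST" 443 "$tmp/site.pem"
    pinned_download "https://$PIN_HOST/" "$tmp/site.pem" "$PIN_SHA256" "$tmp/index.html"
    echo "saved to $tmp/index.html"
fi
```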