On Thu, Nov 20, 2014 at 10:07:26AM +0100, Patrik B?t wrote:

> The fingerprint that posttls-finger is returning, what fingerprint is
> this? it doesn't match the one I'm getting from the certificate using:

From the manpage for posttls-finger(1):

    $ tar zxf postfix-2.11.3.tar.gz
    $ cd postfix-2.11.3
    $ man -M ./man posttls-finger
    ...
    -d mdalg (default: sha1)
        The message digest algorithm to use for reporting remote SMTP
        server fingerprints and matching against user provided
        certificate fingerprints (with DANE TLSA records the algorithm
        is specified in the DNS).

The parenthetical text is slightly misleading, while the digest used to
verify the TLSA RRs is taken from the DNS, the digest reported is still
the one from the "-d" option. So I often use:

    posttls-finger -d sha256 example.com.

> openssl x509 -in cert.pem -noout -pubkey |
> openssl rsa -pubin -outform DER |
> openssl dgst -md5 -c

Note MD5 digests are always 16 octets, SHA-1 digests are 20 octets, and
SHA2-256 digests are 32 octets. So you should be able to determine the
algorithm from the output length. The above is a public key MD5 digest,
for TLSA records you'll want a SHA2-256 digest.

    openssl x509 -in cert.pem -noout -pubkey |
    openssl rsa -pubin -outform DER |
    openssl dgst -sha256

-- 
	Viktor.
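The following script is an added example, not part of Viktor's message or of the Postfix distribution. It wraps the two points above in reusable shell functions: one that infers the digest algorithm from a fingerprint's octet length (MD5 = 16, SHA-1 = 20, SHA2-256 = 32), and one that computes the digest of a certificate's SubjectPublicKeyInfo in DER form, which is the value a DANE TLSA "3 1 1" record carries. It uses `openssl pkey -pubin` instead of `openssl rsa -pubin` so that non-RSA keys work too; the throwaway self-signed certificate it generates for the demonstration is constructed here and carries no meaning beyond the example.

```shell
#!/bin/sh
# Added example (not from the original message): relate fingerprint length
# to digest algorithm, and compute the SPKI digest used in TLSA records.

# Map a hex fingerprint (colon-separated or bare) to its algorithm by
# octet count: MD5 = 16, SHA-1 = 20, SHA2-256 = 32.
digest_algo_from_hex() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    case $(( ${#hex} / 2 )) in
        16) echo md5 ;;
        20) echo sha1 ;;
        32) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# Digest of the certificate's SubjectPublicKeyInfo (DER) with the given
# algorithm (default sha256). Prints bare lowercase hex, stripping the
# "NAME(stdin)= " prefix that openssl dgst prints.
spki_digest() {
    cert=$1; alg=${2:-sha256}
    openssl x509 -in "$cert" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst "-$alg" | sed 's/^.*= *//'
}

# Generate a throwaway self-signed certificate (constructed test input;
# the key is written next to it with a .key suffix).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj /CN=example.test -days 1 >/dev/null 2>&1
}

# Demonstration: the same public key digested three ways, and the length
# check recovering the algorithm from each result.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_test_cert "$tmp/cert.pem"
    for alg in md5 sha1 sha256; do
        fp=$(spki_digest "$tmp/cert.pem" "$alg")
        echo "$alg: $fp (${#fp} hex chars, inferred: $(digest_algo_from_hex "$fp"))"
    done
    # Selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA2-256.
    echo "TLSA rdata: 3 1 1 $(spki_digest "$tmp/cert.pem")"
    rm -rf "$tmp"
fi
```

The sha256 line of the output is what `posttls-finger -d sha256` reports for the server's public key, and the hex after `3 1 1` is what belongs in the TLSA record.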