Sorry, I found another certificate on my VPS which matches the fingerprint used by Lagrange browser.

So I think I can confirm that I was NOT MITM-ed and it must be the bug in gmnisrv.

I had two sets of certificates, because I ran gmnisrv with a changed configuration.

I had attached the other, matching certificate for the curious.

```
$ openssl x509 -noout -fingerprint -sha256 -in naujenai-2.lt.crt
SHA256 Fingerprint=95:C3:4B:F2:3A:D2:6F:64:62:71:38:87:5C:E2:B2:51:04:8F:CF:EA:9B:E9:05:A7:C9:91:53:25:FB:0E:35:46
```

On 11/28/20 6:39 PM, Emilis wrote:
> On 11/28/20 5:14 PM, Ben Burwell wrote:
>> Those logs do look a little funky, but luckily we don't need to rely on
>> IP addresses to check your hypothesis: all you need to do is match the
>> fingerprint/hash of the cert being presented by Lagrange with the hash
>> of the cert generated on your server. If they don't match, then you have
>> definitively been MITM'd.
>
> I can't match the server certificate to its browser fingerprint.
>
> I am not sure I am using the correct methods.
>
> My Lagrange `.config/lagrange/trusted.txt` has this line:
>
> ```
> naujenai.lt 1638096010 95c34bf23ad26f64627138875ce2b251048fcfea9be905a7c9915325fb0e3546
> ```
>
> I attached my `naujenai.lt.crt` which was generated by gmnisrv.
>
> I ran these commands on the certificate file:
>
> ```
> $ openssl x509 -in naujenai.lt.crt -noout -fingerprint -sha256
> SHA256 Fingerprint=83:D8:96:B8:83:2B:D7:04:A2:E1:36:78:15:4B:1D:4F:30:A1:13:22:79:57:AD:68:A8:70:2B:49:9F:1D:D0:65
> ```
>
> ```
> $ openssl x509 -in naujenai.lt.crt -outform DER -out naujenai.lt.der
> $ sha256sum naujenai.lt.der
> 83d896b8832bd704a2e13678154b1d4f30a113227957ad68a8702b499f1dd065  naujenai.lt.der
> ```
>
> Lagrange seems to be using sha256 fingerprints, but I am not a C
> developer so I can't be sure:
> https://git.skyjake.fi/skyjake/the_Foundation/src/branch/master/src/tlsrequest.c#L310
>
> --
> Emilis Dambauskas
> gemini://tilde.team/~emilis/
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: naujenai-2.lt.crt
Type: application/pkix-cert
Size: 574 bytes
Desc: not available
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20201128/20eb072c/attachment.cer>
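
The comparison described in this thread, written out as an added example that is not part of the original messages: it looks up the pin for a host in `trusted.txt` and reports which server-side certificates match it. It assumes the `host expiry hash` layout and the SHA-256-over-DER hash that the values quoted above show; the function names are hypothetical and the sample input is the values quoted in the thread.

```python
import hashlib
import ssl


def normalize_fingerprint(text):
    """Turn 'SHA256 Fingerprint=AA:BB:...' or bare hex into 64 lowercase hex chars."""
    hexstr = "".join(text.split("=", 1)[-1].split()).replace(":", "").lower()
    if len(hexstr) != 64 or set(hexstr) - set("0123456789abcdef"):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return hexstr


def pem_fingerprint(pem_text):
    """SHA-256 over the DER bytes, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def pinned_fingerprint(trusted_txt, host):
    """Return the pinned hash for host from trusted.txt text, or None if absent."""
    for line in trusted_txt.splitlines():
        fields = line.split()
        # Assumed layout, as quoted in the thread: host, expiry (epoch), hash
        if len(fields) == 3 and fields[0] == host:
            return normalize_fingerprint(fields[2])
    return None


def matching_certs(trusted_txt, host, candidates):
    """Names of candidate certs whose fingerprint equals the client's pin.

    An empty list means no certificate on the server explains what the
    client saw, which is the case that needs further investigation.
    """
    pin = pinned_fingerprint(trusted_txt, host)
    if pin is None:
        raise LookupError("no pin recorded for %s" % host)
    return [name for name, fp in candidates.items()
            if normalize_fingerprint(fp) == pin]


# Sample input: the trusted.txt entry and openssl output quoted in this thread.
TRUSTED_TXT = ("naujenai.lt 1638096010 "
               "95c34bf23ad26f64627138875ce2b251048fcfea9be905a7c9915325fb0e3546\n")
CANDIDATES = {
    "naujenai.lt.crt": "SHA256 Fingerprint=83:D8:96:B8:83:2B:D7:04:A2:E1:36:78:15:4B:"
                       "1D:4F:30:A1:13:22:79:57:AD:68:A8:70:2B:49:9F:1D:D0:65",
    "naujenai-2.lt.crt": "SHA256 Fingerprint=95:C3:4B:F2:3A:D2:6F:64:62:71:38:87:5C:E2:"
                         "B2:51:04:8F:CF:EA:9B:E9:05:A7:C9:91:53:25:FB:0E:35:46",
}

if __name__ == "__main__":
    print(matching_certs(TRUSTED_TXT, "naujenai.lt", CANDIDATES))
```

To check certificate files directly instead of pasted `openssl` output, pass `pem_fingerprint(open(path).read())` as the candidate value.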