On Sat, Jul 7, 2012 at 4:02 PM,  <pro...@secure-mail.biz> wrote:
> <noloa...@gmail.com> wrote:
>> You pin a certificate by whitelisting expected server certificates
>> (possibly thumbprints).
> How to do that?
My bad. You usually do it pragmatically in an "On Connect" callback or
delegate. I don't have any OpenSSL code handy, but but below is some
.Net/C# code. Cocoa/CocoaTouch and Objective C would do it in
NSURLConnection  and the NSURLConnectionDelegate
and you would do it in Android with HttpsURLConnection and

public static void Main(string[] args)
  ServicePointManager.ServerCertificateValidationCallback = PinCertificate;

  // C1956DC8A7DFB2A5A56934DA09778E3A11023358
  // WebRequest wr = WebRequest.Create("https://www.google.com/";);

  // 8FC079E814777F688BA4C807D9BD67D62AF71AEB
  WebRequest wr = WebRequest.Create("https://encrypted.google.com/";);

public static bool PinCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
  if (certificate == null)
        return false;

  if (chain == null)
        return false;

  byte[] cb = certificate.GetCertHash();
  StringBuilder sb = new StringBuilder(cb.Length * 2);
  foreach (byte b in cb)
        sb.AppendFormat("{0:X2}", b);

  // Verify against known SHA1 thumb print of the certificate
  String hash = sb.ToString();
  if (hash != "C1956DC8A7DFB2A5A56934DA09778E3A11023358")
        return false;

  return true;

>> There's usually no need to sign another's key
>> or certificate (I've never done it that way, and never seen it done
>> that way).
> A little more background... Stories like the diginotar compromise [1] may 
> happen again, anytime.
Yes, agreed. I have no love or trust for the public CA hierarchy, and
I am still pissed off about what happened to the folks in Iran who
were probably tortured and killed due to Diginotar's failure.

> I am developing an anonymous operating system [2]. We use wget to download 
> Tor Browser from torproject.org and to access check.torproject.org. (Not 
> available over secure apt.) Wget does offer ca pinning, but does not support 
> certificate pinning [3].
Unfortunately, I'm not familiar with wget (other than executing what I'm told).

> So my original question was how do I get wget to verify the torproject.org 
> fingerprint [4] without depending on root CA's? The only possible solution I 
> saw was downloading the torproject.org SSL public key, run a local CA, sign 
> the certificate and run wget with the --ca-certificate switch. That's why I 
> posted the question "Sign public key without having CSR or private key?" here.
> If there are any suggestions for this situation I am all ears.
Perhaps wget needs to be modified so that it allows you to supply
expected thumbrints of a server's certificate.

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to