How to verify gmail imap ssl certificate.txt Guest on 22nd May 2020 06:20:38 PM
How to manually verify the certificates used by:
pop.gmail.com
imap.gmail.com
smtp.gmail.com

If your e-mail program complains.
First of all, here are some fingerprints I've seen recently (mostly here
to make this page findable; you can't use them for verification because
my server isn't using HTTPS and you don't trust me :P):

for imap.gmail.com:
MD5: 41:BE:CF:CE:07:70:F0:FA:EA:53:C8:FC:CB:92:5C:38
SHA1: DB:7F:2D:F4:8F:9E:94:50:3A:84:97:AE:41:73:12:A3:A5:87:5F:96


Now, how to check that:

openssl s_client -connect imap.gmail.com:993

This will spew out a bunch of text, including the server's certificate. Put the block
from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including those
lines) in cert.pem.

(You'll also note that openssl says "verify error:num=20:unable to get local
issuer certificate" near the top. That is openssl telling you it could not find a
trusted issuer for the cert, i.e. it failed to verify it.)

Now do this:

openssl x509 -in cert.pem -text

Under "Authority Information Access:" you'll have something like:
Authority Information Access:
     CA Issuers - URI:http://pki.google.com/GIAG2.crt

That's the URL of the certificate that signed this one. Download it over HTTPS.
This should work, i.e. the certificate of the https server on pki.google.com should
validate, which means you've now got a trusted copy of GIAG2.crt.

So, now you have GIAG2.crt, which you trust, and cert.pem, which you're not sure about.

One more intermediate step: GIAG2.crt is in a binary format, called DER.
openssl can convert it to PEM:

openssl x509 -inform DER -outform PEM -in GIAG2.crt -out GIAG2.pem

Now you can verify the server certificate against it:

openssl verify -CAfile GIAG2.pem cert.pem

...which hopefully comes back with:
cert.pem: OK

But... is this the same certificate that your mail program presented you with?
Compare the fingerprint it shows against:

openssl x509 -in cert.pem -fingerprint

(or, if your mail program shows the MD5 fingerprint:
openssl x509 -in cert.pem -fingerprint -md5
)
