浏览器和openssl中的不同SHA1指纹

浏览器和openssl中的不同SHA1指纹,openssl,sni,Openssl,Sni,当我用openssl检查网站的指纹时 echo "" | openssl s_client -proxy proxy-vip:3128 -showcerts -connect saucelabs.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p;/-END CERTIFICATE-/a\\x0' | sed -e '$ d' | xargs -0rl -I% sh -c &quo

当我用openssl检查网站的指纹时

echo "" | openssl s_client -proxy proxy-vip:3128 -showcerts -connect saucelabs.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p;/-END CERTIFICATE-/a\\x0' | sed -e '$ d' | xargs -0rl -I% sh -c "echo '%' | openssl x509 -fingerprint -noout -sha1"
我得到以下结果:

SHA1指纹=F7:62:50:60:C2:DC:A9:29:96:B5:99:C2:DB:2A:71:BD:EA:57:0B:F9

SHA1指纹=2E:49:16:B0:7F:3D:E9:0C:8D:DE:25:66:FD:9B:9B:40:0D:89:BB:BA

SHA1指纹=03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD

但是,如果我在浏览器中检查指纹,结果是:

80:27:83:5F:A8:81:6B:97:E2:60:FF:B3:A9:7B:69:E1:F2:38:9A:7A


为什么我会得到不同的结果?

简单的回答是,你会得到不同的指纹,因为它们实际上是不同的证书:)

详细回答:

saucelabs.com
的IP服务器正在将
apps.saucelabs.com
中的内容提供给openssl
s_客户端
实用程序。如果您打印证书的主题CN,您可以看到这一点(注意在最终的openssl命令中添加了
-subject

如果您将其与浏览器中的信息进行比较,您会注意到您的浏览器获得的是
saucelabs.com
的证书,而不是重定向到的
apps.saucelabs.com
的证书

服务器正在使用来决定将请求发送到哪个服务器。显然,在没有sni的情况下,saucelab.com上的服务器提供apps.saucelab.com上的内容。现在,如果您想查看saucelabs.com的证书,请继续并像浏览器一样发送sni消息(注意在
s_client
命令中添加了
-servername
选项):

还有你的浏览器显示的80…7A哈希:)

$ echo "" | openssl s_client -showcerts \
                             -connect saucelabs.com:443 2>&1 | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p;
             /-END CERTIFICATE-/a\\x0' |\
    sed -e '$ d' | xargs -0rl -I% sh -c "echo '%' | \
    openssl x509 -fingerprint -noout -sha1 -subject"
SHA1 Fingerprint=F7:62:50:60:C2:DC:A9:29:96:B5:99:C2:DB:2A:71:BD:EA:57:0B:F9
subject=CN = app.saucelabs.com
SHA1 Fingerprint=2E:49:16:B0:7F:3D:E9:0C:8D:DE:25:66:FD:9B:9B:40:0D:89:BB:BA
subject=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
SHA1 Fingerprint=03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
subject=C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
$ echo "" | openssl s_client -servername "saucelabs.com" \
                             -showcerts \
                             -connect saucelabs.com:443 2>&1 | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p;
             /-END CERTIFICATE-/a\\x0' | sed -e '$ d' | \
    xargs -0rl -I% sh -c "echo '%' | \
    openssl x509 -fingerprint -noout -sha1 -subject"
SHA1 Fingerprint=80:27:83:5F:A8:81:6B:97:E2:60:FF:B3:A9:7B:69:E1:F2:38:9A:7A
subject=CN = saucelabs.com
SHA1 Fingerprint=2E:49:16:B0:7F:3D:E9:0C:8D:DE:25:66:FD:9B:9B:40:0D:89:BB:BA
subject=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
SHA1 Fingerprint=03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
subject=C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3