Created
July 27, 2019 16:07
-
-
Save clarencetw/d9b720be6bd93c2167492252d3f4c910 to your computer and use it in GitHub Desktop.
certificate-pinning-analysis
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| clarence:~$ curl -i https://api.github.com/users/octocat/orgs | |
| HTTP/1.1 200 OK | |
| Server: GitHub.com | |
| Date: Thu, 08 Nov 2018 06:49:41 GMT | |
| Content-Type: application/json; charset=utf-8 | |
| Content-Length: 5 | |
| Status: 200 OK | |
| X-RateLimit-Limit: 60 | |
| X-RateLimit-Remaining: 46 | |
| X-RateLimit-Reset: 1541661588 | |
| Cache-Control: public, max-age=60, s-maxage=60 | |
| Vary: Accept | |
| ETag: "98f0c1b396a4e5d54f4d5fe561d54b44" | |
| X-GitHub-Media-Type: github.v3; format=json | |
| Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type | |
| Access-Control-Allow-Origin: * | |
| Strict-Transport-Security: max-age=31536000; includeSubdomains; preload | |
| X-Frame-Options: deny | |
| X-Content-Type-Options: nosniff | |
| X-XSS-Protection: 1; mode=block | |
| Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin | |
| Content-Security-Policy: default-src 'none' | |
| X-GitHub-Request-Id: D9F0:3598:2E537A:7CFD03:5BE3DC85 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| clarence:~$ openssl s_client -connect api.github.com:443 2>&1 < /dev/null \ | |
| | sed -n '/-----BEGIN/,/-----END/p' \ | |
| | openssl x509 -noout -pubkey \ | |
| | openssl pkey -pubin -outform der \ | |
| | openssl dgst -sha256 -binary \ | |
| | openssl enc -base64 | |
| y2HhTRXXLdmAF1esYBb/muQUl3BIBdmEB8jUvMrGc28= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| clarence:~$ curl -I -x 127.0.0.1:8080 https://api.github.com/users/octocat/orgs | |
| HTTP/1.0 200 Connection established | |
| curl: (60) SSL certificate problem: self signed certificate in certificate chain | |
| More details here: https://curl.haxx.se/docs/sslcerts.html | |
| curl performs SSL certificate verification by default, using a "bundle" | |
| of Certificate Authority (CA) public keys (CA certs). If the default | |
| bundle file isn't adequate, you can specify an alternate file | |
| using the --cacert option. | |
| If this HTTPS server uses a certificate signed by a CA represented in | |
| the bundle, the certificate verification probably failed due to a | |
| problem with the certificate (it might be expired, or the name might | |
| not match the domain name in the URL). | |
| If you'd like to turn off curl's verification of the certificate, use | |
| the -k (or --insecure) option. | |
| HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| clarence:~$ curl -k -I -x 127.0.0.1:8080 https://api.github.com/users/octocat/orgs | |
| HTTP/1.0 200 Connection established | |
| HTTP/1.1 200 OK | |
| Server: GitHub.com | |
| Date: Thu, 08 Nov 2018 08:26:53 GMT | |
| Content-Type: application/json; charset=utf-8 | |
| Content-Length: 5 | |
| Connection: close | |
| Status: 200 OK | |
| X-RateLimit-Limit: 60 | |
| X-RateLimit-Remaining: 57 | |
| X-RateLimit-Reset: 1541669152 | |
| Cache-Control: public, max-age=60, s-maxage=60 | |
| Vary: Accept | |
| ETag: "98f0c1b396a4e5d54f4d5fe561d54b44" | |
| X-GitHub-Media-Type: github.v3; format=json | |
| Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type | |
| Access-Control-Allow-Origin: * | |
| Strict-Transport-Security: max-age=31536000; includeSubdomains; preload | |
| X-Frame-Options: deny | |
| X-Content-Type-Options: nosniff | |
| X-XSS-Protection: 1; mode=block | |
| Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin | |
| Content-Security-Policy: default-src 'none' | |
| X-GitHub-Request-Id: F462:359B:CF82D0:1C05BD1:5BE3F34D |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| clarence:~$ curl -I --pinnedpubkey "sha256//y2HhTRXXLdmAF1esYBb/muQUl3BIBdmEB8jUvMrGc28=" https://api.github.com/users/octocat/orgs | |
| HTTP/1.1 200 OK | |
| Server: GitHub.com | |
| Date: Thu, 08 Nov 2018 08:29:04 GMT | |
| Content-Type: application/json; charset=utf-8 | |
| Content-Length: 5 | |
| Status: 200 OK | |
| X-RateLimit-Limit: 60 | |
| X-RateLimit-Remaining: 56 | |
| X-RateLimit-Reset: 1541669152 | |
| Cache-Control: public, max-age=60, s-maxage=60 | |
| Vary: Accept | |
| ETag: "98f0c1b396a4e5d54f4d5fe561d54b44" | |
| X-GitHub-Media-Type: github.v3; format=json | |
| Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type | |
| Access-Control-Allow-Origin: * | |
| Strict-Transport-Security: max-age=31536000; includeSubdomains; preload | |
| X-Frame-Options: deny | |
| X-Content-Type-Options: nosniff | |
| X-XSS-Protection: 1; mode=block | |
| Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin | |
| Content-Security-Policy: default-src 'none' | |
| X-GitHub-Request-Id: F4FA:359B:CF9C3B:1C08FF0:5BE3F3D0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| clarence:~$ curl -I -x 127.0.0.1:8080 --pinnedpubkey "sha256//y2HhTRXXLdmAF1esYBb/muQUl3BIBdmEB8jUvMrGc28=" https://api.github.com/users/octocat/orgs | |
| HTTP/1.0 200 Connection established | |
| curl: (60) SSL certificate problem: self signed certificate in certificate chain | |
| More details here: https://curl.haxx.se/docs/sslcerts.html | |
| curl performs SSL certificate verification by default, using a "bundle" | |
| of Certificate Authority (CA) public keys (CA certs). If the default | |
| bundle file isn't adequate, you can specify an alternate file | |
| using the --cacert option. | |
| If this HTTPS server uses a certificate signed by a CA represented in | |
| the bundle, the certificate verification probably failed due to a | |
| problem with the certificate (it might be expired, or the name might | |
| not match the domain name in the URL). | |
| If you'd like to turn off curl's verification of the certificate, use | |
| the -k (or --insecure) option. | |
| HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| clarence:~$ curl -k -I -x 127.0.0.1:8080 --pinnedpubkey "sha256//y2HhTRXXLdmAF1esYBb/muQUl3BIBdmEB8jUvMrGc28=" https://api.github.com/users/octocat/orgs | |
| HTTP/1.0 200 Connection established | |
| curl: (90) SSL: public key does not match pinned public key! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment