[guardian-dev] Fwd: verifying XMPP server certs

Nathan of Guardian nathan at guardianproject.info
Mon Aug 11 17:13:33 EDT 2014



On 08/11/2014 04:55 PM, Nathan of Guardian wrote:
> i've been happily using ChatSecure for iOS for some time.  on July 7th,
> it warned me that the TLS cert for talk.google.com had changed.  i
> accepted it and ended up with the app telling me i now have a cert saved
> with SHA1 96:d7:17:4a:aa:71:6e:85:3f:57:b0:ce:3c:40:64:55:f4:7b:1f.
> 
> i've been trying to verify the hash from the command line, but haven't been
> able to.  i'm using this one-liner:
> ===
> $ openssl s_client -connect talk.google.com:5223 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint
> ===
> it currently spits out:
> SHA1 Fingerprint=05:E7:8E:8D:CB:85:04:1F:D2:99:8C:3F:F9:D3:2F:4F:2D:FB:67:39
> 
> does anybody have a recipe for generating an SHA1 that matches the
> 96:d7:17:4a:aa:71:6e:85:3f:57:b0:ce:3c:40:64:55:f4:7b:1f one that
> ChatSecure stored or can anybody tell me what i'm doing wrong?

I think you want to try talk.l.google.com possibly, using port 5222. It
is "starttls".

Here is some Java code that can help fetch certs:
https://github.com/binaryparadox/JabberPinFetch

You can also run tests here:
https://xmpp.net/result.php?domain=gmail.com&type=client
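
Added example, not part of the original message and not taken from JabberPinFetch: a Python sketch of the STARTTLS route suggested above. It opens the plain XMPP stream on port 5222, upgrades it to TLS, then compares the SHA-1 of the presented certificate with a stored fingerprint. All function names and the host, xmpp_domain and pin arguments are assumptions made for this illustration.

```python
import hashlib
import socket
import ssl
import sys

def parse_fingerprint(text):
    """Turn 'AA:bb:..' or 'aabb..' into bytes; a SHA-1 digest is exactly 20 bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("SHA-1 fingerprint must be 20 bytes, got %d" % len(raw))
    return raw

def sha1_fingerprint(der_cert):
    """SHA-1 over the DER certificate, formatted the way 'openssl x509 -fingerprint' prints it."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches(der_cert, expected):
    return hashlib.sha1(der_cert).digest() == parse_fingerprint(expected)

def read_until(sock, marker):
    """Read until marker has been seen and the buffer ends on a complete tag."""
    buf = b""
    while marker not in buf or not buf.rstrip().endswith(b">"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before %r" % marker)
        buf += chunk
    return buf

def fetch_xmpp_cert(host, xmpp_domain, port=5222, timeout=10):
    """Negotiate XMPP STARTTLS (RFC 6120) and return the server's leaf certificate in DER."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(("<stream:stream xmlns='jabber:client' "
                      "xmlns:stream='http://etherx.jabber.org/streams' "
                      "to='%s' version='1.0'>" % xmpp_domain).encode())
        read_until(sock, b"</stream:features>")
        sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        read_until(sock, b"<proceed")
        # Chain validation is off on purpose: the cert is only fetched here and
        # is then judged by comparing its fingerprint with the stored one.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=xmpp_domain) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":  # usage: script.py HOST XMPP_DOMAIN EXPECTED_SHA1
    host, domain, pin = sys.argv[1:4]
    der = fetch_xmpp_cert(host, domain)
    print(sha1_fingerprint(der), "MATCH" if matches(der, pin) else "MISMATCH")
```

parse_fingerprint rejects the 96:d7:... value quoted in the message, because it holds 19 bytes and a SHA-1 digest is 20.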

