summaryrefslogtreecommitdiffstats
path: root/website/certs.mdwn
blob: bb15262fae07395ca2b73dc96f10e366ab505bbc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# Certificates at Fripost

The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all
X.509 certificates Fripost uses on its publicly available services.  Please
consider any mismatch as a man-in-the-middle attack, and let us know
immediately! -- admin@fripost.org

 * IMAP server

    imap.fripost.org:993

        SHA1   8A:81:CF:C3:04:01:BC:C6:58:03:CB:4B:61:F0:C9:0B:09:51:B8:F8
        SHA256 52:BA:FF:9F:7A:6B:7B:50:51:CB:64:BE:46:72:65:8E:D6:FC:3C:CE:5B:6C:9F:9F:E0:58:00:7B:8F:13:6E:D3

 * SMTP servers (STARTTLS)

    smtp.fripost.org:587 (Mail Submission Agent)

        SHA1   03:87:02:C9:6E:01:D3:AD:BC:EC:77:CC:A5:C5:37:C1:D8:C1:29:BC
        SHA256 6C:89:92:3C:A2:53:E0:14:9E:14:11:17:FF:FA:EB:12:3E:BA:0A:B0:C2:BE:70:18:8C:3D:7A:69:EB:00:5E:BB

    mx1.fripost.org:25 (1st Mail eXchange)

        SHA1   A5:9D:30:9A:49:4E:45:02:05:4B:D9:F8:12:8E:EE:F3:A8:CD:5C:4A
        SHA256 85:C9:C3:07:D6:BB:4E:A2:66:DF:DA:3B:B8:A4:D6:B3:71:B0:48:05:DD:A6:87:83:3F:B5:3E:4F:CF:1E:30:5B

    mx2.fripost.org:25 (2nd Mail eXchange)

        SHA1   67:67:D2:A6:0A:E5:8F:83:A9:85:26:01:71:80:24:C6:0B:DA:30:4F
        SHA256 B1:F4:82:E9:6E:B7:B0:0A:4A:FE:BD:92:6C:8D:EE:F6:6E:8C:1B:33:D3:7A:4B:6E:FB:37:D9:21:62:99:C2:73

 * Web servers

    fripost.org:443 (website), mail.fripost.org:443 (webmail), wiki.fripost.org:443 (wiki)

        SHA1   E1:82:59:FD:7F:9A:11:EF:DC:1B:46:3B:AB:9F:F6:BB:A0:E4:D4:59
        SHA256 7D:F2:7C:67:90:91:EB:5E:1E:25:D0:7B:A4:A5:72:9F:EA:20:EC:F0:74:1C:25:66:1D:72:56:A3:3B:53:D9:9A

    lists.fripost.org:443 (list manager)

        SHA1   9B:EA:15:0C:B3:17:EC:CB:E5:38:DA:93:5C:1D:52:98:13:E4:8A:BC
        SHA256 04:86:AF:AB:68:35:D2:48:0C:F3:55:54:98:5D:2A:48:69:D7:C5:B2:CC:1C:F7:6F:F8:54:25:CF:E5:91:88:21

    git.fripost.org:443 (git server), gitweb.fripost.org:443 (gitweb interface)

        SHA1   70:14:8A:A0:29:8E:53:65:8E:23:CF:BA:45:F1:0F:CB:68:81:AC:B6
        SHA256 84:2A:13:7A:B2:20:25:D6:38:8C:EE:8B:BC:A2:60:C5:AC:CD:8A:6B:67:17:B4:78:7F:97:3F:DE:7B:7D:83:B2

 * SSH server

    gitolite@git.fripost.org

        4096 0b:e5:47:44:71:cb:41:7d:1e:1b:25:bc:28:e8:c3:a2 /etc/ssh/ssh_host_rsa_key.pub (RSA)


To get the whole certificate for imap.fripost.org:993, type the following
command in a shell:

    openssl s_client -connect imap.fripost.org:993 </dev/null

(For protocols using the STARTTLS directive such as SMTP, you'll have to call
s_client with '-starttls smtp'.  Another useful option is '-showcerts', which
prints the whole server certificate chain.)

You'll find the X.509 certificate wrapped between

    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----

If you store it (including the delimiters) into /path/to/certificate.pem,
you can then ensure that its fingerprints match the ones above:

    openssl x509 -in /path/to/certificate.pem -noout -fingerprint -sha1
    openssl x509 -in /path/to/certificate.pem -noout -fingerprint -sha256

Alternatively, using a pipe:

    openssl s_client -connect imap.fripost.org:993 </dev/null \
    | openssl x509 -noout -fingerprint -sha256

Also refer to the [[signed version of this page|certs.asc]]