SSL fingerprint does not match, even from localhost
Tags: ssl, authn, ldap, security
Posted 19 August 2019 - 05:40 PM
I decided to be a good admin and actually check the fingerprint.
I connected to my server via SSH and ran the openssl commands to get the fingerprints of "certificate.txt" for md5, sha1, and sha256.
None of them matched what P4V gave me.
Then I copied the contents of "certificate.txt" and pasted it into a few different online SSL decoders/checkers. None of them matched, including using decoders that supported sha224, sha384, and sha512.
Finally, from SSH logged directly into the server, I used the p4 command line client to connect to localhost, and it gave me the same fingerprint that P4V gave me on my desktop (which, again, does not match any fingerprint I've gotten by manually decoding with openssl). So, it does not appear to be a MitM attack.
The only thing left that I can think of is that it's using some other algorithm for the hash. What is left that is used by SSL? Are ECDSA or ED25519 used for SSL? Does anyone actually know what is used? Based on the length of the fingerprint it appears to be SHA-1.
Otherwise, I seem to have a potential security problem.
Posted 19 August 2019 - 08:48 PM
Posted 20 August 2019 - 02:23 PM
I set up a completely new test server and it does the same thing. I also tested from both Ubuntu and Windows clients, and with P4V 2018.1 and 2019.1. Same results.
So, then I connected to my server not with P4V but with the OpenSSL client itself, and the fingerprint I got that way did match. So, P4V seems to be the problem.
Posted 24 August 2019 - 08:03 PM
On your Perforce server, you can use the command...
...and it'll output the fingerprint you're looking for, which does match what I see being reported by P4V. Still, no idea what hash/digest method is being used.
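Added example, not part of any post in this thread and not Perforce code: the thread never establishes what P4V hashes, so this sketch takes a reported fingerprint and checks it against the six digests named above, computed over two candidate inputs. Hashing the SubjectPublicKeyInfo as well as the whole certificate is an assumption about where to look, all function names are hypothetical, and the sample is a constructed DER skeleton rather than a real certificate.

```python
import hashlib, re

ALGS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_der(cert):
    """Slice SubjectPublicKeyInfo (header included) out of a certificate."""
    _, pos, _ = read_tlv(cert, 0)          # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)        # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _ in range(5):                     # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    return cert[pos:read_tlv(cert, pos)[2]]

def normalize(fp):
    """'SHA1 Fingerprint=AB:CD' or 'ab cd' -> 'abcd'."""
    return re.sub(r"[^0-9a-f]", "", fp.split("=")[-1].lower())

def matching_digests(cert_der, reported):
    """List every (hashed input, algorithm) pair that yields the reported value.
    For a PEM file, convert first with ssl.PEM_cert_to_DER_cert()."""
    inputs = {"certificate": cert_der, "public key": spki_der(cert_der)}
    want = normalize(reported)
    return [(name, alg) for name, data in inputs.items()
            for alg in ALGS if hashlib.new(alg, data).hexdigest() == want]

def tlv(tag, value):
    """DER encoder for the sample below (lengths under 256 only)."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + value

def sample_cert():
    """Constructed DER with X.509 field order; not a real certificate."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    spki = seq(seq(), tlv(0x03, b"\x00" + bytes(range(139))))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))
```

An empty result means the reported value is not a plain digest of either input, which is worth knowing before treating a mismatch as a sign of interception.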