Does TOFU actually work?
Emilis
emilis at emilis.net
Sat Nov 28 16:39:58 GMT 2020
On 11/28/20 5:14 PM, Ben Burwell wrote:
> Those logs do look a little funky, but luckily we don't need to rely on
> IP addresses to check your hypothesis: all you need to do is match the
> fingerprint/hash of the cert being presented by Lagrange with the hash
> of the cert generated on your server. If they don't match, then you have
> definitively been MITM'd.
I can't match the server certificate to its browser fingerprint.
I am not sure I am using the correct methods.
My Lagrange `.config/lagrange/trusted.txt` has this line:
```
naujenai.lt 1638096010 95c34bf23ad26f64627138875ce2b251048fcfea9be905a7c9915325fb0e3546
```
I attached my `naujenai.lt.crt` which was generated by gmnisrv.
I ran these commands on the certificate file:
```
$ openssl x509 -in naujenai.lt.crt -noout -fingerprint -sha256
SHA256 Fingerprint=83:D8:96:B8:83:2B:D7:04:A2:E1:36:78:15:4B:1D:4F:30:A1:13:22:79:57:AD:68:A8:70:2B:49:9F:1D:D0:65
```
```
$ openssl x509 -in naujenai.lt.crt -outform DER -out naujenai.lt.der
$ sha256sum naujenai.lt.der
83d896b8832bd704a2e13678154b1d4f30a113227957ad68a8702b499f1dd065  naujenai.lt.der
```
Lagrange seems to be using sha256 fingerprints, but I am not a C
developer so I can't be sure:
https://git.skyjake.fi/skyjake/the_Foundation/src/branch/master/src/tlsrequest.c#L310
--
Emilis Dambauskas
gemini://tilde.team/~emilis/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: naujenai.lt.crt
Type: application/pkix-cert
Size: 574 bytes
Desc: not available
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20201128/c0186d84/attachment.cer>
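The two `openssl` commands above both hash the DER encoding of the whole certificate, which is what a SHA-256 "certificate fingerprint" normally means. A client can instead pin the SHA-256 of the certificate's subjectPublicKeyInfo, and the two values never agree. The script below is an added example, not part of this thread and not Lagrange or the_Foundation code; it is an assumption on my part that Lagrange's `trusted.txt` hash is one of these two candidates, so the script computes both from a PEM file and reports which one matches a `trusted.txt` entry. It uses only the standard library, with a minimal DER walker to locate subjectPublicKeyInfo (RFC 5280 section 4.1), and includes a constructed, self-signed-looking dummy certificate so it runs offline; that dummy is not a real certificate.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER bytes openssl hashes."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def der_read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the full TLV of subjectPublicKeyInfo from a DER X.509 certificate."""
    tag, start, _ = der_read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_read_tlv(cert_der, start)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, ve = der_read_tlv(cert_der, pos)         # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = ve
    for _ in range(5):                               # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read_tlv(cert_der, pos)
    tag, _, ve = der_read_tlv(cert_der, pos)         # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return cert_der[pos:ve]


def fingerprints(cert_der: bytes) -> dict:
    """Both SHA-256 candidates: whole-certificate DER and subjectPublicKeyInfo DER."""
    return {
        "cert_sha256": sha256_hex(cert_der),
        "spki_sha256": sha256_hex(extract_spki(cert_der)),
    }


def parse_trusted_line(line: str):
    """A trusted.txt line as shown in the thread: '<host> <expiry-unix-time> <sha256-hex>'."""
    host, expiry, hexhash = line.split()
    return host, int(expiry), hexhash.lower()


def matches_trusted(cert_der: bytes, trusted_hex: str) -> list:
    """Names of the candidate fingerprints equal to the trusted.txt hash (colon/case-insensitive)."""
    want = trusted_hex.lower().replace(":", "")
    return [name for name, h in fingerprints(cert_der).items() if h == want]


# --- constructed dummy certificate (NOT a real or valid cert; only for an offline demo) ---
def der_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_demo_cert():
    """Return (cert_der, spki_der) for a structurally valid but unsigned dummy certificate."""
    ecdsa_sha256 = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))      # fake EC point, constructed
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + ecdsa_sha256 + der_tlv(0x30, b"")
                  + der_tlv(0x30, der_tlv(0x17, b"201128000000Z") + der_tlv(0x17, b"211128000000Z"))
                  + der_tlv(0x30, b"") + spki)
    cert = der_tlv(0x30, tbs + ecdsa_sha256 + der_tlv(0x03, b"\x00\x30\x06\x02\x01\x01\x02\x01\x02"))
    return cert, spki


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: script.py server.crt "<host> <expiry> <hex>"   (a line from trusted.txt)
    if len(sys.argv) == 3:
        der = pem_to_der(open(sys.argv[1]).read())
        host, _, trusted = parse_trusted_line(sys.argv[2])
    else:
        der, _ = build_demo_cert()
        host, trusted = "demo", fingerprints(der)["spki_sha256"]
    for name, h in fingerprints(der).items():
        print(f"{name}: {h}")
    print(f"{host}: matches {matches_trusted(der, trusted) or 'nothing'}")
```

If neither candidate equals the `trusted.txt` value, the client did not see this certificate file (a different key on the server, a re-generated cert, or an interposed one); if `spki_sha256` matches while the `openssl -fingerprint` output does not, the disagreement in the thread is just a difference in what is being hashed, not a MITM.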