
If I compare the SHA-1 shown for the certificate for https://0000.jp in Chrome:

79 72 28 12 74 83 85 DE 3C B0 DE E7 A4 C3 14 BE B4 93 79 6E

with that presented by OpenSSL:

$ echo -n | openssl s_client -connect 0000.jp:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=79:72:28:12:74:83:85:DE:3C:B0:DE:E7:A4:C3:14:BE:B4:93:79:6E

then I get the same value.

If I do the same for https://google.co.uk then Chrome shows:

06 4B 11 0D 63 4A 83 E2 6B 1A 12 19 EC 04 46 F3 7C 3A 01 D7

while OpenSSL shows:

$ echo -n | openssl s_client -connect google.co.uk:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=3F:6D:D9:AB:60:92:1E:EE:D3:4C:C7:36:04:49:B2:FA:F9:E5:2D:92

There are no warnings in Chrome and I'm assuming the NSA/Russians/North Korea aren't as likely responsible as an error on my part... so what's the reason for the difference?

rich

1 Answer

They are different certificates. Google, for whatever technical and administrative reasons, uses a lot of different SSL certificates from several different roots.

Most likely your two tests hit two different Google servers. They have a lot of servers with various load balancing methods, so requests don't always go to the same server.

Trying both methods of viewing the certificate by connecting to the same IP address instead of the domain might make them both connect to the same server and show the same hash.

As long as both certificates are valid, don't show any warnings, and come from well known certificate authorities, everything is fine. Nothing to worry about.

Grant
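The check the answer suggests, done systematically, as an added example that is not code from the asker or the answerer: resolve the name to every address in the pool, connect to each address individually while still sending the hostname in SNI (which is what Chrome does; older `openssl s_client` builds send no SNI unless you pass `-servername`, and a server may pick a different certificate without it), and print the fingerprint each address serves. The `fingerprint` helper reproduces what `openssl x509 -fingerprint` prints: the hash is taken over the raw DER bytes of the whole certificate, so two certificates that merely share a subject still get different fingerprints. `normalize` turns Chrome's space-separated form and OpenSSL's `SHA1 Fingerprint=` colon-separated form into one comparable string. The target host `google.co.uk` is taken from the question; the port and timeout are assumptions.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated, upper-case hex digest of a DER-encoded certificate.

    This is what `openssl x509 -noout -fingerprint` prints: the digest of the
    complete DER encoding, so any difference in key, serial, validity or
    signature changes the value.
    """
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Reduce 'SHA1 Fingerprint=79:72:..' or '79 72 28 ..' to bare upper-case hex."""
    value = fp.split("=", 1)[-1]            # drop a 'SHA1 Fingerprint=' prefix if present
    return "".join(c for c in value if c.isalnum()).upper()


def same_cert(fp_a: str, fp_b: str) -> bool:
    """True when two differently formatted fingerprints name the same certificate."""
    return normalize(fp_a) == normalize(fp_b)


def resolve(host: str, port: int = 443) -> list:
    """Every IPv4/IPv6 address the name currently resolves to (the balancer pool)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_cert(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect to one specific address but send SNI for `host`, as a browser does.

    The default context also validates the chain and hostname, so an invalid
    certificate raises ssl.SSLCertVerificationError instead of being hashed.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprints_per_address(host: str, port: int = 443, algo: str = "sha1") -> dict:
    """Map each address in the pool to the fingerprint of the leaf it serves."""
    return {ip: fingerprint(fetch_cert(host, ip, port), algo) for ip in resolve(host, port)}


if __name__ == "__main__":
    import sys

    # Host from the question; port 443 and the 5 s timeout are assumptions.
    target = sys.argv[1] if len(sys.argv) > 1 else "google.co.uk"
    for ip, fp in fingerprints_per_address(target).items():
        print(f"{ip:40} {fp}")
```

Run it as `python3 fingerprints.py google.co.uk` (network access required). If several addresses print different fingerprints, the difference the question observed is just the pool serving more than one certificate; if one address still disagrees with Chrome, compare the SNI behaviour of your OpenSSL build before suspecting anything else.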