
How can I get the Certificate hashes value? #36

Closed
IceCodeNew opened this issue Aug 15, 2019 · 13 comments

Comments

@IceCodeNew

I've just set up a rust-doh server successfully. As I'm filling in a table here to get an encoded DNS Stamp, the Certificate hash (SHA256) field has confused me.

As far as I can see, two comma-separated hashes of the certificate have been encoded in Cloudflare's DNS Stamp; I have no idea how they are generated, nor which certificate's fingerprint could match one of them.

@IceCodeNew (Author)

I tried to run the command $ openssl x509 -noout -fingerprint -sha256 -inform pem -in cert.pem . Here the output is as long as either part of the certificate hashes in Cloudflare's DNS Stamp,
but I'm not sure if I'm on the right path ;-P

What I get

SHA256 Fingerprint=89:45:15:CF:52:7B:8C:6E:4D:B7:79:DB:12:78:B6:35:84:0C:07:CC:08:59:4E:BE:CA:B2:77:6C:3C:B5:1D:31

The example to compare

10d93c9864a521f3065cc3a522509c2afabb01581cad9c6d8e89fdd75f9ea747,eb7525f88f0d9458f81a995019bfd34cb89ccdc957e7b0ef315f10f897638118

@jedisct1 (Member)

Hi,

You can create a stamp without the hashes first, check that everything works as expected, then use the following command to print the hashes:

dnscrypt-proxy -show-certs 

@jedisct1 (Member)

And if you're using Let's Encrypt, that would be the hashes of the Let's Encrypt certificates signing your certificates.

@IceCodeNew (Author)

> Hi,
>
> You can create a stamp without the hashes first, check that everything works as expected, then use the following command to print the hashes:
>
> dnscrypt-proxy -show-certs

$ ./dnscrypt-proxy -show-certs

flag provided but not defined: -show-certs
Usage of ./dnscrypt-proxy:
  -check
        check the configuration file and exit
  -child
        Invokes program as a child process
  -config string
        Path to the configuration file (default "dnscrypt-proxy.toml")
  -json
        output list as JSON
  -list
        print the list of available resolvers for the enabled filters
  -list-all
        print the complete list of available resolvers, ignoring filters
  -logfile string
        Write logs to file
  -loglevel value
        Log level (0-6) (default 2)
  -netprobe-timeout int
        Override the netprobe timeout (default 60)
  -pidfile string
        If specified, write pid to file.
  -resolve string
        resolve a name using system libraries
  -service string
        Control the system service: ["start" "stop" "restart" "install" "uninstall"]
  -syslog
        Send logs to the local system logger (Eventlog on Windows, syslog on Unix)
  -version
        print current proxy version

$ ./dnscrypt-proxy -version

2.0.25

$ uname -a

Linux ubuntu-s-1vcpu-1gb-sgp1-01 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Thanks for replying so soon.
Here I got a FLAG NOT DEFINED error; any idea?

@IceCodeNew (Author)

> And if you're using Let's Encrypt, that would be the hashes of the Let's Encrypt certificates signing your certificates.

If I didn't get you wrong, there could be loads of DoH servers sharing the same certificate hash, as long as they use a certificate signed by the Let's Encrypt Authority X3 root certificate to handle the HTTPS traffic. Am I right?

Also, it is difficult for me to find out what the hashes of the Let's Encrypt certificates are. I think they might lie somewhere in this statement, but I just fail to spot them.

@jedisct1 (Member)

jedisct1 commented Aug 15, 2019

Correct. But this will prevent MITM attacks using certificates signed by a different authority, as recently happened in Kazakhstan.

Ah, indeed, that feature was introduced after version 2.0.25 was released.

You can do this, then:

env SHOW_CERTS=1 dnscrypt-proxy -loglevel 0

@IceCodeNew (Author)

IceCodeNew commented Aug 15, 2019

> Correct. But this will prevent MITM attacks using certificates signed by a different authority, as recently happened in Kazakhstan.

Got it, that hash brings the advantage of the DNSCrypt protocol to the DoH protocol! I'd say that's an awesome part of the DNS Stamp design.

> Ah, indeed, that feature was introduced after version 2.0.25 was released.
>
> You can do this, then:
>
> env SHOW_CERTS=1 dnscrypt-proxy -loglevel 0

$ env SHOW_CERTS=1 /etc/dnscrypt-proxy/dnscrypt-proxy -loglevel 0

[2019-08-15 18:54:59] [FATAL] listen udp 127.0.0.1:53: bind: address already in use

$ ./dnscrypt-proxy -service stop

[2019-08-15 18:55:17] [NOTICE] dnscrypt-proxy 2.0.25
[2019-08-15 18:55:17] [NOTICE] Service stopped

$ env SHOW_CERTS=1 /etc/dnscrypt-proxy/dnscrypt-proxy -loglevel 0

(there is just nothing)


Have I done something wrong?

@jedisct1 (Member)

Maybe you changed log_file = ... or use_syslog = in the configuration file and the logs are being written elsewhere?

@IceCodeNew (Author)

IceCodeNew commented Aug 15, 2019

Negative, I actually kept the logging flags untouched, just as they are set in the example configuration file.

@IceCodeNew (Author)

I've just built dnscrypt-proxy from source, so the client now supports the -show-certs flag.
But to my surprise, the command ./dnscrypt-proxy -show-certs doesn't turn up any results.

$ ./dnscrypt-proxy -show-certs

(just nothing to show)

$ ./dnscrypt-proxy -list

mydomain.tld
quad9-dnscrypt-ip4-filter-pri
cloudflare

$ tail dnscrypt-proxy.toml

## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.

[static]

  # [static.'google']
  # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
  [static.'mydomain.tld']
  stamp = 'sdns://AgcAAAAAAAAAD*************************************************F1ZXJ5'

@IceCodeNew (Author)

IceCodeNew commented Aug 15, 2019

$ ./dnscrypt-proxy -show-certs

[2019-08-15 20:36:51] [NOTICE] Source [public-resolvers.md] loaded
[2019-08-15 20:36:51] [NOTICE] dnscrypt-proxy 2.0.25
[2019-08-15 20:36:52] [NOTICE] Advertised cert: [CN=mydomain.tld] [5e66********************************************************53f1]
[2019-08-15 20:36:52] [NOTICE] Advertised cert: [CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US] [3e1a********************************************************b838]
[2019-08-15 20:36:52] [NOTICE] [mydomain.tld] OK (DoH) - rtt: 39ms
[2019-08-15 20:36:52] [NOTICE] Server with the lowest initial latency: mydomain.tld (rtt: 39ms)

The proper hash value cannot be found on any of the sites I mention below. If you are facing the same question I raised here, ./dnscrypt-proxy -show-certs would be the best way to solve it.

While generating the new DNS stamp, fill 5e66********************************************************53f1,3e1a********************************************************b838 into the blank.


Got an idea. Just check your domain on the SSL Labs site, and the result page will show the hash of the intermediate certificate (in this case it's Let's Encrypt Authority X3).
> Subject Let's Encrypt Authority X3
> Fingerprint SHA256: 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d

Also, you can check it here, which gives you more detail about the certificate, so you are less likely to get confused about which certificate's info you really need.
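As an added example (not code from this thread or from dnscrypt-proxy), the Go program below computes the value a DoH stamp carries for each certificate in a PEM chain: the SHA-256 of the certificate's TBSCertificate (the signed body, without the outer signature), which is what dnscrypt-proxy logs as "Advertised cert", and why the output of openssl x509 -fingerprint -sha256, a hash of the whole DER, never matches it. It generates a throwaway self-signed certificate as constructed input so it runs offline; feed StampHashes your own chain file (for Let's Encrypt, fullchain.pem) to get the leaf and intermediate values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// StampHashes returns, for each certificate in a PEM bundle (leaf first, then the
// intermediates), the hex SHA-256 of its TBSCertificate: the value dnscrypt-proxy
// logs as "Advertised cert" and the value the stamp's hash field is built from.
func StampHashes(pemBundle []byte) (hashes []string, err error) {
	for b, rest := pem.Decode(pemBundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // skip a private key or anything else sharing the file
		}
		cert, perr := x509.ParseCertificate(b.Bytes)
		if perr != nil {
			return nil, perr
		}
		sum := sha256.Sum256(cert.RawTBSCertificate)
		hashes = append(hashes, hex.EncodeToString(sum[:]))
	}
	return hashes, nil
}

// OpenSSLFingerprint is the whole-DER hash that openssl x509 -fingerprint -sha256 prints (minus colons).
func OpenSSLFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// ConstructedCertDER is a throwaway self-signed certificate (constructed sample input) so this runs offline.
func ConstructedCertDER() ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, _ := ConstructedCertDER()
	hashes, _ := StampHashes(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	fmt.Printf("stamp value: %s\nopenssl -fingerprint: %s\n", hashes[0], OpenSSLFingerprint(der))
}
```

Web tools such as SSL Labs, and browser certificate viewers, display the whole-DER fingerprint (the OpenSSLFingerprint value here), so the number they show is not the one the stamp form expects.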

@jedisct1 (Member)

Not having any output is unexpected.

Maybe the configuration file has log_level raised? By default, it's set to 2.

@IceCodeNew IceCodeNew reopened this Aug 15, 2019
@IceCodeNew (Author)

IceCodeNew commented Aug 15, 2019

> Not having any output is unexpected.
>
> Maybe the configuration file has log_level raised? By default, it's set to 2.

You are right: after uncommenting that line and setting log_level to 0, $ ./dnscrypt-proxy -show-certs shows the details about the Advertised cert, and that's exactly what I need.

Thank you for your response to my inquiry. I appreciate the information you have provided me with and I appreciate the prompt reply ;-)
