How can I get the Certificate hashes value? #36

I've just set up a rust-doh server successfully. As I'm filling in a table here to get an encoded DNS Stamp, the Certificate hash (SHA256) blank has confused me.
As I can see, there are two comma-separated hashes of the certificate encoded in Cloudflare's DNS Stamp; I have no idea how they are generated, nor which certificate's fingerprint could match one of them.

Comments

I tried to run the command
What I get
The example to compare

Hi, you can create a stamp without the hashes first, check that everything works as expected, then use the following command to print the hashes: dnscrypt-proxy -show-certs
And if you're using Let's Encrypt, that would be the hashes of the Let's Encrypt certificates signing your certificates.

If I didn't get you wrong, there could be loads of DoH servers sharing the same certificate hash, as long as they use the certificate signed by the Let's Encrypt Authority X3 root certificate to handle the HTTPS traffic. Am I right? Also, it is difficult for me to find out what the hashes of the Let's Encrypt certificates are. I think they might lie somewhere in this statement, but I just fail to spot them.

Correct. But this will prevent MITM attacks using certificates signed by a different authority, as recently happened in Kazakhstan.
Ah indeed, that feature was introduced after version
You can do this, then: env SHOW_CERTS=1 dnscrypt-proxy -loglevel 0

Got it, that hash will bring the advantage of the DNSCrypt protocol to the DoH protocol! I'd say that's an awesome part of the design of DNS Stamps.

Maybe you changed

Negative, I actually keep these logging flags untouched, just as they are set in the example configuration file.

I've just built dnscrypt-proxy from source code, so the client supports the -show-certs flag.

Not having any output is unexpected. Maybe the configuration file has

You are right, after uncommenting that line and adjusting the log_level to 0,
Thank you for your response to my inquiry. I appreciate the information you have provided me with and I appreciate the prompt reply ;-)
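To see where the comma-separated hashes the issue asks about actually live, here is an added example (not rust-doh or dnscrypt-proxy code) that builds and parses a DoH DNS Stamp: protocol byte 0x02, 64-bit little-endian properties, a length-prefixed address, the set of certificate hashes, then hostname and path. Decoding a stamp such as Cloudflare's with it yields the hashes as hex, which can then be compared with what dnscrypt-proxy -show-certs prints; the address, hostname and hash values used in the test are constructed placeholders.

```python
import base64
import struct

SDNS_DOH = 0x02  # stamp protocol identifier for DNS-over-HTTPS

def _lp(value: bytes) -> bytes:
    # LP(x): one length byte followed by the bytes themselves
    return bytes([len(value)]) + value

def _vlp(items: list) -> bytes:
    # VLP(x1..xn): like LP, but every length byte except the last has bit 7 set;
    # an empty set is encoded as a single 0x00 byte
    return b"".join(bytes([len(v) | (0x80 if i < len(items) - 1 else 0)]) + v
                    for i, v in enumerate(items)) or b"\x00"

def encode_doh_stamp(addr: str, hashes: list, hostname: str, path: str, props: int = 0) -> str:
    # props bits: 1 = DNSSEC, 2 = no logs, 4 = no filter; stored as a little-endian uint64
    body = (bytes([SDNS_DOH]) + struct.pack("<Q", props) + _lp(addr.encode())
            + _vlp([bytes(h) for h in hashes]) + _lp(hostname.encode()) + _lp(path.encode()))
    # stamps are URL-safe base64 without padding
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()

def decode_doh_stamp(stamp: str) -> dict:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    text = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    if len(raw) < 9 or raw[0] != SDNS_DOH:
        raise ValueError("not a DoH stamp")
    pos = 9  # skip the protocol byte and the 8 property bytes
    def take(n: int) -> bytes:
        nonlocal pos
        chunk = raw[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stamp")
        pos += n
        return chunk
    addr = take(take(1)[0]).decode()
    hashes = []  # each entry is a 32-byte SHA256 digest; returned as hex for comparison
    while True:
        n = take(1)[0]
        if n & 0x7F:
            hashes.append(take(n & 0x7F).hex())
        if not n & 0x80:
            break
    hostname = take(take(1)[0]).decode()
    path = take(take(1)[0]).decode()
    return {"props": struct.unpack("<Q", raw[1:9])[0], "addr": addr,
            "hashes": hashes, "hostname": hostname, "path": path}
```

With props=7 the encoded stamp begins with sdns://AgcAAAAAAAAA, the same prefix seen on public DoH stamps that set DNSSEC, no-logs and no-filter.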