Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Vanwege onderhoudswerkzaamheden die uw ervaring zouden moeten verbeteren, heeft deze website beperkte functionaliteit. Als een artikel uw probleem niet verhelpt en u een vraag wilt stellen, kan onze ondersteuningsgemeenschap u helpen in @FirefoxSupport op Twitter en /r/firefox op Reddit.

Zoeken in Support

Vermijd ondersteuningsscams. We zullen u nooit vragen een telefoonnummer te bellen, er een sms naar te sturen of persoonlijke gegevens te delen. Meld verdachte activiteit met de optie ‘Misbruik melden’.

Meer info

Deze conversatie is gearchiveerd. Stel een nieuwe vraag als u hulp nodig hebt.

Website fingerprint does not match for DNS Over HTTPS for cloudflare

  • 11 antwoorden
  • 1 heeft dit probleem
  • 17 weergaven
  • Laatste antwoord van Mace2

more options

Each web site has its own signature. When I find the signature of https://one.one.one.one/help (used to very DNS over HTTPS for cloudflare) by using https://www.grc.com/fingerprints.htm it does not match. The signature I get is sha1 by Comodo 5B:20:E3:43:13:69:94:69:68:B4:56:4A:5C:50:32:12:B7:3B:CF:2C

The GRC website gives a fingerprint for one.one.one.one/help as ssl920621.cloudflaressl.com — 01:31:4A:78:20:82:00:D4:40:AC:55:B9:41:92:08:76:81:A4:0C:B8

Anyone know why the difference?

Each web site has its own signature. When I find the signature of https://one.one.one.one/help (used to very DNS over HTTPS for cloudflare) by using https://www.grc.com/fingerprints.htm it does not match. The signature I get is sha1 by Comodo 5B:20:E3:43:13:69:94:69:68:B4:56:4A:5C:50:32:12:B7:3B:CF:2C The GRC website gives a fingerprint for one.one.one.one/help as ssl920621.cloudflaressl.com — 01:31:4A:78:20:82:00:D4:40:AC:55:B9:41:92:08:76:81:A4:0C:B8 Anyone know why the difference?

Alle antwoorden (11)

more options

Each SSL certificate has its own signature.

When I check the site's certificate by visiting the page and using:

right-click > View Page Info > Security tab > View Certificate

I get:

Common name: ssl920622.cloudflaressl.com

SHA1 Fingerprint: 5B:20:E3:43:13:69:94:69:68:B4:56:4A:5C:50:32:12:B7:3B:CF:2C

If GRC shows a different Common name, that's a different certificate. Probably some kind of CDN/Load Balancing thing.

Bewerkt door jscher2000 - Support Volunteer op

more options

The certificate fingerprint should alway be the same as it is tied to the certificate and does not matter how many load balanacers. An example is youtube.

My certificate is as enclosed and does not match official fingerprint from GRC.

more options

Mace2 said

My certificate is as enclosed and does not match official fingerprint from GRC.

How did you get that certificate for cloudflare-dns.com?

Neither of us got that certificate yesterday.

more options

While connected directly to my ISP vmedia I simply go to one.one.one.one/help and look at the certificate information.

I now get your SHA1 Fingerprint: 5B:20:E3:43:13:69:94:69:68:B4:56:4A:5C:50:32:12:B7:3B:CF:2C as of Oct-10-2019. I would not expect the fingerprint to change.

however it still doesn't match GRC fingerprint which still remains one.one.one.one ssl920621.cloudflaressl.com — 01:31:4A:78:20:82:00:D4:40:AC:55:B9:41:92:08:76:81:A4:0C:B8

more options

Compare the certificate common names.

more options

I don't think the common name matters. The below shows both the one.one.one.one certifcate and the GRC site fingerprint. The SHA1 values should match.

more options

Mace2 said

I don't think the common name matters. The below shows both the one.one.one.one certifcate and the GRC site fingerprint. The SHA1 values should match.

They don't match because they are different certificates.

  • One is for ssl920621.cloudflaressl.com
  • One is for ssl920622.cloudflaressl.com
more options

Yes. I know but I only enter one site for verification of the fingerprint.

Is there a method to verify the fingerprint for one.one.one.one ?

more options

Becuase I cannot verify the fingerprint and consider this a possible security issue I will state what I did again.

I am only checking ONE fingerprint. The fingerprint I am checking is for https://one.one.one.one the fingerprint vale for that site is sha1:66:56:84:01:72:B4:FB:BC:D6:D0:A4:A1:03:49:1E:93:00:4D:19:5F

To verify that the site fingerprint is correct I go to the web site by GRC.comhttps://www.grc.com/fingerprints.htm” and it tells me the fingerprint is incorrect the value for sha1 is 01:31:4A:78:20:82:00:D4:40:AC:55:B9:41:92:08:76:81:A4:0C:B8.

The issue I have is the mismatch with the fingerprint sha1 values

more options

A different fingerprint indicates a different certificate. You and GRC get different certificates for the same host name. What could explain that?

If you think GRC is authoritative, please ask them how it's possible.

more options

When the GRC performs a certificate validation for any site other than Cloudflare the fingeprint value (SHA1 value) always matches. Cloudflare is the only site that I came across that does not validate.

The website https://one.one.one.one/ is both a web site and a D.O.H. address. I am only comparing GRC fingerprint to value sha1 01:31:4A:78:20:82:00:D4:40:AC:55:B9:41:92:08:76:81:A4:0C:B8 and it does not match the cloudflare certificate value.

I will see if I can pose the question to GRC.