One.one.one.one fingerprint mismatch

When I go to the one.one.one.one/help site and verify the sites fingerprint using GRC https://www.grc.com/fingerprints.htm I get a sha1 signature that doesn’t match.

The fingerprint sections should match in this case sha1. this was performed from my home network through my ISP Vmedia so i cannot understand why the fingerprint mismatch.

Note how the certificates’ CNs are different. You are having two different certificates here.

This is most likely not because the server offers a different certificate to you than to that website, but rather because you hit a completely different data centre than that website. Remember, on Cloudflare’s network an IP address does not point to one single machine, but an entire array of them.

I understand that the ip doesn’t point to the same machine hence why its a CDN. However the certificate is verified by the sha1fingerpint hash and I should always be able to verify a site. How would I find the site that I go to when i type one.one.one.one? What is the sha1 fingerprint for that site as I can never get a match.

I am not sure about your question.

What does the DNS server have to do with “the site” you are visiting? You get two different fingerprints here because you are checking two different certificates.

What is it you are trying to achieve?

I am only checking ONE fingerprint. The fingerprint I am checking is for https://one.one.one.one the fingerprint vale for that site is sha1:66:56:84:01:72:B4:FB:BC:D6:D0:A4:A1:03:49:1E:93:00:4D:19:5F

To verify that the site fingerprint is correct I go to the web site by GRC.comhttps://www.grc.com/fingerprints.htm” and it tells me the fingerprint is incorrect the value for sha1 is 01:31:4A:78:20:82:00:D4:40:AC:55:B9:41:92:08:76:81:A4:0C:B8.

The issue I have is the mismatch with the fingerprint sha1 values

Please re-read what I wrote five days ago. I addressed that precise issue.

No that’s not the issue.

As @sandro mentioned your screenshots show 2 different SSL certificates. The CN for each cert is different. There are multiple reasons we may present different certificates to different clients, but the fingerprint from certificate A will not match the fingerprint of certificate B.

No idea how the tool you’re using works, but it isn’t comparing the same certificate as you see in your browser, so the certificate mismatch is expected. If you read the text under the fingerprint it explicitly calls out to check the certificate name is identical… they are not.

There are not two different certificates. The first shows cloudflares general infomration then the “view certificate” button is pressed to reveal the other window titled “certificate viewer ssl…”

Also when downloading a large file and only through cloudflare the download will be interupted. When I click on “retry download” in firefox it fails. this is becuase the network to the file is no longer available.

Of course there are. I already wrote more than a week ago that you should check the common names.

Again, re-read carefully what I wrote last week and you will realise why you have different fingerprints.

You have different certificates, from different machines, from different data centres. The only thing these certificates have in common is a partial overlap in SANs.

I suggest reading the documentation on GRC for HTTPS fingerprinting again PROPERLY. Its has been clearly stated the limitation of the tool by the original author in the snippet in the top section of the page:

Google and Apple are different: Some visitors are being confused by
Google’s and Apple’s certificate fingerprints which change and may not
match. Please see the “What can go wrong with this test?” section at
the bottom of this page for an explanation of the complexities.

And in the “What can go wrong with this test?” section on the page, he explains in detail the cases for "False-Positive Mismatches’

I have read that section. Perhaps you can explain in this case what went wrong? Why does the SHA fingerprint not match?

I

Ehm, that has been only explained five times so far. I am really not sure what is still unclear.

For the third time, go back to the very beginning of this very thread and re-read the responses you have got.

Nothing went wrong. You simply do not understand what a certificate fingerprint is. A cert’s fingerprint is a hash / digest / or (to over simply things) a short string of text that uniquely represents the contents of the certificate. There are other things in a certificate other than the cert’s common name/domain name/SAN; one very important information that a certificate contains is the public key. No two certs generated has the same public key pair. Hence no two cert will ever have the exactly same content, and when the contents of the cert are put into a cryptographic hash/digest function to generate the fingerprint; they will produce a different result.

Fingerprint mismatch = not the same cert.

Anyone who has tried generating their own cert will know, even if you generate both certs for the same domain, everytime you generate a new cert their fingerprints will be different, as a different public/private key pair is generated.

Please read up on public key cryptography and cryptographic hash function for further understanding on the subject matter. GRC’s author Steve Gibson has done an excellent audio podcast on those topics: Security now #34 and #35

1 Like

:wave: @user578,

Sorry to hear you are having difficulties with this issue. If you check the SNI certificate name from your screenshots vs the screenshot of your testing tool you will see the sni****** values are different in the certificate name are different. As multiple respondents have pointed out the fingerprints of different certificates are different.

– OG

The purpose of the GRC fingerprint is to provide validation that the site I am connected to is valid. There should be only one value that matches the fingerprint. I understand in some cases sites with multiple certificate may not validate.

however the site https://one.one.one.one is both a web site and a D.O.H. site. Since it is a web site I expected the GRC SHA1 value to match. This site is the only web site I have not been able to validate. Can Cloudflare site be SHA1 fingerprint validated ?

I am aware they do not match and they are different. I exepcted it to match but on my home ISP network Vmeda.ca It does not match.

:wave: @user578,

…may not validate using that tool.

I am not sure what the distinction is that you are attempting to make.

If the tool was retrieving the same certificate as your browser, they would. However it is not. So they don’t.

Your web browser is already doing that in the screenshot you provided. https://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified

You can do the same thing using a command line tool such as openssl if you with https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/

– OG

I was using GRC web site validation of HTTPS sites. When I enter the https site https://one.one.one.one into “https://www.grc.com/fingerprints.htm” I get a SHA1 signature of 01:31:4A:78:20:82:00:D4:40:AC:55:B9:41:92:08:76:81:A4:0C:B8. this does not match the actual signature I receive on my Firefox browser of 5B:20:E3:43:13:69:94:69:68:B4:56:4A:5C:50:32:12:B7:3B:CF:2C.

Why does the https://one.one.one.one web site not match the https authentication value provided by GRC?

The various Cloudflare nodes are known to serve different certificates.

I opened a forum issue named “One.one.one.one fingerprint mismatch” and it was closed after 4 days in which I could not provide a reply.

I thought forum items remained open for 30 days?

Hi @user578,

It was closed because the thread was going round and round in circles. The same answer was provided by multiple users, but the thread kept going.

Not all threads remain open for 30 days, it depends on the category and whether the issue has been resolved.

I will re-open it now, but please be aware that it may be closed again if the thread keeps repeating itself.