diff --git a/src/infra/net/ssrf.test.ts b/src/infra/net/ssrf.test.ts
index 637bd5c2e9e..b939cbd8ba8 100644
--- a/src/infra/net/ssrf.test.ts
+++ b/src/infra/net/ssrf.test.ts
@@ -1,6 +1,5 @@
 import { describe, expect, it } from "vitest";
 import { blockedIpv6MulticastLiterals } from "../../shared/net/ip-test-fixtures.js";
-import { normalizeFingerprint } from "../tls/fingerprint.js";
 import { isBlockedHostnameOrIp, isPrivateIpAddress } from "./ssrf.js";

 const privateIpCases = [
@@ -102,14 +101,6 @@ describe("ssrf ip classification", () => {
 });
 });

-describe("normalizeFingerprint", () => {
- it("strips sha256 prefixes and separators", () => {
- expect(normalizeFingerprint("sha256:AA:BB:cc")).toBe("aabbcc");
- expect(normalizeFingerprint("SHA-256 11-22-33")).toBe("112233");
- expect(normalizeFingerprint("aa:bb:cc")).toBe("aabbcc");
- });
-});
-
 describe("isBlockedHostnameOrIp", () => {
 it.each([
 "localhost.localdomain",
diff --git a/src/infra/tls/fingerprint.test.ts b/src/infra/tls/fingerprint.test.ts
new file mode 100644
index 00000000000..658eaecd78e
--- /dev/null
+++ b/src/infra/tls/fingerprint.test.ts
@@ -0,0 +1,20 @@
+import { describe, expect, it } from "vitest";
+import { normalizeFingerprint } from "./fingerprint.js";
+
+describe("normalizeFingerprint", () => {
+ it("strips sha256 prefixes and common separators", () => {
+ expect(normalizeFingerprint("sha256:AA:BB:cc")).toBe("aabbcc");
+ expect(normalizeFingerprint("SHA-256 11-22-33")).toBe("112233");
+ expect(normalizeFingerprint("aa:bb:cc")).toBe("aabbcc");
+ });
+
+ it("handles blank, non-hex, and mixed punctuation input", () => {
+ expect(normalizeFingerprint(" ")).toBe("");
+ expect(normalizeFingerprint("sha256:zz-!!")).toBe("");
+ expect(normalizeFingerprint(" sha256 : AB cd / 12 ")).toBe("abcd12");
+ });
+
+ it("only strips the sha256 prefix at the start of the value", () => {
+ expect(normalizeFingerprint("prefix sha256:AA:BB")).toBe("efa256aabb");
+ });
+});
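Review bot: The new cases in `fingerprint.test.ts` pin that malformed input is silently reduced rather than rejected (`"sha256:zz-!!"` and a blank string both become `""`, and `"prefix sha256:AA:BB"` becomes `"efa256aabb"`), but nothing in the file states how a caller must treat such results. If this helper feeds a certificate-pin comparison, which the `tls/` path suggests but the diff does not show, an empty or short normalized value must never count as a match, because unrelated malformed inputs can normalize to the same string. I would document that contract above the second `it` block, for example `// normalizeFingerprint does not validate: callers must reject "" and any result that is not 64 hex characters before comparing.`, and confirm that the comparison site enforces it.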