Re: [stunnel-users] Verify = 4 Fails Yet Again

On 2013-10-25 00:33, Thomas Eifert wrote:

Here's my own test configuration:

debug = 7 fips = no delay = yes output = stunnel.log

[nntps.6] client = yes cafile = peer-nntps.6.pem verify = 4 accept = 127.0.0.1:119 connect = news80.forteinc.com:443

Now I could reproduce it and the solution was trivial: your news80 host was configured to use a different (older) certificate.

$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null | openssl x509 -text Certificate: Data: Version: 3 (0x2) Serial Number: 2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17 Signature Algorithm: sha1WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA Validity Not Before: May 2 00:00:00 2011 GMT Not After : Jul 9 23:59:59 2013 GMT Subject: C=US/postalCode=92026, ST=California, L=Escondido/street=2223 Bent Tree Place, O=Forte Internet Software, Inc., OU=Internet Services, OU=Comodo PremiumSSL Wildcard, CN=*.forteinc.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73: 85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34: 0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9: 42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a: d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84: 6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8: 0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2: 64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34: 73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1: 6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c: 6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60: 83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b: 45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08: 2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66: af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2: 3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12: 4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f: 1a:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier:

keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B

X509v3 Subject Key Identifier: C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.1.3.4 CPS: https://secure.comodo.com/CPS

X509v3 CRL Distribution Points:

Full Name:

URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl

Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com

X509v3 Subject Alternative Name: DNS:*.forteinc.com, DNS:forteinc.com Signature Algorithm: sha1WithRSAEncryption a4:a0:d9:21:f9:a7:a0:ae:66:44:fd:34:92:ac:0f:0d:cd:62: b8:93:ec:bf:dd:0c:4d:77:31:61:3d:ff:71:52:1d:0a:23:fd: bd:52:96:d4:85:49:7a:b9:81:72:d6:86:e4:d1:5f:c1:a4:fa: 5c:1d:b2:ce:b9:f3:bc:7e:03:5d:ea:84:7a:b4:2c:26:7f:55: 6d:93:14:3c:3a:a9:34:3a:af:a8:98:8e:7b:a8:db:f0:89:5d: f5:5d:3d:e1:da:c2:f3:21:d1:be:e4:02:c4:83:c2:a2:d4:57: 61:e0:38:b2:0c:c6:e4:2c:de:12:ac:f9:c8:22:e2:6f:4d:44: 21:64:5f:10:c4:1a:58:6e:76:75:dd:e4:87:99:25:45:6b:73: 4c:ee:39:d5:88:a6:35:5b:92:3d:12:66:c4:26:fa:e8:74:bd: 54:44:a8:01:b7:a0:49:2f:8b:52:cc:60:91:47:f1:23:9f:3d: e8:f4:8e:bc:46:2e:71:60:34:7d:13:80:79:e0:46:a3:e6:bf: bf:d2:f1:3b:fb:5c:45:33:b7:c3:40:69:9a:b8:0c:06:90:1c: 53:d9:46:b7:05:e5:d8:b7:de:7f:e2:33:1f:b7:e5:67:4a:0a: 7e:8d:0e:d4:5a:03:b6:58:15:50:42:ba:92:3e:a1:00:91:1a: 5e:70:c3:2b -----BEGIN CERTIFICATE----- MIIFxDCCBKygAwIBAgIQLdcENyWcB0kp4B/xii8kFzANBgkqhkiG9w0BAQUFADCB iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx MDUwMjAwMDAwMFoXDTEzMDcwOTIzNTk1OVowgecxCzAJBgNVBAYTAlVTMQ4wDAYD VQQREwU5MjAyNjETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJRXNjb25k aWRvMR0wGwYDVQQJExQyMjIzIEJlbnQgVHJlZSBQbGFjZTEmMCQGA1UEChMdRm9y dGUgSW50ZXJuZXQgU29mdHdhcmUsIEluYy4xGjAYBgNVBAsTEUludGVybmV0IFNl cnZpY2VzMSMwIQYDVQQLExpDb21vZG8gUHJlbWl1bVNTTCBXaWxkY2FyZDEXMBUG A1UEAxQOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0Xes5fGjw7oBT yUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7KpokKao+M6AtL 0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSjkSxUsW62p6+q E+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWlK0X0yUkxbkc5 o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2bVeL052E7EjTx RvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggHGMIIBwjAfBgNVHSMEGDAWgBQ/ 1bXQ1kR5UEoXo5uMSty4sCJkazAdBgNVHQ4EFgQUwgLEas/pP7rMUfpMXPrkHEg4 SWcwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB BQUHAwEGCCsGAQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRI MEYwRKBCoECGPmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNz dXJhbmNlU2VjdXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYB BQUHMAKGPmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJh bmNlU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5j b21vZG9jYS5jb20wJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTANBgkqhkiG9w0BAQUFAAOCAQEApKDZIfmnoK5mRP00kqwPDc1iuJPsv90M TXcxYT3/cVIdCiP9vVKW1IVJermBctaG5NFfwaT6XB2yzrnzvH4DXeqEerQsJn9V bZMUPDqpNDqvqJiOe6jb8Ild9V094drC8yHRvuQCxIPCotRXYeA4sgzG5CzeEqz5 yCLib01EIWRfEMQaWG52dd3kh5klRWtzTO451YimNVuSPRJmxCb66HS9VESoAbeg SS+LUsxgkUfxI5896PSOvEYucWA0fROAeeBGo+a/v9LxO/tcRTO3w0BpmrgMBpAc U9lGtwXl2Lfef+IzH7flZ0oKfo0O1FoDtlgVUEK6kj6hAJEaXnDDKw== -----END CERTIFICATE-----

Mike