Mike,
Thanks for the follow-up.
I'm unable to access the expired certificate. I'm just using Stunnel's built-in peer certificate save function. When I do this, here's the certificate that gets saved after I connect to news80. It has a valid date range:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
        Validity
            Not Before: Jun 3 00:00:00 2013 GMT
            Not After : Aug 10 12:00:00 2016 GMT
        Subject: C=US, ST=California, L=Escondido, O=Forte Internet Software, Inc., OU=IT, CN=*.forteinc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:
                    85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:
                    0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:
                    42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:
                    d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:
                    6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:
                    0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:
                    64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:
                    73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:
                    6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:
                    6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:
                    83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:
                    45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:
                    2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:
                    af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:
                    3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:
                    4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:
                    1a:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7
            X509v3 Subject Key Identifier:
                C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
            X509v3 Subject Alternative Name:
                DNS:*.forteinc.com, DNS:forteinc.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/ca3-g22.crl
                Full Name:
                  URI:http://crl4.digicert.com/ca3-g22.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: http://www.digicert.com/ssl-cps-repository.htm
                  User Notice:
                    Explicit Text:
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
        7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91:
        8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37:
        2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4:
        f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57:
        df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8:
        6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e:
        b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da:
        f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50:
        04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d:
        7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c:
        40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76:
        89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db:
        62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24:
        49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65:
        c7:b7:3a:08
-----BEGIN CERTIFICATE-----
MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x
JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL
EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0
Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K
pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj
kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl
K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b
VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV
HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM
UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j
LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j
YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n
MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG
AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv
cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm
ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg
AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg
AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg
AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu
AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp
AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC
hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh
bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd
sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh
rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA
ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg
Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX
96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue
vw2kqH9uZ7dlx7c6CA==
-----END CERTIFICATE-----
How would I access/save the expired certificate that you posted?
Thanks again,
Thomas
On 10/25/2013 12:17 AM, Michal Trojnara wrote:
Now I could reproduce it and the solution was trivial: your news80 host was configured to use a different (older) certificate.
$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA
        Validity
            Not Before: May 2 00:00:00 2011 GMT
            Not After : Jul 9 23:59:59 2013 GMT
        Subject: C=US/postalCode=92026, ST=California, L=Escondido/street=2223 Bent Tree Place, O=Forte Internet Software, Inc., OU=Internet Services, OU=Comodo PremiumSSL Wildcard, CN=*.forteinc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:
                    85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:
                    0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:
                    42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:
                    d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:
                    6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:
                    0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:
                    64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:
                    73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:
                    6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:
                    6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:
                    83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:
                    45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:
                    2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:
                    af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:
                    3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:
                    4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:
                    1a:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B
            X509v3 Subject Key Identifier:
                C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
                  CPS: https://secure.comodo.com/CPS
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com
            X509v3 Subject Alternative Name:
                DNS:*.forteinc.com, DNS:forteinc.com
    Signature Algorithm: sha1WithRSAEncryption
        a4:a0:d9:21:f9:a7:a0:ae:66:44:fd:34:92:ac:0f:0d:cd:62:
        b8:93:ec:bf:dd:0c:4d:77:31:61:3d:ff:71:52:1d:0a:23:fd:
        bd:52:96:d4:85:49:7a:b9:81:72:d6:86:e4:d1:5f:c1:a4:fa:
        5c:1d:b2:ce:b9:f3:bc:7e:03:5d:ea:84:7a:b4:2c:26:7f:55:
        6d:93:14:3c:3a:a9:34:3a:af:a8:98:8e:7b:a8:db:f0:89:5d:
        f5:5d:3d:e1:da:c2:f3:21:d1:be:e4:02:c4:83:c2:a2:d4:57:
        61:e0:38:b2:0c:c6:e4:2c:de:12:ac:f9:c8:22:e2:6f:4d:44:
        21:64:5f:10:c4:1a:58:6e:76:75:dd:e4:87:99:25:45:6b:73:
        4c:ee:39:d5:88:a6:35:5b:92:3d:12:66:c4:26:fa:e8:74:bd:
        54:44:a8:01:b7:a0:49:2f:8b:52:cc:60:91:47:f1:23:9f:3d:
        e8:f4:8e:bc:46:2e:71:60:34:7d:13:80:79:e0:46:a3:e6:bf:
        bf:d2:f1:3b:fb:5c:45:33:b7:c3:40:69:9a:b8:0c:06:90:1c:
        53:d9:46:b7:05:e5:d8:b7:de:7f:e2:33:1f:b7:e5:67:4a:0a:
        7e:8d:0e:d4:5a:03:b6:58:15:50:42:ba:92:3e:a1:00:91:1a:
        5e:70:c3:2b
-----BEGIN CERTIFICATE-----
MIIFxDCCBKygAwIBAgIQLdcENyWcB0kp4B/xii8kFzANBgkqhkiG9w0BAQUFADCB
iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx
MDUwMjAwMDAwMFoXDTEzMDcwOTIzNTk1OVowgecxCzAJBgNVBAYTAlVTMQ4wDAYD
VQQREwU5MjAyNjETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJRXNjb25k
aWRvMR0wGwYDVQQJExQyMjIzIEJlbnQgVHJlZSBQbGFjZTEmMCQGA1UEChMdRm9y
dGUgSW50ZXJuZXQgU29mdHdhcmUsIEluYy4xGjAYBgNVBAsTEUludGVybmV0IFNl
cnZpY2VzMSMwIQYDVQQLExpDb21vZG8gUHJlbWl1bVNTTCBXaWxkY2FyZDEXMBUG
A1UEAxQOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0Xes5fGjw7oBT
yUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7KpokKao+M6AtL
0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSjkSxUsW62p6+q
E+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWlK0X0yUkxbkc5
o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2bVeL052E7EjTx
RvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggHGMIIBwjAfBgNVHSMEGDAWgBQ/
1bXQ1kR5UEoXo5uMSty4sCJkazAdBgNVHQ4EFgQUwgLEas/pP7rMUfpMXPrkHEg4
SWcwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI
KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRI
MEYwRKBCoECGPmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNz
dXJhbmNlU2VjdXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYB
BQUHMAKGPmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJh
bmNlU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5j
b21vZG9jYS5jb20wJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j
LmNvbTANBgkqhkiG9w0BAQUFAAOCAQEApKDZIfmnoK5mRP00kqwPDc1iuJPsv90M
TXcxYT3/cVIdCiP9vVKW1IVJermBctaG5NFfwaT6XB2yzrnzvH4DXeqEerQsJn9V
bZMUPDqpNDqvqJiOe6jb8Ild9V094drC8yHRvuQCxIPCotRXYeA4sgzG5CzeEqz5
yCLib01EIWRfEMQaWG52dd3kh5klRWtzTO451YimNVuSPRJmxCb66HS9VESoAbeg
SS+LUsxgkUfxI5896PSOvEYucWA0fROAeeBGo+a/v9LxO/tcRTO3w0BpmrgMBpAc
U9lGtwXl2Lfef+IzH7flZ0oKfo0O1FoDtlgVUEK6kj6hAJEaXnDDKw==
-----END CERTIFICATE-----
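The diagnosis in the quoted reply comes down to two steps: grab whatever certificate the host actually presents (without letting verification reject it first, which is what the openssl s_client pipeline does), then read its validity window. The following is an added example written for this page, not stunnel's code and not something either correspondent posted: it does both with the Python standard library only, fetching the peer certificate the same non-validating way and walking the DER structure to the notBefore/notAfter fields so no third-party X.509 parser is needed. Function names (fetch_peer_pem, validity_window, check_expiry) are my own; the sample input is the expired COMODO certificate from the quoted message, copied verbatim rather than constructed.

```python
# Added example (not stunnel's code, not from the thread): read the validity window of
# the certificate a server actually presents, using only the standard library.
import base64
import ssl
from datetime import datetime, timezone

# The expired COMODO certificate quoted in the reply above (copied, not constructed).
EXPIRED_PEM = """-----BEGIN CERTIFICATE-----
MIIFxDCCBKygAwIBAgIQLdcENyWcB0kp4B/xii8kFzANBgkqhkiG9w0BAQUFADCB
iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx
MDUwMjAwMDAwMFoXDTEzMDcwOTIzNTk1OVowgecxCzAJBgNVBAYTAlVTMQ4wDAYD
VQQREwU5MjAyNjETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJRXNjb25k
aWRvMR0wGwYDVQQJExQyMjIzIEJlbnQgVHJlZSBQbGFjZTEmMCQGA1UEChMdRm9y
dGUgSW50ZXJuZXQgU29mdHdhcmUsIEluYy4xGjAYBgNVBAsTEUludGVybmV0IFNl
cnZpY2VzMSMwIQYDVQQLExpDb21vZG8gUHJlbWl1bVNTTCBXaWxkY2FyZDEXMBUG
A1UEAxQOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0Xes5fGjw7oBT
yUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7KpokKao+M6AtL
0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSjkSxUsW62p6+q
E+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWlK0X0yUkxbkc5
o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2bVeL052E7EjTx
RvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggHGMIIBwjAfBgNVHSMEGDAWgBQ/
1bXQ1kR5UEoXo5uMSty4sCJkazAdBgNVHQ4EFgQUwgLEas/pP7rMUfpMXPrkHEg4
SWcwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI
KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRI
MEYwRKBCoECGPmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNz
dXJhbmNlU2VjdXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYB
BQUHMAKGPmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJh
bmNlU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5j
b21vZG9jYS5jb20wJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j
LmNvbTANBgkqhkiG9w0BAQUFAAOCAQEApKDZIfmnoK5mRP00kqwPDc1iuJPsv90M
TXcxYT3/cVIdCiP9vVKW1IVJermBctaG5NFfwaT6XB2yzrnzvH4DXeqEerQsJn9V
bZMUPDqpNDqvqJiOe6jb8Ild9V094drC8yHRvuQCxIPCotRXYeA4sgzG5CzeEqz5
yCLib01EIWRfEMQaWG52dd3kh5klRWtzTO451YimNVuSPRJmxCb66HS9VESoAbeg
SS+LUsxgkUfxI5896PSOvEYucWA0fROAeeBGo+a/v9LxO/tcRTO3w0BpmrgMBpAc
U9lGtwXl2Lfef+IzH7flZ0oKfo0O1FoDtlgVUEK6kj6hAJEaXnDDKw==
-----END CERTIFICATE-----"""

def fetch_peer_pem(host, port=443):
    """Diagnostic fetch of whatever certificate the server sends (like the s_client
    pipeline): with no ca_certs given, no chain validation is performed, which is
    exactly what lets you save an expired or otherwise rejected certificate."""
    return ssl.get_server_certificate((host, port))

def pem_to_der(pem):
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed DER value into its (tag, value) members, in order."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = tlv(value, pos)
        out.append((tag, body))
    return out

def parse_time(tag, body):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> UTC."""
    text = body.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_window(pem):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity."""
    _, cert, _ = tlv(pem_to_der(pem), 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = [parse_time(t, b) for t, b in children(fields[3][1])]
    return not_before, not_after

def check_expiry(pem, at_iso):
    """Classify the certificate at a UTC instant given as 'YYYY-MM-DDTHH:MM:SS'."""
    at = datetime.fromisoformat(at_iso).replace(tzinfo=timezone.utc)
    not_before, not_after = validity_window(pem)
    if at < not_before:
        return "not yet valid"
    if at > not_after:
        return "expired"
    return "valid"
```

Offline, check_expiry(EXPIRED_PEM, "2013-10-25T00:17:00") returns "expired", matching the reply's date; against a live host, pass fetch_peer_pem(host) to validity_window or check_expiry. Two things worth keeping in mind when using the fetch this way: ssl.get_server_certificate sends the host name as SNI, so a server with name-based virtual hosts may present a different certificate than a client that omits SNI sees, and because the fetch deliberately skips validation it is for inspection only, never a substitute for the verify settings in the stunnel client configuration.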