I've just encountered another situation in which verify = 4 fails on a seemingly valid certificate. Since I've previously posted details regarding this issue, I'm only going to post the certificate here. This is the 3rd certificate I've run across in the past 6 months that fails to verify. Can all 3 of the certificates be faulty, or is there an issue with Stunnel or OpenSSL here?
Thomas
-----BEGIN CERTIFICATE----- MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0 Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX 96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue vw2kqH9uZ7dlx7c6CA== -----END CERTIFICATE-----
Once again, manually adding the certificate of the issuing CA to the corresponding .pem file clears the issue. I simply pasted it directly below the server cert.
Thomas
On 10/18/2013 8:59 PM, Thomas Eifert wrote:
I've just encountered another situation in which verify = 4 fails on a seemingly valid certificate. Since I've previously posted details regarding this issue, I'm only going to post the certificate here. This is the 3rd certificate I've run across in the past 6 months that fails to verify. Can all 3 of the certificates be faulty, or is there an issue with Stunnel or OpenSSL here?
Thomas
-----BEGIN CERTIFICATE----- MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0 Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX 96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue vw2kqH9uZ7dlx7c6CA== -----END CERTIFICATE-----
On 2013-10-19 03:59, Thomas Eifert wrote:
I've just encountered another situation in which verify = 4 fails on a seemingly valid certificate. Since I've previously posted details regarding this issue, I'm only going to post the certificate here. This is the 3rd certificate I've run across in the past 6 months that fails to verify. Can all 3 of the certificates be faulty, or is there an issue with Stunnel or OpenSSL here?
Thank you very much for the sample certificate. I'll try to identify the root cause and I'll send the results to the mailing list.
Mike
On 2013-10-19 03:59, Thomas Eifert wrote:
I've just encountered another situation in which verify = 4 fails on a seemingly valid certificate. Since I've previously posted details regarding this issue, I'm only going to post the certificate here. This is the 3rd certificate I've run across in the past 6 months that fails to verify. Can all 3 of the certificates be faulty, or is there an issue with Stunnel or OpenSSL here?
As strange as it may sound it just worked for me:
~/stunnel/src/tests$ cat forteinc.conf foreground=yes debug=7 pid=
[test_cli] client=yes accept=4321 connect=forteinc.com:443 cafile=forteinc.pem verify=4
~/stunnel/src/tests$ cat forteinc.pem -----BEGIN CERTIFICATE----- MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0 Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX 96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue vw2kqH9uZ7dlx7c6CA== -----END CERTIFICATE-----
~/stunnel/src/tests$ openssl x509 -in forteinc.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3 Validity Not Before: Jun 3 00:00:00 2013 GMT Not After : Aug 10 12:00:00 2016 GMT Subject: C=US, ST=California, L=Escondido, O=Forte Internet Software, Inc., OU=IT, CN=*.forteinc.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73: 85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34: 0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9: 42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a: d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84: 6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8: 0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2: 64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34: 73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1: 6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c: 6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60: 83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b: 45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08: 2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66: af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2: 3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12: 4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f: 1a:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier:
keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7
X509v3 Subject Key Identifier: C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67 X509v3 Subject Alternative Name: DNS:*.forteinc.com, DNS:forteinc.com X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points:
Full Name: URI:http://crl3.digicert.com/ca3-g22.crl
Full Name: URI:http://crl4.digicert.com/ca3-g22.crl
X509v3 Certificate Policies: Policy: 2.16.840.1.114412.1.1 CPS: http://www.digicert.com/ssl-cps-repository.htm User Notice: Explicit Text:
Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt
X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: sha1WithRSAEncryption 7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91: 8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37: 2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4: f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57: df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8: 6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e: b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da: f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50: 04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d: 7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c: 40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76: 89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db: 62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24: 49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65: c7:b7:3a:08
~/stunnel/src/tests$ ../stunnel forteinc.conf 2013.10.24 21:45:35 LOG7[19767]: Clients allowed=500 2013.10.24 21:45:35 LOG5[19767]: stunnel 5.00 on i686-pc-linux-gnu platform 2013.10.24 21:45:35 LOG5[19767]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013 2013.10.24 21:45:35 LOG5[19767]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP 2013.10.24 21:45:35 LOG5[19767]: Reading configuration from file forteinc.conf 2013.10.24 21:45:35 LOG5[19767]: FIPS mode is disabled 2013.10.24 21:45:35 LOG7[19767]: Compression not enabled 2013.10.24 21:45:35 LOG7[19767]: Snagged 64 random bytes from /home/mtrojnar/.rnd 2013.10.24 21:45:35 LOG7[19767]: Wrote 1024 new random bytes to /home/mtrojnar/.rnd 2013.10.24 21:45:35 LOG7[19767]: PRNG seeded successfully 2013.10.24 21:45:35 LOG6[19767]: Initializing service [test_cli] 2013.10.24 21:45:35 LOG7[19767]: Loaded verify certificates from forteinc.pem 2013.10.24 21:45:35 LOG7[19767]: Loaded forteinc.pem revocation lookup file 2013.10.24 21:45:35 LOG7[19767]: SSL options set: 0x00000004 2013.10.24 21:45:35 LOG5[19767]: Configuration successful 2013.10.24 21:45:35 LOG7[19767]: Service [test_cli] (FD=7) bound to 0.0.0.0:4321 2013.10.24 21:45:35 LOG7[19767]: No pid file being created 2013.10.24 21:45:46 LOG7[19767]: Service [test_cli] accepted (FD=3) from 127.0.0.1:44011 2013.10.24 21:45:46 LOG7[19772]: Service [test_cli] started 2013.10.24 21:45:46 LOG5[19772]: Service [test_cli] accepted connection from 127.0.0.1:44011 2013.10.24 21:45:46 LOG6[19772]: connect_blocking: connecting 64.105.44.55:443 2013.10.24 21:45:46 LOG7[19772]: connect_blocking: s_poll_wait 64.105.44.55:443: waiting 10 seconds 2013.10.24 21:45:46 LOG5[19772]: connect_blocking: connected 64.105.44.55:443 2013.10.24 21:45:46 LOG5[19772]: Service [test_cli] connected remote server from 207.192.69.165:53779 2013.10.24 21:45:46 LOG7[19772]: Remote socket (FD=8) initialized 2013.10.24 21:45:46 LOG7[19772]: SNI: sending servername: forteinc.com 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): before/connect initialization 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write client hello A 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read server hello A 2013.10.24 21:45:46 LOG7[19772]: Starting certificate verification: depth=1, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 2013.10.24 21:45:46 LOG6[19772]: *CERT: Invalid CA certificate ignored* 2013.10.24 21:45:46 LOG5[19772]: Certificate accepted: depth=1, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 2013.10.24 21:45:46 LOG7[19772]: Starting certificate verification: depth=1, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 2013.10.24 21:45:46 LOG6[19772]: *CERT: Invalid CA certificate ignored* 2013.10.24 21:45:46 LOG5[19772]: Certificate accepted: depth=1, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 2013.10.24 21:45:46 LOG7[19772]: Starting certificate verification: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com 2013.10.24 21:45:46 LOG6[19772]: *CERT: Locally installed certificate matched* 2013.10.24 21:45:46 LOG5[19772]: Certificate accepted: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read server certificate A 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read server done A 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write client key exchange A 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write change cipher spec A 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write finished A 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 flush data 2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read finished A 2013.10.24 21:45:46 LOG7[19772]: 1 items in the session cache 2013.10.24 21:45:46 LOG7[19772]: 1 client connects (SSL_connect()) 2013.10.24 21:45:46 LOG7[19772]: 1 client connects that finished 2013.10.24 21:45:46 LOG7[19772]: 0 client renegotiations requested 2013.10.24 21:45:46 LOG7[19772]: 0 server connects (SSL_accept()) 2013.10.24 21:45:46 LOG7[19772]: 0 server connects that finished 2013.10.24 21:45:46 LOG7[19772]: 0 server renegotiations requested 2013.10.24 21:45:46 LOG7[19772]: 0 session cache hits 2013.10.24 21:45:46 LOG7[19772]: 0 external session cache hits 2013.10.24 21:45:46 LOG7[19772]: 0 session cache misses 2013.10.24 21:45:46 LOG7[19772]: 0 session cache timeouts 2013.10.24 21:45:46 LOG7[19772]: Peer certificate was cached (4675 bytes) 2013.10.24 21:45:46 LOG6[19772]: SSL connected: new session negotiated 2013.10.24 21:45:46 LOG6[19772]: Negotiated TLSv1/SSLv3 ciphersuite: AES256-SHA (256-bit encryption) 2013.10.24 21:45:46 LOG6[19772]: Compression: null, expansion: null 2013.10.24 21:45:52 LOG7[19772]: SSL alert (read): warning: close notify 2013.10.24 21:45:52 LOG6[19772]: SSL closed (SSL_read) 2013.10.24 21:45:52 LOG7[19772]: Sent socket write shutdown 2013.10.24 21:45:52 LOG6[19772]: Read socket closed (hangup) 2013.10.24 21:45:52 LOG6[19772]: Write socket closed (hangup) 2013.10.24 21:45:52 LOG7[19772]: Sending close_notify alert 2013.10.24 21:45:52 LOG7[19772]: SSL alert (write): warning: close notify 2013.10.24 21:45:52 LOG6[19772]: SSL_shutdown successfully sent close_notify alert 2013.10.24 21:45:52 LOG5[19772]: Connection closed: 16 byte(s) sent to SSL, 501 byte(s) sent to socket 2013.10.24 21:45:52 LOG7[19772]: Remote socket (FD=8) closed 2013.10.24 21:45:52 LOG7[19772]: Local socket (FD=3) closed 2013.10.24 21:45:52 LOG7[19772]: Service [test_cli] finished (0 left) ^C2013.10.24 21:45:54 LOG7[19767]: Dispatching signals from the signal pipe 2013.10.24 21:45:54 LOG3[19767]: Received signal 2; terminating 2013.10.24 21:45:54 LOG7[19767]: Closing service [test_cli] 2013.10.24 21:45:54 LOG7[19767]: Service [test_cli] closed (FD=7) 2013.10.24 21:45:54 LOG7[19767]: Sessions cached before flush: 1 2013.10.24 21:45:54 LOG7[19767]: Sessions cached after flush: 0 2013.10.24 21:45:54 LOG7[19767]: Service [test_cli] closed 2013.10.24 21:45:54 LOG7[19767]: str_stats: 11 block(s), 1816 data byte(s), 462 control byte(s)
Mike
Mike,
I'm not having your luck. Out of ten services, I have eight verfiy = 4's that work as they should, and two that need the CA certificate to be added.
Here's my log output for the same server certificate that you tested. (without adding the certificate of the CA)
Thomas
2013.10.24 16:01:03 LOG7[2824:2876]: Service [nntps.6] accepted (FD=588) from 127.0.0.1:49411 2013.10.24 16:01:03 LOG7[2824:2876]: Creating a new thread 2013.10.24 16:01:03 LOG7[2824:2876]: New thread created 2013.10.24 16:01:03 LOG7[2824:2228]: Service [nntps.6] started 2013.10.24 16:01:03 LOG5[2824:2228]: Service [nntps.6] accepted connection from 127.0.0.1:49411 2013.10.24 16:01:04 LOG6[2824:2228]: connect_blocking: connecting 69.16.186.7:443 2013.10.24 16:01:04 LOG7[2824:2228]: connect_blocking: s_poll_wait 69.16.186.7:443: waiting 10 seconds 2013.10.24 16:01:04 LOG5[2824:2228]: connect_blocking: connected 69.16.186.7:443 2013.10.24 16:01:04 LOG5[2824:2228]: Service [nntps.6] connected remote server from 192.168.5.9:49412 2013.10.24 16:01:04 LOG7[2824:2228]: Remote socket (FD=596) initialized 2013.10.24 16:01:04 LOG7[2824:2228]: SNI: sending servername: news80.forteinc.com 2013.10.24 16:01:04 LOG7[2824:2228]: SSL state (connect): before/connect initialization 2013.10.24 16:01:04 LOG7[2824:2228]: SSL state (connect): SSLv3 write client hello A 2013.10.24 16:01:04 LOG7[2824:2228]: SSL state (connect): SSLv3 read server hello A 2013.10.24 16:01:04 LOG7[2824:2228]: Starting certificate verification: depth=0, /C=US/postalCode=92026/ST=California/L=Escondido/street=2223 Bent Tree Place/O=Forte Internet Software, Inc./OU=Internet Services/OU=Comodo PremiumSSL Wildcard/CN=*.forteinc.com 2013.10.24 16:01:04 LOG4[2824:2228]: CERT: Verification error: unable to get local issuer certificate 2013.10.24 16:01:04 LOG4[2824:2228]: Certificate check failed: depth=0, /C=US/postalCode=92026/ST=California/L=Escondido/street=2223 Bent Tree Place/O=Forte Internet Software, Inc./OU=Internet Services/OU=Comodo PremiumSSL Wildcard/CN=*.forteinc.com 2013.10.24 16:01:04 LOG7[2824:2228]: SSL alert (write): fatal: unknown CA 2013.10.24 16:01:04 LOG3[2824:2228]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 2013.10.24 16:01:04 LOG5[2824:2228]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket 2013.10.24 16:01:04 LOG7[2824:2228]: Remote socket (FD=596) closed 2013.10.24 16:01:04 LOG7[2824:2228]: Local socket (FD=588) closed 2013.10.24 16:01:04 LOG7[2824:2228]: Service [nntps.6] finished (1 left)
On 10/24/2013 2:57 PM, Michal Trojnara wrote:
As strange as it may sound it just worked for me:
On 2013-10-24 23:07, Thomas Eifert wrote:
I'm not having your luck. Out of ten services, I have eight verfiy = 4's that work as they should, and two that need the CA certificate to be added.
I don't think it's about luck. I'm pretty sure there is something wrong with your configuration. The one I sent you works fine. I won't be able to diagnose yours, because you didn't send it. Please try to reproduce my setup first. If it doesn't help solve the problem immediately, send me your setup so I can reproduce your error.
BTW: I highly recommend reading: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html http://www.chiark.greenend.org.uk/%7Esgtatham/bugs.html
Mike
Mike,
I tried your config. I had to comment out the foreground and pid statements, as they produced error messages (I'm running under Win 7). I also had to change the server address to a valid one, but in any case I'm it's producing the same error. Here's the log:
2013.10.24 17:23:28 LOG7[2824:2876]: Service [test_cli] accepted (FD=436) from 127.0.0.1:49487 2013.10.24 17:23:28 LOG7[2824:2876]: Creating a new thread 2013.10.24 17:23:28 LOG7[2824:2876]: New thread created 2013.10.24 17:23:28 LOG7[2824:3420]: Service [test_cli] started 2013.10.24 17:23:28 LOG5[2824:3420]: Service [test_cli] accepted connection from 127.0.0.1:49487 2013.10.24 17:23:28 LOG6[2824:3420]: connect_blocking: connecting 69.16.186.7:443 2013.10.24 17:23:28 LOG7[2824:3420]: connect_blocking: s_poll_wait 69.16.186.7:443: waiting 10 seconds 2013.10.24 17:23:28 LOG5[2824:3420]: connect_blocking: connected 69.16.186.7:443 2013.10.24 17:23:28 LOG5[2824:3420]: Service [test_cli] connected remote server from 192.168.5.9:49488 2013.10.24 17:23:28 LOG7[2824:3420]: Remote socket (FD=608) initialized 2013.10.24 17:23:28 LOG7[2824:3420]: SNI: sending servername: news80.forteinc.com 2013.10.24 17:23:28 LOG7[2824:3420]: SSL state (connect): before/connect initialization 2013.10.24 17:23:28 LOG7[2824:3420]: SSL state (connect): SSLv3 write client hello A 2013.10.24 17:23:29 LOG7[2824:3420]: SSL state (connect): SSLv3 read server hello A 2013.10.24 17:23:29 LOG7[2824:3420]: Starting certificate verification: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com 2013.10.24 17:23:29 LOG4[2824:3420]: CERT: Verification error: unable to get local issuer certificate 2013.10.24 17:23:29 LOG4[2824:3420]: Certificate check failed: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com 2013.10.24 17:23:29 LOG7[2824:3420]: SSL alert (write): fatal: unknown CA 2013.10.24 17:23:29 LOG3[2824:3420]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 2013.10.24 17:23:29 LOG5[2824:3420]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket 2013.10.24 17:23:29 LOG7[2824:3420]: Remote socket (FD=608) closed 2013.10.24 17:23:29 LOG7[2824:3420]: Local socket (FD=436) closed 2013.10.24 17:23:29 LOG7[2824:3420]: Service [test_cli] finished (1 left)
Here's my own test configuration:
debug = 7 fips = no delay = yes output = stunnel.log
[nntps.6] client = yes cafile = peer-nntps.6.pem verify = 4 accept = 127.0.0.1:119 connect = news80.forteinc.com:443
Regards,
Thomas
On 10/24/2013 4:19 PM, Michal Trojnara wrote:
On 2013-10-24 23:07, Thomas Eifert wrote:
I'm not having your luck. Out of ten services, I have eight verfiy = 4's that work as they should, and two that need the CA certificate to be added.
I don't think it's about luck. I'm pretty sure there is something wrong with your configuration. The one I sent you works fine. I won't be able to diagnose yours, because you didn't send it. Please try to reproduce my setup first. If it doesn't help solve the problem immediately, send me your setup so I can reproduce your error.
BTW: I highly recommend reading: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html http://www.chiark.greenend.org.uk/%7Esgtatham/bugs.html
Mike
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
On 2013-10-25 00:33, Thomas Eifert wrote:
Here's my own test configuration:
debug = 7 fips = no delay = yes output = stunnel.log
[nntps.6] client = yes cafile = peer-nntps.6.pem verify = 4 accept = 127.0.0.1:119 connect = news80.forteinc.com:443
Now I could reproduce it and the solution was trivial: your news80 host was configured to use a different (older) certificate.
$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null | openssl x509 -text Certificate: Data: Version: 3 (0x2) Serial Number: 2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17 Signature Algorithm: sha1WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA Validity Not Before: May 2 00:00:00 2011 GMT Not After : Jul 9 23:59:59 2013 GMT Subject: C=US/postalCode=92026, ST=California, L=Escondido/street=2223 Bent Tree Place, O=Forte Internet Software, Inc., OU=Internet Services, OU=Comodo PremiumSSL Wildcard, CN=*.forteinc.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73: 85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34: 0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9: 42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a: d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84: 6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8: 0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2: 64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34: 73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1: 6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c: 6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60: 83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b: 45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08: 2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66: af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2: 3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12: 4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f: 1a:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier:
keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B
X509v3 Subject Key Identifier: C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.1.3.4 CPS: https://secure.comodo.com/CPS
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl
Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name: DNS:*.forteinc.com, DNS:forteinc.com Signature Algorithm: sha1WithRSAEncryption a4:a0:d9:21:f9:a7:a0:ae:66:44:fd:34:92:ac:0f:0d:cd:62: b8:93:ec:bf:dd:0c:4d:77:31:61:3d:ff:71:52:1d:0a:23:fd: bd:52:96:d4:85:49:7a:b9:81:72:d6:86:e4:d1:5f:c1:a4:fa: 5c:1d:b2:ce:b9:f3:bc:7e:03:5d:ea:84:7a:b4:2c:26:7f:55: 6d:93:14:3c:3a:a9:34:3a:af:a8:98:8e:7b:a8:db:f0:89:5d: f5:5d:3d:e1:da:c2:f3:21:d1:be:e4:02:c4:83:c2:a2:d4:57: 61:e0:38:b2:0c:c6:e4:2c:de:12:ac:f9:c8:22:e2:6f:4d:44: 21:64:5f:10:c4:1a:58:6e:76:75:dd:e4:87:99:25:45:6b:73: 4c:ee:39:d5:88:a6:35:5b:92:3d:12:66:c4:26:fa:e8:74:bd: 54:44:a8:01:b7:a0:49:2f:8b:52:cc:60:91:47:f1:23:9f:3d: e8:f4:8e:bc:46:2e:71:60:34:7d:13:80:79:e0:46:a3:e6:bf: bf:d2:f1:3b:fb:5c:45:33:b7:c3:40:69:9a:b8:0c:06:90:1c: 53:d9:46:b7:05:e5:d8:b7:de:7f:e2:33:1f:b7:e5:67:4a:0a: 7e:8d:0e:d4:5a:03:b6:58:15:50:42:ba:92:3e:a1:00:91:1a: 5e:70:c3:2b -----BEGIN CERTIFICATE----- MIIFxDCCBKygAwIBAgIQLdcENyWcB0kp4B/xii8kFzANBgkqhkiG9w0BAQUFADCB iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx MDUwMjAwMDAwMFoXDTEzMDcwOTIzNTk1OVowgecxCzAJBgNVBAYTAlVTMQ4wDAYD VQQREwU5MjAyNjETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJRXNjb25k aWRvMR0wGwYDVQQJExQyMjIzIEJlbnQgVHJlZSBQbGFjZTEmMCQGA1UEChMdRm9y dGUgSW50ZXJuZXQgU29mdHdhcmUsIEluYy4xGjAYBgNVBAsTEUludGVybmV0IFNl cnZpY2VzMSMwIQYDVQQLExpDb21vZG8gUHJlbWl1bVNTTCBXaWxkY2FyZDEXMBUG A1UEAxQOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0Xes5fGjw7oBT yUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7KpokKao+M6AtL 0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSjkSxUsW62p6+q E+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWlK0X0yUkxbkc5 o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2bVeL052E7EjTx RvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggHGMIIBwjAfBgNVHSMEGDAWgBQ/ 1bXQ1kR5UEoXo5uMSty4sCJkazAdBgNVHQ4EFgQUwgLEas/pP7rMUfpMXPrkHEg4 SWcwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB BQUHAwEGCCsGAQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRI MEYwRKBCoECGPmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNz dXJhbmNlU2VjdXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYB BQUHMAKGPmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJh bmNlU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5j b21vZG9jYS5jb20wJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTANBgkqhkiG9w0BAQUFAAOCAQEApKDZIfmnoK5mRP00kqwPDc1iuJPsv90M TXcxYT3/cVIdCiP9vVKW1IVJermBctaG5NFfwaT6XB2yzrnzvH4DXeqEerQsJn9V bZMUPDqpNDqvqJiOe6jb8Ild9V094drC8yHRvuQCxIPCotRXYeA4sgzG5CzeEqz5 yCLib01EIWRfEMQaWG52dd3kh5klRWtzTO451YimNVuSPRJmxCb66HS9VESoAbeg SS+LUsxgkUfxI5896PSOvEYucWA0fROAeeBGo+a/v9LxO/tcRTO3w0BpmrgMBpAc U9lGtwXl2Lfef+IzH7flZ0oKfo0O1FoDtlgVUEK6kj6hAJEaXnDDKw== -----END CERTIFICATE-----
Mike
Mike,
Thanks for the follow-up.
I'm unable to access the expired certificate. I'm just using Stunnel's built-in peer certificate save function. When I do this, here's the certificate that gets saved after I connect to news80. It has a valid date range:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf Certificate: Data: Version: 3 (0x2) Serial Number: 0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3 Validity Not Before: Jun 3 00:00:00 2013 GMT Not After : Aug 10 12:00:00 2016 GMT Subject: C=US, ST=California, L=Escondido, O=Forte Internet Software, Inc., OU=IT, CN=*.forteinc.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73: 85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34: 0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9: 42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a: d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84: 6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8: 0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2: 64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34: 73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1: 6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c: 6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60: 83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b: 45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08: 2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66: af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2: 3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12: 4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f: 1a:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7
X509v3 Subject Key Identifier: C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67 X509v3 Subject Alternative Name: DNS:*.forteinc.com, DNS:forteinc.com X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points:
Full Name: URI:http://crl3.digicert.com/ca3-g22.crl
Full Name: URI:http://crl4.digicert.com/ca3-g22.crl
X509v3 Certificate Policies: Policy: 2.16.840.1.114412.1.1 CPS: http://www.digicert.com/ssl-cps-repository.htm User Notice: Explicit Text:
Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt
X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: sha1WithRSAEncryption 7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91: 8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37: 2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4: f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57: df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8: 6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e: b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da: f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50: 04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d: 7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c: 40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76: 89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db: 62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24: 49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65: c7:b7:3a:08 -----BEGIN CERTIFICATE----- MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0 Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX 96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue vw2kqH9uZ7dlx7c6CA== -----END CERTIFICATE-----
How would I access/save the expired certificate that you posted?
Thanks again,
Thomas
On 10/25/2013 12:17 AM, Michal Trojnara wrote:
Now I could reproduce it and the solution was trivial: your news80 host was configured to use a different (older) certificate.
$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null | openssl x509 -text Certificate: Data: Version: 3 (0x2) Serial Number: 2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17 Signature Algorithm: sha1WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA Validity Not Before: May 2 00:00:00 2011 GMT Not After : Jul 9 23:59:59 2013 GMT Subject: C=US/postalCode=92026, ST=California, L=Escondido/street=2223 Bent Tree Place, O=Forte Internet Software, Inc., OU=Internet Services, OU=Comodo PremiumSSL Wildcard, CN=*.forteinc.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73: 85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34: 0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9: 42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a: d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84: 6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8: 0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2: 64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34: 73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1: 6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c: 6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60: 83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b: 45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08: 2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66: af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2: 3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12: 4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f: 1a:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B
X509v3 Subject Key Identifier:C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.1.3.4 CPS: https://secure.comodo.com/CPS
X509v3 CRL Distribution Points: Full Name:URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl
Authority Information Access: CA Issuers -URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name: DNS:*.forteinc.com, DNS:forteinc.com Signature Algorithm: sha1WithRSAEncryption a4:a0:d9:21:f9:a7:a0:ae:66:44:fd:34:92:ac:0f:0d:cd:62: b8:93:ec:bf:dd:0c:4d:77:31:61:3d:ff:71:52:1d:0a:23:fd: bd:52:96:d4:85:49:7a:b9:81:72:d6:86:e4:d1:5f:c1:a4:fa: 5c:1d:b2:ce:b9:f3:bc:7e:03:5d:ea:84:7a:b4:2c:26:7f:55: 6d:93:14:3c:3a:a9:34:3a:af:a8:98:8e:7b:a8:db:f0:89:5d: f5:5d:3d:e1:da:c2:f3:21:d1:be:e4:02:c4:83:c2:a2:d4:57: 61:e0:38:b2:0c:c6:e4:2c:de:12:ac:f9:c8:22:e2:6f:4d:44: 21:64:5f:10:c4:1a:58:6e:76:75:dd:e4:87:99:25:45:6b:73: 4c:ee:39:d5:88:a6:35:5b:92:3d:12:66:c4:26:fa:e8:74:bd: 54:44:a8:01:b7:a0:49:2f:8b:52:cc:60:91:47:f1:23:9f:3d: e8:f4:8e:bc:46:2e:71:60:34:7d:13:80:79:e0:46:a3:e6:bf: bf:d2:f1:3b:fb:5c:45:33:b7:c3:40:69:9a:b8:0c:06:90:1c: 53:d9:46:b7:05:e5:d8:b7:de:7f:e2:33:1f:b7:e5:67:4a:0a: 7e:8d:0e:d4:5a:03:b6:58:15:50:42:ba:92:3e:a1:00:91:1a: 5e:70:c3:2b-----BEGIN CERTIFICATE----- MIIFxDCCBKygAwIBAgIQLdcENyWcB0kp4B/xii8kFzANBgkqhkiG9w0BAQUFADCB iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx MDUwMjAwMDAwMFoXDTEzMDcwOTIzNTk1OVowgecxCzAJBgNVBAYTAlVTMQ4wDAYD VQQREwU5MjAyNjETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJRXNjb25k aWRvMR0wGwYDVQQJExQyMjIzIEJlbnQgVHJlZSBQbGFjZTEmMCQGA1UEChMdRm9y dGUgSW50ZXJuZXQgU29mdHdhcmUsIEluYy4xGjAYBgNVBAsTEUludGVybmV0IFNl cnZpY2VzMSMwIQYDVQQLExpDb21vZG8gUHJlbWl1bVNTTCBXaWxkY2FyZDEXMBUG A1UEAxQOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0Xes5fGjw7oBT yUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7KpokKao+M6AtL 0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSjkSxUsW62p6+q E+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWlK0X0yUkxbkc5 o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2bVeL052E7EjTx RvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggHGMIIBwjAfBgNVHSMEGDAWgBQ/ 1bXQ1kR5UEoXo5uMSty4sCJkazAdBgNVHQ4EFgQUwgLEas/pP7rMUfpMXPrkHEg4 SWcwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB BQUHAwEGCCsGAQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRI MEYwRKBCoECGPmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNz dXJhbmNlU2VjdXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYB BQUHMAKGPmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJh bmNlU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5j b21vZG9jYS5jb20wJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTANBgkqhkiG9w0BAQUFAAOCAQEApKDZIfmnoK5mRP00kqwPDc1iuJPsv90M TXcxYT3/cVIdCiP9vVKW1IVJermBctaG5NFfwaT6XB2yzrnzvH4DXeqEerQsJn9V bZMUPDqpNDqvqJiOe6jb8Ild9V094drC8yHRvuQCxIPCotRXYeA4sgzG5CzeEqz5 yCLib01EIWRfEMQaWG52dd3kh5klRWtzTO451YimNVuSPRJmxCb66HS9VESoAbeg SS+LUsxgkUfxI5896PSOvEYucWA0fROAeeBGo+a/v9LxO/tcRTO3w0BpmrgMBpAc U9lGtwXl2Lfef+IzH7flZ0oKfo0O1FoDtlgVUEK6kj6hAJEaXnDDKw== -----END CERTIFICATE-----
On 10/25/2013 08:19 AM, Thomas Eifert wrote:
How would I access/save the expired certificate that you posted?
Thanks again,
Thomas
On 10/25/2013 12:17 AM, Michal Trojnara wrote:
Now I could reproduce it and the solution was trivial: your news80 host was configured to use a different (older) certificate.
$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null | openssl x509 -text
You can access/save the expired certificate with "openssl s_client -connect news80.forteinc.com:443". This is how I did it.
Mike
Mike,
Thanks, I tried it. I suspect they may have routed you to a different server, because I'm not getting an expired certificate. Here's the one I just pulled up using your openssl command:
Certificate: Data: Version: 3 (0x2) Serial Number: 0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3 Validity Not Before: Jun 3 00:00:00 2013 GMT Not After : Aug 10 12:00:00 2016 GMT Subject: C=US, ST=California, L=Escondido, O=Forte Internet Software, Inc., OU=IT, CN=*.forteinc.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73: 85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34: 0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9: 42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a: d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84: 6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8: 0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2: 64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34: 73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1: 6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c: 6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60: 83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b: 45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08: 2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66: af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2: 3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12: 4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f: 1a:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7
X509v3 Subject Key Identifier: C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67 X509v3 Subject Alternative Name: DNS:*.forteinc.com, DNS:forteinc.com X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points:
Full Name: URI:http://crl3.digicert.com/ca3-g22.crl
Full Name: URI:http://crl4.digicert.com/ca3-g22.crl
X509v3 Certificate Policies: Policy: 2.16.840.1.114412.1.1 CPS: http://www.digicert.com/ssl-cps-repository.htm User Notice: Explicit Text:
Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt
X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: sha1WithRSAEncryption 7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91: 8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37: 2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4: f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57: df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8: 6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e: b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da: f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50: 04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d: 7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c: 40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76: 89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db: 62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24: 49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65: c7:b7:3a:08 -----BEGIN CERTIFICATE----- MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0 Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX 96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue vw2kqH9uZ7dlx7c6CA== -----END CERTIFICATE-----
This is the same certificate I've posted previously, and it's the one that fails to verify.
Regards,
Thomas
On 10/25/2013 4:04 AM, Michal Trojnara wrote:
On 10/25/2013 08:19 AM, Thomas Eifert wrote:
How would I access/save the expired certificate that you posted?
Thanks again,
Thomas
On 10/25/2013 12:17 AM, Michal Trojnara wrote:
Now I could reproduce it and the solution was trivial: your news80 host was configured to use a different (older) certificate.
$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null | openssl x509 -text
You can access/save the expired certificate with "openssl s_client -connect news80.forteinc.com:443". This is how I did it.
Mike _______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-
Michal Trojnara -
Thomas Eifert