I'm running Stunnel 5.56 under Windows 10 v1909 x64.
I have uncovered a case in which VerifyPeer = yes is not working. What's happening is that the locally installed certificate is old and expired, and does not match the current, up-to-date server certificate, yet Stunnel is letting it pass and verifying okay. I've pasted the certificates, config, and log below, and clearly the certificates are different.
Regards,
Thomas
From my config file:
debug = 7
delay = yes
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_LINGER=1:60
socket = r:SO_LINGER=1:60

[ircs.3]
client = yes
sslVersionMin = TLSv1.2
cafile = peer-ircs.3.pem
verifyPeer = yes
accept = 127.0.0.1:8909
connect = halcyon.il.us.dal.net:6697
From the Stunnel log:
2020.02.04 12:41:50 LOG5[9]: Service [ircs.3] connected remote server from 104.231.234.35:62290
2020.02.04 12:41:50 LOG7[9]: Setting remote socket options (FD=1012)
2020.02.04 12:41:50 LOG7[9]: Option SO_LINGER set on remote socket
2020.02.04 12:41:50 LOG7[9]: Option TCP_NODELAY set on remote socket
2020.02.04 12:41:50 LOG7[9]: Remote descriptor (FD=1012) initialized
2020.02.04 12:41:50 LOG6[9]: SNI: sending servername: halcyon.il.us.dal.net
2020.02.04 12:41:50 LOG6[9]: Peer certificate required
2020.02.04 12:41:50 LOG7[9]: TLS state (connect): before SSL initialization
2020.02.04 12:41:50 LOG7[9]: TLS state (connect): SSLv3/TLS write client hello
2020.02.04 12:41:50 LOG7[9]: TLS state (connect): SSLv3/TLS write client hello
2020.02.04 12:41:50 LOG7[9]: TLS state (connect): SSLv3/TLS read server hello
2020.02.04 12:41:50 LOG7[9]: TLS state (connect): TLSv1.3 read encrypted extensions
2020.02.04 12:41:50 LOG7[9]: Verification started at depth=1: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2020.02.04 12:41:50 LOG6[9]: CERT: Pre-verification error ignored: unable to get issuer certificate
2020.02.04 12:41:50 LOG6[9]: Certificate accepted at depth=1: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2020.02.04 12:41:50 LOG7[9]: Verification started at depth=0: CN=*.dal.net
2020.02.04 12:41:50 LOG7[9]: CERT: Pre-verification succeeded
2020.02.04 12:41:50 LOG6[9]: CERT: No subject checks configured
2020.02.04 12:41:50 LOG6[9]: CERT: Locally installed certificate matched
2020.02.04 12:41:50 LOG5[9]: Certificate accepted at depth=0: CN=*.dal.net
Here is the locally installed certificate:
-----BEGIN CERTIFICATE-----
MIIFeDCCBGCgAwIBAgISA4aqIgapILZTQatLgMyS1gJ7MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA2MDEwNDEzMjlaFw0x
OTA4MzAwNDEzMjlaMBQxEjAQBgNVBAMMCSouZGFsLm5ldDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKk+ZRY6Kr4GUS9hU+AUvgUrRzffLS4ScDNvk88F
HXKe6Yx3oJnMJEGC9a5I9nJATcItOa+Xk6NKFIsGQZhFOTkV9xvbaEw2KZ14SIKK
NsffEqZeQ/TUdMaHTeDXJxj1gfa+W9FK6uO1TzKrYQamdegXAv55F6KLeIPTjZj3
77AkdWuddimY3rp0gK/R1e2tkFtP/0ZeWuu1M736b6dtjXFIhzw3G8wurbGfBgfO
TebZL3Kw0X5qOlyMQyOyXXUyRZMqgW7PMloGtGQ/PJKoTzqNmyWO93QB28PGHDm8
WgnSdwgXlTmVrL9Vwnzb5FIfcM1ba5nzqDGeg7tG5RcQEGkCAwEAAaOCAowwggKI
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUpVm+qZ/cdM/H1vr7emXvf14+/0AwHwYD
VR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4G
CCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8G
CCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzBD
BgNVHREEPDA6ggkqLmRhbC5uZXSCDyouaWwudXMuZGFsLm5ldIIOKi5pcHY2LmRh
bC5uZXSCDCoudXMuZGFsLm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE
AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y
ZzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AOJpS64m6OlACeiGG7Y7g9Q+5/50
iPukjyiTAZ3d8dv+AAABaxF1ApUAAAQDAEcwRQIgGvt1P3YI9iDIkicmKnWtdA4J
vwiZqB6GoGQEBnFLQuECIQDUzbe30Y4kfobQTA0qLZ85jvNFDtRzbRd9wCPXwcqO
uwB1ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABaxF1ArgAAAQD
AEYwRAIgQ/jYKgNmSMGEmyVgrVBClbEawnND/kPXIZx82My6ovYCIGctTKC5u6bJ
J+zCRH5QrSKMF1lOtXDeNMgYlLx7JOKLMA0GCSqGSIb3DQEBCwUAA4IBAQAcxj0r
mrqFY5KluKfki7LzlXLnYGDEnaTCX3WC4trR/zDsKwLT2z/ywWjQ5O/zKk/N1+ad
0Pk9DMe0jc/AmvYPgzII7rOYIv7FF/J8z4UKF0uuxjvwvAhXr/JDKvNMkOn3Rtrw
agf0eu3xyXwUty6Iip0WfrSYHcy19OrXzwaSLdMdJ5hz9CY6D+7tLk0g2+xI7XnT
D+gU1J+g291HfNJet2hzmJn/I7gUJdareqSI9HtXuHw1f+LcQflAhxaTPRGgm65F
XpnF9tQvtRMJFWiIO9YSrKjq9gJaW3YlN7CTDzNqtjnA3+I8gT7jCqFHYAH3ZLMu
6fJy+BkrQctqjWWp
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
Here is the remote server certificate:
-----BEGIN CERTIFICATE-----
MIIFeTCCBGGgAwIBAgISBMC6zEv90htsFIzCbGOKGCpvMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDAxMjgwNTIzMjFaFw0y
MDA0MjcwNTIzMjFaMBQxEjAQBgNVBAMMCSouZGFsLm5ldDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKk+ZRY6Kr4GUS9hU+AUvgUrRzffLS4ScDNvk88F
HXKe6Yx3oJnMJEGC9a5I9nJATcItOa+Xk6NKFIsGQZhFOTkV9xvbaEw2KZ14SIKK
NsffEqZeQ/TUdMaHTeDXJxj1gfa+W9FK6uO1TzKrYQamdegXAv55F6KLeIPTjZj3
77AkdWuddimY3rp0gK/R1e2tkFtP/0ZeWuu1M736b6dtjXFIhzw3G8wurbGfBgfO
TebZL3Kw0X5qOlyMQyOyXXUyRZMqgW7PMloGtGQ/PJKoTzqNmyWO93QB28PGHDm8
WgnSdwgXlTmVrL9Vwnzb5FIfcM1ba5nzqDGeg7tG5RcQEGkCAwEAAaOCAo0wggKJ
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUpVm+qZ/cdM/H1vr7emXvf14+/0AwHwYD
VR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4G
CCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8G
CCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzBD
BgNVHREEPDA6ggkqLmRhbC5uZXSCDyouaWwudXMuZGFsLm5ldIIOKi5pcHY2LmRh
bC5uZXSCDCoudXMuZGFsLm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE
AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y
ZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3ALIeBcyLos2KIE6HZvkruYolIGdr
2vpw57JJUy3vi5BeAAABb+rRlmkAAAQDAEgwRgIhAOG8C3vcxqEvj3TSqe7Y7peQ
OInmtrkR0eQ9OFLVUIeUAiEAp0ONBILMiR2i0dVimSXFJv9NJDa3wi3tt3bRF5OO
eDMAdQBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAW/q0ZafAAAE
AwBGMEQCIBxS2C2cCPWFKKzof8BduUN6UFiWnyoRqAGAMG36IgylAiBjFDiXnuJs
bVorvhguH6J9+YcPC36yFohKBCh+V7M0nzANBgkqhkiG9w0BAQsFAAOCAQEAnDE3
p/uxes7SKdspdwIhsC4Jwn3ulm4sGcbhJVBRWyYxp7ucGJdy/PxcEfb/CD5sszbw
9hsM56B7gno8ts/yNGvpceIoGEa7oK4AycEeWfapp5M9s11HyE06HwDfTA7wc1Kv
g+PkHmbqZkLziN+UdPIlRm8dSljusvsNY1cMGRt5fszMJ5+gOaC3gj2AB6+aGIeN
cwwNX3BlX10v88I3OUAkDWNlmPERA5BXo88ucZ75SwRZg7H8s66wdMYFi2LvbTHV
GsXyDPVKnyViBtGCNI14UEmTDjUiHmqtzjqK2BTpSzNGYXjuPe1Zz0VIZDERPWin
YxseV8k6nrZgr51Eag==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
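Editor's note, with an added check that is not part of the post and not stunnel's own code. The two leaf certificates pasted above differ in serial number and validity period (the local one ran from 2019-06-01 to 2019-08-30, the remote one from 2020-01-28 to 2020-04-27), but the base64 bodies show an identical subject (CN=*.dal.net), an identical SubjectPublicKeyInfo and the same SubjectKeyIdentifier, i.e. the Let's Encrypt renewal reused the old key pair. That is consistent with the "CERT: Locally installed certificate matched" log line: in stunnel 5.x, my reading of cert_check_local() in src/verify.c is that a peer certificate is accepted as "locally installed" when a certificate in CAfile/CApath has the same subject name and the same public key, and serial, dates and signature are not compared. The "unable to get issuer certificate" line at depth 1 is the expected result of verifyPeer without verifyChain and without the DST root in the file. The script below, written with only the Python standard library, walks the DER of both certificates and reports which fields differ; the function stunnel_local_match() is my assumption of the stunnel rule stated above, not a copy of its implementation.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Both leaf certificates are copied verbatim from the post (PEM bodies only; the
# Let's Encrypt Authority X3 intermediate is identical in both files and omitted).
LOCAL_PEM = """
MIIFeDCCBGCgAwIBAgISA4aqIgapILZTQatLgMyS1gJ7MA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA2MDEwNDEzMjlaFw0x OTA4MzAwNDEzMjlaMBQxEjAQBgNVBAMMCSouZGFsLm5ldDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKk+ZRY6Kr4GUS9hU+AUvgUrRzffLS4ScDNvk88F HXKe6Yx3oJnMJEGC9a5I9nJATcItOa+Xk6NKFIsGQZhFOTkV9xvbaEw2KZ14SIKK NsffEqZeQ/TUdMaHTeDXJxj1gfa+W9FK6uO1TzKrYQamdegXAv55F6KLeIPTjZj3 77AkdWuddimY3rp0gK/R1e2tkFtP/0ZeWuu1M736b6dtjXFIhzw3G8wurbGfBgfO
TebZL3Kw0X5qOlyMQyOyXXUyRZMqgW7PMloGtGQ/PJKoTzqNmyWO93QB28PGHDm8 WgnSdwgXlTmVrL9Vwnzb5FIfcM1ba5nzqDGeg7tG5RcQEGkCAwEAAaOCAowwggKI MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUpVm+qZ/cdM/H1vr7emXvf14+/0AwHwYD
VR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4G CCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8G CCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzBD BgNVHREEPDA6ggkqLmRhbC5uZXSCDyouaWwudXMuZGFsLm5ldIIOKi5pcHY2LmRh
bC5uZXSCDCoudXMuZGFsLm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y ZzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AOJpS64m6OlACeiGG7Y7g9Q+5/50 iPukjyiTAZ3d8dv+AAABaxF1ApUAAAQDAEcwRQIgGvt1P3YI9iDIkicmKnWtdA4J
vwiZqB6GoGQEBnFLQuECIQDUzbe30Y4kfobQTA0qLZ85jvNFDtRzbRd9wCPXwcqO uwB1ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABaxF1ArgAAAQD AEYwRAIgQ/jYKgNmSMGEmyVgrVBClbEawnND/kPXIZx82My6ovYCIGctTKC5u6bJ J+zCRH5QrSKMF1lOtXDeNMgYlLx7JOKLMA0GCSqGSIb3DQEBCwUAA4IBAQAcxj0r
mrqFY5KluKfki7LzlXLnYGDEnaTCX3WC4trR/zDsKwLT2z/ywWjQ5O/zKk/N1+ad 0Pk9DMe0jc/AmvYPgzII7rOYIv7FF/J8z4UKF0uuxjvwvAhXr/JDKvNMkOn3Rtrw agf0eu3xyXwUty6Iip0WfrSYHcy19OrXzwaSLdMdJ5hz9CY6D+7tLk0g2+xI7XnT D+gU1J+g291HfNJet2hzmJn/I7gUJdareqSI9HtXuHw1f+LcQflAhxaTPRGgm65F
XpnF9tQvtRMJFWiIO9YSrKjq9gJaW3YlN7CTDzNqtjnA3+I8gT7jCqFHYAH3ZLMu 6fJy+BkrQctqjWWp
"""
REMOTE_PEM = """
MIIFeTCCBGGgAwIBAgISBMC6zEv90htsFIzCbGOKGCpvMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDAxMjgwNTIzMjFaFw0y MDA0MjcwNTIzMjFaMBQxEjAQBgNVBAMMCSouZGFsLm5ldDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKk+ZRY6Kr4GUS9hU+AUvgUrRzffLS4ScDNvk88F HXKe6Yx3oJnMJEGC9a5I9nJATcItOa+Xk6NKFIsGQZhFOTkV9xvbaEw2KZ14SIKK NsffEqZeQ/TUdMaHTeDXJxj1gfa+W9FK6uO1TzKrYQamdegXAv55F6KLeIPTjZj3 77AkdWuddimY3rp0gK/R1e2tkFtP/0ZeWuu1M736b6dtjXFIhzw3G8wurbGfBgfO
TebZL3Kw0X5qOlyMQyOyXXUyRZMqgW7PMloGtGQ/PJKoTzqNmyWO93QB28PGHDm8 WgnSdwgXlTmVrL9Vwnzb5FIfcM1ba5nzqDGeg7tG5RcQEGkCAwEAAaOCAo0wggKJ MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUpVm+qZ/cdM/H1vr7emXvf14+/0AwHwYD
VR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4G CCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8G CCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzBD BgNVHREEPDA6ggkqLmRhbC5uZXSCDyouaWwudXMuZGFsLm5ldIIOKi5pcHY2LmRh
bC5uZXSCDCoudXMuZGFsLm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y ZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3ALIeBcyLos2KIE6HZvkruYolIGdr 2vpw57JJUy3vi5BeAAABb+rRlmkAAAQDAEgwRgIhAOG8C3vcxqEvj3TSqe7Y7peQ
OInmtrkR0eQ9OFLVUIeUAiEAp0ONBILMiR2i0dVimSXFJv9NJDa3wi3tt3bRF5OO eDMAdQBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAW/q0ZafAAAE AwBGMEQCIBxS2C2cCPWFKKzof8BduUN6UFiWnyoRqAGAMG36IgylAiBjFDiXnuJs bVorvhguH6J9+YcPC36yFohKBCh+V7M0nzANBgkqhkiG9w0BAQsFAAOCAQEAnDE3
p/uxes7SKdspdwIhsC4Jwn3ulm4sGcbhJVBRWyYxp7ucGJdy/PxcEfb/CD5sszbw 9hsM56B7gno8ts/yNGvpceIoGEa7oK4AycEeWfapp5M9s11HyE06HwDfTA7wc1Kv g+PkHmbqZkLziN+UdPIlRm8dSljusvsNY1cMGRt5fszMJ5+gOaC3gj2AB6+aGIeN cwwNX3BlX10v88I3OUAkDWNlmPERA5BXo88ucZ75SwRZg7H8s66wdMYFi2LvbTHV
GsXyDPVKnyViBtGCNI14UEmTDjUiHmqtzjqK2BTpSzNGYXjuPe1Zz0VIZDERPWin YxseV8k6nrZgr51Eag==
"""

# Time of the logged handshake (local time in the log; treated as UTC here).
HANDSHAKE = datetime(2020, 2, 4, 12, 41, 50, tzinfo=timezone.utc)


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_cert(pem_body):
    """Pull serial, validity, subject and SubjectPublicKeyInfo out of a PEM body."""
    der = base64.b64decode("".join(pem_body.split()))
    _, cert, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                # optional [0] EXPLICIT version
    if tag != 0xA0:
        pos = 0                               # v1 certificate: no version field
    _, serial, pos = _tlv(tbs, pos)           # serialNumber INTEGER
    _, _, pos = _tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                # issuer Name
    _, validity, pos = _tlv(tbs, pos)         # validity ::= SEQUENCE { notBefore, notAfter }
    _, not_before, vpos = _tlv(validity, 0)
    _, not_after, _ = _tlv(validity, vpos)
    start = pos
    _, _, pos = _tlv(tbs, pos)                # subject Name, kept as raw DER
    subject_der, start = tbs[start:pos], pos
    _, _, pos = _tlv(tbs, pos)                # subjectPublicKeyInfo, kept as raw DER
    return {
        "serial": serial.hex(),
        "not_before": not_before.decode(),
        "not_after": not_after.decode(),
        "subject_der": subject_der,
        "spki_sha256": hashlib.sha256(tbs[start:pos]).hexdigest(),
    }


def utctime(s):
    """Decode an X.509 UTCTime (YYMMDDhhmmssZ; RFC 5280 maps YY>=50 to 19YY)."""
    year = int(s[:2]) + (1900 if int(s[:2]) >= 50 else 2000)
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


def expired_before(info, when):
    return utctime(info["not_after"]) < when


def stunnel_local_match(local, remote):
    """Assumed stunnel verifyPeer rule (editor's reading of cert_check_local, not
    its code): same subject and same public key; serial and dates are not compared."""
    return (local["subject_der"] == remote["subject_der"]
            and local["spki_sha256"] == remote["spki_sha256"])


def report(local_pem, remote_pem, when=HANDSHAKE):
    a, b = parse_cert(local_pem), parse_cert(remote_pem)
    return {
        "same_serial": a["serial"] == b["serial"],
        "same_subject": a["subject_der"] == b["subject_der"],
        "same_public_key": a["spki_sha256"] == b["spki_sha256"],
        "local_expired_at_handshake": expired_before(a, when),
        "remote_expired_at_handshake": expired_before(b, when),
        "stunnel_would_match": stunnel_local_match(a, b),
    }


if __name__ == "__main__":
    for key, value in report(LOCAL_PEM, REMOTE_PEM).items():
        print(f"{key:28} {value}")
```

On a box with OpenSSL the same comparison is `openssl x509 -in peer-ircs.3.pem -noout -serial -dates -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` against the chain from `openssl s_client -connect halcyon.il.us.dal.net:6697 -servername halcyon.il.us.dal.net`. The practical consequence: with verifyPeer the pin survives a renewal that keeps the key and breaks on a key rotation, so an expired local copy is not by itself a failure. If the goal is to reject anything but that exact certificate, compare the full certificate fingerprint after the handshake; if the goal is ordinary PKI validation of the host, verifyChain together with checkHost and a CA file that includes the root is the fit.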