[stunnel-users] Verify = 4 Fails Yet Again

Thu Oct 24 21:57:06 CEST 2013

On 2013-10-19 03:59, Thomas Eifert wrote:
> I've just encountered another situation in which verify = 4 fails on a
> seemingly valid certificate.  Since I've previously
> posted details regarding this issue, I'm only going to post the
> certificate here.   This is the 3rd certificate I've run across
> in the past 6 months that fails to verify.  Can all 3 of the
> certificates be faulty, or is there an issue with Stunnel or
> OpenSSL here?

As strange as it may sound it just worked for me:

~/stunnel/src/tests$ cat forteinc.conf
foreground=yes
debug=7
pid=

[test_cli]
client=yes
accept=4321
connect=forteinc.com:443
cafile=forteinc.pem
verify=4

~/stunnel/src/tests$ cat forteinc.pem
-----BEGIN CERTIFICATE-----
MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x
JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL
EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0
Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K
pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj
kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl
K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b
VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV
HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM
UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j
LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j
YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n
MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG
AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv
cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm
ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg
AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg
AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg
AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu
AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp
AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC
hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh
bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd
sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh
rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA
ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg
Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX
96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue
vw2kqH9uZ7dlx7c6CA==
-----END CERTIFICATE-----

~/stunnel/src/tests$ openssl x509 -in forteinc.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert
High Assurance CA-3
        Validity
            Not Before: Jun  3 00:00:00 2013 GMT
            Not After : Aug 10 12:00:00 2016 GMT
        Subject: C=US, ST=California, L=Escondido, O=Forte Internet
Software, Inc., OU=IT, CN=*.forteinc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:
                    85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:
                    0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:
                    42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:
                    d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:
                    6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:
                    0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:
                    64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:
                    73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:
                    6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:
                    6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:
                    83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:
                    45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:
                    2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:
                    af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:
                    3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:
                    4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:
                    1a:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:

keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7

            X509v3 Subject Key Identifier:
                C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
            X509v3 Subject Alternative Name:
                DNS:*.forteinc.com, DNS:forteinc.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl3.digicert.com/ca3-g22.crl

                Full Name:
                  URI:http://crl4.digicert.com/ca3-g22.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: http://www.digicert.com/ssl-cps-repository.htm
                  User Notice:
                    Explicit Text:

            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers -
URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
         7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91:
         8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37:
         2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4:
         f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57:
         df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8:
         6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e:
         b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da:
         f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50:
         04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d:
         7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c:
         40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76:
         89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db:
         62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24:
         49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65:
         c7:b7:3a:08

~/stunnel/src/tests$ ../stunnel forteinc.conf
2013.10.24 21:45:35 LOG7[19767]: Clients allowed=500
2013.10.24 21:45:35 LOG5[19767]: stunnel 5.00 on i686-pc-linux-gnu platform
2013.10.24 21:45:35 LOG5[19767]: Compiled/running with OpenSSL
1.0.1e-fips 11 Feb 2013
2013.10.24 21:45:35 LOG5[19767]: Threading:PTHREAD Sockets:POLL,IPv6
SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
2013.10.24 21:45:35 LOG5[19767]: Reading configuration from file
forteinc.conf
2013.10.24 21:45:35 LOG5[19767]: FIPS mode is disabled
2013.10.24 21:45:35 LOG7[19767]: Compression not enabled
2013.10.24 21:45:35 LOG7[19767]: Snagged 64 random bytes from
/home/mtrojnar/.rnd
2013.10.24 21:45:35 LOG7[19767]: Wrote 1024 new random bytes to
/home/mtrojnar/.rnd
2013.10.24 21:45:35 LOG7[19767]: PRNG seeded successfully
2013.10.24 21:45:35 LOG6[19767]: Initializing service [test_cli]
2013.10.24 21:45:35 LOG7[19767]: Loaded verify certificates from
forteinc.pem
2013.10.24 21:45:35 LOG7[19767]: Loaded forteinc.pem revocation lookup file
2013.10.24 21:45:35 LOG7[19767]: SSL options set: 0x00000004
2013.10.24 21:45:35 LOG5[19767]: Configuration successful
2013.10.24 21:45:35 LOG7[19767]: Service [test_cli] (FD=7) bound to
0.0.0.0:4321
2013.10.24 21:45:35 LOG7[19767]: No pid file being created
2013.10.24 21:45:46 LOG7[19767]: Service [test_cli] accepted (FD=3) from
127.0.0.1:44011
2013.10.24 21:45:46 LOG7[19772]: Service [test_cli] started
2013.10.24 21:45:46 LOG5[19772]: Service [test_cli] accepted connection
from 127.0.0.1:44011
2013.10.24 21:45:46 LOG6[19772]: connect_blocking: connecting
64.105.44.55:443
2013.10.24 21:45:46 LOG7[19772]: connect_blocking: s_poll_wait
64.105.44.55:443: waiting 10 seconds
2013.10.24 21:45:46 LOG5[19772]: connect_blocking: connected
64.105.44.55:443
2013.10.24 21:45:46 LOG5[19772]: Service [test_cli] connected remote
server from 207.192.69.165:53779
2013.10.24 21:45:46 LOG7[19772]: Remote socket (FD=8) initialized
2013.10.24 21:45:46 LOG7[19772]: SNI: sending servername: forteinc.com
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): before/connect
initialization
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write client
hello A
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read server
hello A
2013.10.24 21:45:46 LOG7[19772]: Starting certificate verification:
depth=1, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
Assurance CA-3
2013.10.24 21:45:46 LOG6[19772]: *CERT: Invalid CA certificate ignored*
2013.10.24 21:45:46 LOG5[19772]: Certificate accepted: depth=1,
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
2013.10.24 21:45:46 LOG7[19772]: Starting certificate verification:
depth=1, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
Assurance CA-3
2013.10.24 21:45:46 LOG6[19772]: *CERT: Invalid CA certificate ignored*
2013.10.24 21:45:46 LOG5[19772]: Certificate accepted: depth=1,
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
2013.10.24 21:45:46 LOG7[19772]: Starting certificate verification:
depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software,
Inc./OU=IT/CN=*.forteinc.com
2013.10.24 21:45:46 LOG6[19772]: *CERT: Locally installed certificate
matched*
2013.10.24 21:45:46 LOG5[19772]: Certificate accepted: depth=0,
/C=US/ST=California/L=Escondido/O=Forte Internet Software,
Inc./OU=IT/CN=*.forteinc.com
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read server
certificate A
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read server
done A
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write client
key exchange A
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write change
cipher spec A
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write finished A
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 flush data
2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read finished A
2013.10.24 21:45:46 LOG7[19772]:    1 items in the session cache
2013.10.24 21:45:46 LOG7[19772]:    1 client connects (SSL_connect())
2013.10.24 21:45:46 LOG7[19772]:    1 client connects that finished
2013.10.24 21:45:46 LOG7[19772]:    0 client renegotiations requested
2013.10.24 21:45:46 LOG7[19772]:    0 server connects (SSL_accept())
2013.10.24 21:45:46 LOG7[19772]:    0 server connects that finished
2013.10.24 21:45:46 LOG7[19772]:    0 server renegotiations requested
2013.10.24 21:45:46 LOG7[19772]:    0 session cache hits
2013.10.24 21:45:46 LOG7[19772]:    0 external session cache hits
2013.10.24 21:45:46 LOG7[19772]:    0 session cache misses
2013.10.24 21:45:46 LOG7[19772]:    0 session cache timeouts
2013.10.24 21:45:46 LOG7[19772]: Peer certificate was cached (4675 bytes)
2013.10.24 21:45:46 LOG6[19772]: SSL connected: new session negotiated
2013.10.24 21:45:46 LOG6[19772]: Negotiated TLSv1/SSLv3 ciphersuite:
AES256-SHA (256-bit encryption)
2013.10.24 21:45:46 LOG6[19772]: Compression: null, expansion: null
2013.10.24 21:45:52 LOG7[19772]: SSL alert (read): warning: close notify
2013.10.24 21:45:52 LOG6[19772]: SSL closed (SSL_read)
2013.10.24 21:45:52 LOG7[19772]: Sent socket write shutdown
2013.10.24 21:45:52 LOG6[19772]: Read socket closed (hangup)
2013.10.24 21:45:52 LOG6[19772]: Write socket closed (hangup)
2013.10.24 21:45:52 LOG7[19772]: Sending close_notify alert
2013.10.24 21:45:52 LOG7[19772]: SSL alert (write): warning: close notify
2013.10.24 21:45:52 LOG6[19772]: SSL_shutdown successfully sent
close_notify alert
2013.10.24 21:45:52 LOG5[19772]: Connection closed: 16 byte(s) sent to
SSL, 501 byte(s) sent to socket
2013.10.24 21:45:52 LOG7[19772]: Remote socket (FD=8) closed
2013.10.24 21:45:52 LOG7[19772]: Local socket (FD=3) closed
2013.10.24 21:45:52 LOG7[19772]: Service [test_cli] finished (0 left)
^C2013.10.24 21:45:54 LOG7[19767]: Dispatching signals from the signal pipe
2013.10.24 21:45:54 LOG3[19767]: Received signal 2; terminating
2013.10.24 21:45:54 LOG7[19767]: Closing service [test_cli]
2013.10.24 21:45:54 LOG7[19767]: Service [test_cli] closed (FD=7)
2013.10.24 21:45:54 LOG7[19767]: Sessions cached before flush: 1
2013.10.24 21:45:54 LOG7[19767]: Sessions cached after flush: 0
2013.10.24 21:45:54 LOG7[19767]: Service [test_cli] closed
2013.10.24 21:45:54 LOG7[19767]: str_stats: 11 block(s), 1816 data
byte(s), 462 control byte(s)

Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131024/e48cd4d0/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131024/e48cd4d0/attachment.sig>