[stunnel-users] Verify = 4 Fails Yet Again
Michal Trojnara
Michal.Trojnara at mirt.net
Fri Oct 25 07:17:07 CEST 2013
On 2013-10-25 00:33, Thomas Eifert wrote:
> Here's my own test configuration:
>
> debug = 7
> fips = no
> delay = yes
> output = stunnel.log
>
> [nntps.6]
> client = yes
> cafile = peer-nntps.6.pem
> verify = 4
> accept = 127.0.0.1:119
> connect = news80.forteinc.com:443
Now I could reproduce it and the solution was trivial: your news80 host
was configured to use a different (older) certificate.
$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null |
openssl x509 -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA
Limited, CN=COMODO High-Assurance Secure Server CA
Validity
Not Before: May 2 00:00:00 2011 GMT
Not After : Jul 9 23:59:59 2013 GMT
Subject: C=US/postalCode=92026, ST=California,
L=Escondido/street=2223 Bent Tree Place, O=Forte Internet Software,
Inc., OU=Internet Services, OU=Comodo PremiumSSL Wildcard, CN=*.forteinc.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:
85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:
0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:
42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:
d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:
6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:
0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:
64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:
73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:
6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:
6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:
83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:
45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:
2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:
af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:
3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:
4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:
1a:53
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B
X509v3 Subject Key Identifier:
C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.com/CPS
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl
Authority Information Access:
CA Issuers -
URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:*.forteinc.com, DNS:forteinc.com
Signature Algorithm: sha1WithRSAEncryption
a4:a0:d9:21:f9:a7:a0:ae:66:44:fd:34:92:ac:0f:0d:cd:62:
b8:93:ec:bf:dd:0c:4d:77:31:61:3d:ff:71:52:1d:0a:23:fd:
bd:52:96:d4:85:49:7a:b9:81:72:d6:86:e4:d1:5f:c1:a4:fa:
5c:1d:b2:ce:b9:f3:bc:7e:03:5d:ea:84:7a:b4:2c:26:7f:55:
6d:93:14:3c:3a:a9:34:3a:af:a8:98:8e:7b:a8:db:f0:89:5d:
f5:5d:3d:e1:da:c2:f3:21:d1:be:e4:02:c4:83:c2:a2:d4:57:
61:e0:38:b2:0c:c6:e4:2c:de:12:ac:f9:c8:22:e2:6f:4d:44:
21:64:5f:10:c4:1a:58:6e:76:75:dd:e4:87:99:25:45:6b:73:
4c:ee:39:d5:88:a6:35:5b:92:3d:12:66:c4:26:fa:e8:74:bd:
54:44:a8:01:b7:a0:49:2f:8b:52:cc:60:91:47:f1:23:9f:3d:
e8:f4:8e:bc:46:2e:71:60:34:7d:13:80:79:e0:46:a3:e6:bf:
bf:d2:f1:3b:fb:5c:45:33:b7:c3:40:69:9a:b8:0c:06:90:1c:
53:d9:46:b7:05:e5:d8:b7:de:7f:e2:33:1f:b7:e5:67:4a:0a:
7e:8d:0e:d4:5a:03:b6:58:15:50:42:ba:92:3e:a1:00:91:1a:
5e:70:c3:2b
-----BEGIN CERTIFICATE-----
MIIFxDCCBKygAwIBAgIQLdcENyWcB0kp4B/xii8kFzANBgkqhkiG9w0BAQUFADCB
iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx
MDUwMjAwMDAwMFoXDTEzMDcwOTIzNTk1OVowgecxCzAJBgNVBAYTAlVTMQ4wDAYD
VQQREwU5MjAyNjETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJRXNjb25k
aWRvMR0wGwYDVQQJExQyMjIzIEJlbnQgVHJlZSBQbGFjZTEmMCQGA1UEChMdRm9y
dGUgSW50ZXJuZXQgU29mdHdhcmUsIEluYy4xGjAYBgNVBAsTEUludGVybmV0IFNl
cnZpY2VzMSMwIQYDVQQLExpDb21vZG8gUHJlbWl1bVNTTCBXaWxkY2FyZDEXMBUG
A1UEAxQOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0Xes5fGjw7oBT
yUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7KpokKao+M6AtL
0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSjkSxUsW62p6+q
E+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWlK0X0yUkxbkc5
o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2bVeL052E7EjTx
RvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggHGMIIBwjAfBgNVHSMEGDAWgBQ/
1bXQ1kR5UEoXo5uMSty4sCJkazAdBgNVHQ4EFgQUwgLEas/pP7rMUfpMXPrkHEg4
SWcwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI
KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRI
MEYwRKBCoECGPmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNz
dXJhbmNlU2VjdXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYB
BQUHMAKGPmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJh
bmNlU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5j
b21vZG9jYS5jb20wJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j
LmNvbTANBgkqhkiG9w0BAQUFAAOCAQEApKDZIfmnoK5mRP00kqwPDc1iuJPsv90M
TXcxYT3/cVIdCiP9vVKW1IVJermBctaG5NFfwaT6XB2yzrnzvH4DXeqEerQsJn9V
bZMUPDqpNDqvqJiOe6jb8Ild9V094drC8yHRvuQCxIPCotRXYeA4sgzG5CzeEqz5
yCLib01EIWRfEMQaWG52dd3kh5klRWtzTO451YimNVuSPRJmxCb66HS9VESoAbeg
SS+LUsxgkUfxI5896PSOvEYucWA0fROAeeBGo+a/v9LxO/tcRTO3w0BpmrgMBpAc
U9lGtwXl2Lfef+IzH7flZ0oKfo0O1FoDtlgVUEK6kj6hAJEaXnDDKw==
-----END CERTIFICATE-----
Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131025/f1bd2346/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131025/f1bd2346/attachment.sig>
More information about the stunnel-users
mailing list