[stunnel-users] Verify = 4 Fails Yet Again
Thomas Eifert
kxkvi at wi.rr.com
Fri Oct 25 17:33:28 CEST 2013
Mike,
Thanks, I tried it. I suspect they may have routed you to a different
server, because I'm not getting an expired certificate.
Here's the one I just pulled up using your openssl command:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert
High Assurance CA-3
Validity
Not Before: Jun 3 00:00:00 2013 GMT
Not After : Aug 10 12:00:00 2016 GMT
Subject: C=US, ST=California, L=Escondido, O=Forte Internet
Software, Inc., OU=IT, CN=*.forteinc.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:
85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:
0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:
42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:
d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:
6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:
0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:
64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:
73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:
6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:
6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:
83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:
45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:
2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:
af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:
3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:
4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:
1a:53
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7
X509v3 Subject Key Identifier:
C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
X509v3 Subject Alternative Name:
DNS:*.forteinc.com, DNS:forteinc.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/ca3-g22.crl
Full Name:
URI:http://crl4.digicert.com/ca3-g22.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: http://www.digicert.com/ssl-cps-repository.htm
User Notice:
Explicit Text:
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers -
URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha1WithRSAEncryption
7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91:
8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37:
2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4:
f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57:
df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8:
6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e:
b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da:
f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50:
04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d:
7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c:
40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76:
89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db:
62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24:
49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65:
c7:b7:3a:08
-----BEGIN CERTIFICATE-----
MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x
JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL
EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0
Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K
pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj
kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl
K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b
VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV
HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM
UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j
LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j
YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n
MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG
AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv
cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm
ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg
AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg
AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg
AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu
AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp
AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC
hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh
bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd
sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh
rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA
ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg
Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX
96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue
vw2kqH9uZ7dlx7c6CA==
-----END CERTIFICATE-----
This is the same certificate I've posted previously, and it's the one
that fails to verify.
Regards,
Thomas
On 10/25/2013 4:04 AM, Michal Trojnara wrote:
> On 10/25/2013 08:19 AM, Thomas Eifert wrote:
>> How would I access/save the expired certificate that you posted?
>>
>> Thanks again,
>>
>> Thomas
>>
>>
>> On 10/25/2013 12:17 AM, Michal Trojnara wrote:
>>>
>>> Now I could reproduce it and the solution was trivial: your news80
>>> host was configured to use a different (older) certificate.
>>>
>>> $ openssl s_client -connect news80.forteinc.com:443 2>/dev/null |
>>> openssl x509 -text
>
> You can access/save the expired certificate with "openssl s_client
> -connect news80.forteinc.com:443". This is how I did it.
>
> Mike
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
--
Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately.
More information about the stunnel-users
mailing list