[stunnel-users] Client Authentication and CRL Verification
Mehdi B.
likarum at gmail.com
Wed Dec 2 15:16:50 CET 2015
Hello
It's my mistake.
When I configured the server/client, I think : "Connection will open and die"
In reality, connection still opened, but the certificate is denied,
when we use it.
Sorry
2015-12-02 14:37 GMT+01:00 Michal Trojnara <Michal.Trojnara at mirt.net>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I noticed a typo in my email. What I meant was:
> "If nothing is logged *then* this instance of stunnel is not used at
> all (which clearly explains why it doesn't work as expected)."
>
> Mike
>
>
> On 02.12.2015 14:34, Michal Trojnara wrote:
>> Hi Mehdi B.,
>>
>> You still didn't include the logs of an actual attempted
>> connection.
>>
>> Every connection serviced by stunnel logs a number of lines. If
>> nothing is logged than this instance of stunnel is not used at all
>> (which clearly explains why it doesn't work as expected).
>>
>> Mike
>>
>> On 02.12.2015 14:23, Mehdi B. wrote:
>>> Hi
>>
>>> I try an easiest configuration :
>>
>>> root at auditd:~# cat /etc/stunnel/2.conf| sed '/^;/d;/^$/d' debug
>>> = 7 output = /var/lib/stunnel/2/log/2.log [2] verify = 2 CRLfile
>>> = /var/lib/stunnel/2/crl/CA.crl.pem CAFile =
>>> /var/lib/stunnel/2/ca/CA.pem cert = /var/lib/stunnel/2/2.cert
>>> key = /var/lib/stunnel/2/2.key client = yes accept = 127.0.0.1:23
>>> connect = 127.0.0.1:59062
>>
>>
>>
>>
>>> Doesn't work :
>>
>>> 2015.12.02 14:14:19 LOG7[cron]: Cron started 2015.12.02 14:14:19
>>> LOG7[ui]: Clients allowed=500 2015.12.02 14:14:19 LOG5[ui]:
>>> stunnel 5.26 on x86_64-unknown-linux-gnu platform 2015.12.02
>>> 14:14:19 LOG5[ui]: Compiled/running with OpenSSL 1.0.1e 11 Feb
>>> 2013 2015.12.02 14:14:19 LOG5[ui]: Threading:PTHREAD
>>> Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI 2015.12.02
>>> 14:14:19 LOG7[ui]: errno: (*__errno_location ()) 2015.12.02
>>> 14:14:19 LOG5[ui]: Reading configuration from file
>>> /etc/stunnel/2.conf 2015.12.02 14:14:19 LOG5[ui]: UTF-8 byte
>>> order mark not detected 2015.12.02 14:14:19 LOG5[ui]: FIPS mode
>>> disabled 2015.12.02 14:14:19 LOG7[ui]: Compression disabled
>>> 2015.12.02 14:14:19 LOG7[ui]: Snagged 64 random bytes from
>>> /root/.rnd 2015.12.02 14:14:19 LOG7[ui]: Wrote 1024 new random
>>> bytes to /root/.rnd 2015.12.02 14:14:19 LOG7[ui]: PRNG seeded
>>> successfully 2015.12.02 14:14:19 LOG6[ui]: Initializing service
>>> [2] 2015.12.02 14:14:19 LOG6[ui]: Loading certificate from file:
>>> /var/lib/stunnel/2/2.cert 2015.12.02 14:14:19 LOG6[ui]: Loading
>>> key from file: /var/lib/stunnel/2/2.key 2015.12.02 14:14:19
>>> LOG7[ui]: Private key check succeeded 2015.12.02 14:14:19
>>> LOG7[ui]: Loaded /var/lib/stunnel/2/crl/CA.crl.pem revocation
>>> lookup file 2015.12.02 14:14:19 LOG4[ui]: Service [2] uses
>>> "verify = 2" without subject checks 2015.12.02 14:14:19 LOG4[ui]:
>>> Rebuild your stunnel against OpenSSL version 1.0.2 or higher
>>> 2015.12.02 14:14:19 LOG4[ui]: Use "checkHost" or "checkIP" to
>>> restrict trusted certificates 2015.12.02 14:14:19 LOG7[ui]: SSL
>>> options: 0x03000004 (+0x03000000, -0x00000000) 2015.12.02
>>> 14:14:19 LOG5[ui]: Configuration successful 2015.12.02 14:14:19
>>> LOG7[ui]: Listening file descriptor created (FD=6) 2015.12.02
>>> 14:14:19 LOG7[ui]: Service [2] (FD=6) bound to 127.0.0.1:23
>>> 2015.12.02 14:14:19 LOG7[main]: No pid file being created
>>
>>> CRL doesn't work, because I don't do a checkHost?
>>
>>> Regards
>>
>>> 2015-12-02 13:59 GMT+01:00 Mehdi B. <likarum at gmail.com>:
>>>> Hello
>>>>
>>>> I'm affraid, but logs are activated in debug mode :
>>>>
>>>> debug = 7 output = /log/2.log
>>>>
>>>> I'll try with 5.26 and a simplest configuration
>>>>
>>>> Thank you
>>>>
>>>> 2015-12-02 13:20 GMT+01:00 Michal Trojnara
>>>> <Michal.Trojnara at mirt.net>:
>>> Hi Mehdi B.,
>>
>>> You have forgotten to include the most important parts of the log
>>> files, which are the logs of an actual attempted connection. We
>>> cannot see the certificate verification logs without it. Of
>>> course the initialization logs are also useful.
>>
>>> CRL verification was rewritten from scratch in stunnel 5.24, so
>>> please use stunnel 5.26 for testing.
>>
>>> Try to simplify your configuration as much as possible: 1. Get
>>> rid of chroot/setuid/setgid 2. Replace CApath with CAfile. 3.
>>> Replace CRLpath with CRLfile.
>>
>>> Once you get the most basic configuration working, you can re-add
>>> advanced features one-by-one to see which one causes the
>>> problem.
>>
>>> Mike
>>
>>> On 02.12.2015 12:30, Mehdi B. wrote:
>>>>>>> Hello everybody
>>>>>>>
>>>>>>> I am using stunnel in server mode with mutual
>>>>>>> authentication. Auth is ok, but the crl didn't work, and
>>>>>>> I need it in production next week.... I do many tries
>>>>>>> with CRLpath/CRLfile, with my production version (5.08),
>>>>>>> the last one (5.26)
>>>>>>>
>>>>>>> Same result. With a revoked certificate, my client
>>>>>>> connect on the server.
>>>>>>>
>>>>>>> Do you have some idea? Or maybe found my mistake?
>>>>>>>
>>>>>>>
>>>>>>> If you need something else please contact me.
>>>>>>>
>>>>>>> Stunnel 1 is the server. Stunnel 1 certificate is
>>>>>>> revoked
>>>>>>>
>>>>>>>
>>>>>>> ** Configuration **
>>>>>>>
>>>>>>>
>>>>>>> *** root at auditd:/var/lib/stunnel/2/ca# cat
>>>>>>> /etc/stunnel/1.conf *** ; * Global options *
>>>>>>>
>>>>>>> chroot = /var/lib/stunnel/1/
>>>>>>>
>>>>>>> ; Chroot jail can be escaped if setuid option is not
>>>>>>> used setuid = stunnel5 setgid = stunnel5
>>>>>>>
>>>>>>> pid = /pid/1.pid
>>>>>>>
>>>>>>> ;debug = 0 debug = 7 output = /log/1.log
>>>>>>>
>>>>>>> ;foreground = yes
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> options = NO_SSLv2 options = NO_SSLv3 options =
>>>>>>> DONT_INSERT_EMPTY_FRAGMENTS
>>>>>>>
>>>>>>> [1] verify = 2
>>>>>>>
>>>>>>> CAFile = /root/CA/CA.cert
>>>>>>>
>>>>>>> cert = /root/CA/1.cert key = /root/CA/1.key
>>>>>>>
>>>>>>> client = no accept = 127.0.0.1:59062 connect =
>>>>>>> 127.0.0.1:22 ciphers = ECDHE-RSA-AES256-GCM-SHA384
>>>>>>> sslVersion = TLSv1.2
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *** root at auditd:/var/lib/stunnel/2/ca# cat
>>>>>>> /etc/stunnel/2.conf *** ; * Global options *
>>>>>>>
>>>>>>> chroot = /var/lib/stunnel/2/
>>>>>>>
>>>>>>> ; Chroot jail can be escaped if setuid option is not
>>>>>>> used setuid = stunnel5 setgid = stunnel5
>>>>>>>
>>>>>>> pid = /pid/2.pid
>>>>>>>
>>>>>>> ;debug = 0 debug = 7 output = /log/2.log
>>>>>>>
>>>>>>> ;foreground = yes
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> options = NO_SSLv2 options = NO_SSLv3 options =
>>>>>>> DONT_INSERT_EMPTY_FRAGMENTS
>>>>>>>
>>>>>>> [2] verify = 2
>>>>>>>
>>>>>>> ;CRLfile = /var/lib/stunnel/2/CA.crl.pem ;CAFile =
>>>>>>> /var/lib/stunnel/2/CA.pem
>>>>>>>
>>>>>>> CRLpath = /crl/ CApath = /ca/
>>>>>>>
>>>>>>> cert = /var/lib/stunnel/2/2.cert key =
>>>>>>> /var/lib/stunnel/2/2.key
>>>>>>>
>>>>>>> client = yes accept = 127.0.0.1:23 connect =
>>>>>>> 127.0.0.1:59062 ciphers = ECDHE-RSA-AES256-GCM-SHA384
>>>>>>> sslVersion = TLSv1.2
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ** Logs **
>>>>>>>
>>>>>>> ==> /var/lib/stunnel/1/log/1.log <== 2015.12.02 12:11:46
>>>>>>> LOG7[25595]: Clients allowed=500 2015.12.02 12:11:46
>>>>>>> LOG5[25595]: stunnel 5.08 on x86_64-unknown-linux-gnu
>>>>>>> platform 2015.12.02 12:11:46 LOG5[25595]:
>>>>>>> Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
>>>>>>> 2015.12.02 12:11:46 LOG5[25595]: Threading:PTHREAD
>>>>>>> Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
>>>>>>> 2015.12.02 12:11:46 LOG7[25595]: errno:
>>>>>>> (*__errno_location ()) 2015.12.02 12:11:46 LOG5[25595]:
>>>>>>> Reading configuration from file /etc/stunnel/1.conf
>>>>>>> 2015.12.02 12:11:46 LOG5[25595]: UTF-8 byte order mark
>>>>>>> not detected 2015.12.02 12:11:46 LOG5[25595]: FIPS mode
>>>>>>> disabled 2015.12.02 12:11:46 LOG7[25595]: Compression
>>>>>>> disabled 2015.12.02 12:11:46 LOG7[25595]: Snagged 64
>>>>>>> random bytes from /root/.rnd 2015.12.02 12:11:46
>>>>>>> LOG7[25595]: Wrote 1024 new random bytes to /root/.rnd
>>>>>>> 2015.12.02 12:11:46 LOG7[25595]: PRNG seeded successfully
>>>>>>> 2015.12.02 12:11:46 LOG6[25595]: Initializing service [1]
>>>>>>> 2015.12.02 12:11:46 LOG6[25595]: Loading cert from file:
>>>>>>> /root/CA/1.cert 2015.12.02 12:11:46 LOG6[25595]: Loading
>>>>>>> key from file: /root/CA/1.key 2015.12.02 12:11:46
>>>>>>> LOG7[25595]: Private key check succeeded 2015.12.02
>>>>>>> 12:11:46 LOG7[25595]: Loaded /root/CA/CA.cert revocation
>>>>>>> lookup file 2015.12.02 12:11:46 LOG7[25595]: Client CA
>>>>>>> list: /root/CA/CA.cert 2015.12.02 12:11:46 LOG6[25595]:
>>>>>>> Client CA: C=FR, ST=Some-State, O=Internet Widgits Pty
>>>>>>> Ltd 2015.12.02 12:11:46 LOG7[25595]: DH initialization
>>>>>>> 2015.12.02 12:11:46 LOG7[25595]: Could not load DH
>>>>>>> parameters from /root/CA/1.cert 2015.12.02 12:11:46
>>>>>>> LOG7[25595]: Using hardcoded DH parameters 2015.12.02
>>>>>>> 12:11:46 LOG7[25595]: DH initialized with 2048-bit key
>>>>>>> 2015.12.02 12:11:46 LOG7[25595]: ECDH initialization
>>>>>>> 2015.12.02 12:11:46 LOG7[25595]: ECDH initialized with
>>>>>>> curve prime256v1 2015.12.02 12:11:46 LOG7[25595]: SSL
>>>>>>> options: 0x03000804 (+0x03000800, -0x00000000) 2015.12.02
>>>>>>> 12:11:46 LOG5[25595]: Configuration successful 2015.12.02
>>>>>>> 12:11:46 LOG7[25595]: Listening file descriptor created
>>>>>>> (FD=6) 2015.12.02 12:11:46 LOG7[25595]: Service [1]
>>>>>>> (FD=6) bound to 127.0.0.1:59062 2015.12.02 12:11:46
>>>>>>> LOG7[25596]: Created pid file /pid/1.pid
>>>>>>>
>>>>>>> ==> /var/lib/stunnel/2/log/2.log <== 2015.12.02 12:11:46
>>>>>>> LOG7[25604]: Clients allowed=500 2015.12.02 12:11:46
>>>>>>> LOG5[25604]: stunnel 5.08 on x86_64-unknown-linux-gnu
>>>>>>> platform 2015.12.02 12:11:46 LOG5[25604]:
>>>>>>> Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
>>>>>>> 2015.12.02 12:11:46 LOG5[25604]: Threading:PTHREAD
>>>>>>> Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
>>>>>>> 2015.12.02 12:11:46 LOG7[25604]: errno:
>>>>>>> (*__errno_location ()) 2015.12.02 12:11:46 LOG5[25604]:
>>>>>>> Reading configuration from file /etc/stunnel/2.conf
>>>>>>> 2015.12.02 12:11:46 LOG5[25604]: UTF-8 byte order mark
>>>>>>> not detected 2015.12.02 12:11:46 LOG5[25604]: FIPS mode
>>>>>>> disabled 2015.12.02 12:11:46 LOG7[25604]: Compression
>>>>>>> disabled 2015.12.02 12:11:46 LOG7[25604]: Snagged 64
>>>>>>> random bytes from /root/.rnd 2015.12.02 12:11:46
>>>>>>> LOG7[25604]: Wrote 1024 new random bytes to /root/.rnd
>>>>>>> 2015.12.02 12:11:46 LOG7[25604]: PRNG seeded successfully
>>>>>>> 2015.12.02 12:11:46 LOG6[25604]: Initializing service [2]
>>>>>>> 2015.12.02 12:11:46 LOG6[25604]: Loading cert from file:
>>>>>>> /var/lib/stunnel/2/2.cert 2015.12.02 12:11:46
>>>>>>> LOG6[25604]: Loading key from file:
>>>>>>> /var/lib/stunnel/2/2.key 2015.12.02 12:11:46
>>>>>>> LOG7[25604]: Private key check succeeded 2015.12.02
>>>>>>> 12:11:46 LOG7[25604]: Verify directory set to /ca/
>>>>>>> 2015.12.02 12:11:46 LOG7[25604]: Added /ca/ revocation
>>>>>>> lookup directory 2015.12.02 12:11:46 LOG7[25604]: Added
>>>>>>> /crl/ revocation lookup directory 2015.12.02 12:11:46
>>>>>>> LOG7[25604]: SSL options: 0x03000804 (+0x03000800,
>>>>>>> -0x00000000) 2015.12.02 12:11:46 LOG5[25604]:
>>>>>>> Configuration successful 2015.12.02 12:11:46 LOG7[25604]:
>>>>>>> Listening file descriptor created (FD=6) 2015.12.02
>>>>>>> 12:11:46 LOG7[25604]: Service [2] (FD=6) bound to
>>>>>>> 127.0.0.1:23 2015.12.02 12:11:46 LOG7[25605]: Created pid
>>>>>>> file /pid/2.pid
>>>>>>>
>>>>>>>
>>>>>>> ** ls **
>>>>>>>
>>>>>>> root at auditd:/var/lib/stunnel/2/ca# ll total 4 lrwxrwxrwx
>>>>>>> 1 root root 6 Dec 2 12:05 1a870aad.0 -> CA.pem
>>>>>>> lrwxrwxrwx 1 root root 6 Dec 2 12:05 aeb35906.0 ->
>>>>>>> CA.pem -rw-r----- 1 stunnel5 root 1919 Dec 1 16:55
>>>>>>> CA.pem root at auditd:/var/lib/stunnel/2/ca# ll ../crl/
>>>>>>> total 4 lrwxrwxrwx 1 root root 10 Dec 2 12:04
>>>>>>> aeb35906.r0 -> CA.crl.pem -rw-r----- 1 stunnel5 root 1129
>>>>>>> Dec 2 11:42 CA.crl.pem
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ** check openssl **
>>>>>>>
>>>>>>> root at auditd:~/stunnel-5.26# openssl verify -crl_check
>>>>>>> -CAfile /var/lib/stunnel/2/ca/aeb35906.0 -CRLfile
>>>>>>> /var/lib/stunnel/2/crl/aeb35906.r0 /root/CA/1.cert
>>>>>>> /root/CA/1.cert: C = FR, ST = FR, O = PLOP, CN = 1 error
>>>>>>> 23 at 0 depth lookup:certificate revoked
>>>>>>>
>>>>>>>
>>>>>>> ** other :**
>>>>>>>
>>>>>>> root at auditd:~/CA# openssl crl -in
>>>>>>> /opt/syslog-ng/etc/crl/1a870aad.r0 -text Certificate
>>>>>>> Revocation List (CRL): Version 2 (0x1) Signature
>>>>>>> Algorithm: sha256WithRSAEncryption Issuer:
>>>>>>> /C=FR/ST=Some-State/O=Internet Widgits Pty Ltd Last
>>>>>>> Update: Dec 2 09:04:38 2015 GMT Next Update: Jan 1
>>>>>>> 09:04:38 2016 GMT CRL extensions: X509v3 CRL Number: 2
>>>>>>> Revoked Certificates: Serial Number: 01 Revocation Date:
>>>>>>> Dec 1 14:46:38 2015 GMT Serial Number: 02 Revocation
>>>>>>> Date: Dec 2 09:04:29 2015 GMT Serial Number: 03
>>>>>>> Revocation Date: Dec 2 07:25:34 2015 GMT Serial Number:
>>>>>>> 04 Revocation Date: Dec 2 07:27:45 2015 GMT Serial
>>>>>>> Number: 05 Revocation Date: Dec 2 07:32:21 2015 GMT
>>>>>>> Serial Number: 06 Revocation Date: Dec 2 08:21:48 2015
>>>>>>> GMT Signature Algorithm: sha256WithRSAEncryption
>>>>>>> 16:24:d4:f8:77:82:7b:ca:70:1a:01:26:5f:83:9f:13:6f:51:
>>>>>>> 67:85:b0:2c:a7:25:c1:46:66:ca:b8:46:74:85:4a:ca:26:2b:
>>>>>>> ff:46:e7:91:a3:10:09:ce:6b:84:1d:58:a1:4a:1c:38:ac:1a:
>>>>>>> 58:fc:50:0a:7a:1e:1c:5c:f9:2b:ef:25:7a:93:27:b3:5e:65:
>>>>>>> d6:66:89:33:23:52:fd:0d:38:7e:66:d6:74:d7:e4:b2:72:d8:
>>>>>>> 74:49:73:d3:2a:b5:e0:23:8a:03:b5:c6:ce:2a:f4:03:ef:8c:
>>>>>>> 50:83:be:9f:68:04:47:79:ff:5d:4b:cb:8a:cd:3c:6a:5f:02:
>>>>>>> 33:e6:61:86:ff:4c:f3:74:2c:81:70:c1:13:05:43:54:1a:04:
>>>>>>> a0:7b:df:fe:f8:e5:50:53:ce:2c:04:86:36:ed:0a:98:24:72:
>>>>>>> 5e:68:1a:23:7f:8e:85:5c:2c:2b:7b:df:23:56:fe:2f:c7:da:
>>>>>>> ec:ca:8f:48:a0:29:15:72:38:e3:ff:48:1e:89:30:b1:72:1b:
>>>>>>> 21:3f:0b:e0:ad:eb:89:c3:65:70:cc:29:03:f0:6e:73:be:c8:
>>>>>>> 24:64:93:b8:7b:af:21:a0:67:24:5a:be:e8:b0:ec:e0:a1:5f:
>>>>>>> 0c:a9:e5:de:09:39:08:23:60:d9:d9:4e:07:a2:f2:1e:4f:96:
>>>>>>> 0c:b7:c6:bb:5b:2a:e3:78:92:2e:fa:39:9c:ae:d4:4c:b2:b2:
>>>>>>> e3:7f:2a:58:14:86:80:97:fd:5e:95:b1:9d:d6:23:3d:cc:ce:
>>>>>>> 2b:0b:65:b2:43:f5:15:fb:20:2c:72:8f:fd:62:7d:7f:54:80:
>>>>>>> 54:22:22:42:15:7b:27:18:2f:24:70:81:ca:44:cc:c4:d8:9c:
>>>>>>> d8:99:69:f2:fd:4a:7f:3e:11:57:91:25:d8:6f:42:ae:b0:d5:
>>>>>>> bc:fd:cd:0b:9b:a5:c2:f6:d0:ce:8b:e3:66:7b:78:03:90:a6:
>>>>>>> ca:44:f9:e1:cb:80:70:2e:db:b0:3c:d1:fc:5a:d8:f5:fd:c6:
>>>>>>> 44:5f:4f:19:f5:da:13:a5:2f:11:f3:db:73:22:a1:98:83:b0:
>>>>>>> 44:0d:2b:59:2f:3a:54:fb:00:a0:8f:1b:19:2b:c0:3c:9d:fb:
>>>>>>> f0:80:50:9a:9e:7b:b6:46:84:d3:df:b2:36:6b:d2:97:53:f9:
>>>>>>> da:1e:8c:7a:e8:40:15:17:3b:17:b7:c6:0d:e0:64:e4:68:96:
>>>>>>> 11:43:d2:d8:d4:f8:1b:7b:44:15:29:d9:ca:e5:3a:97:b6:b4:
>>>>>>> c6:b9:2b:c2:8a:6d:47:62:75:33:a1:dd:e9:93:28:eb:82:00:
>>>>>>> 8d:ef:0d:b6:17:72:a6:59:95:4c:97:fa:47:a8:ff:27:60:dd:
>>>>>>> c1:6e:6a:62:dc:1b:a8:e7 -----BEGIN X509 CRL-----
>>>>>>> MIIDGTCCAQECAQEwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCRlIxEzARBgNV
>>>>>>>
>>>>>>>
>>
>>>>>>>
> BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
>>>>>>> ZBcNMTUxMjAyMDkwNDM4WhcNMTYwMTAxMDkwNDM4WjB4MBICAQEXDTE1MTIwMTE0
>>>>>>>
>>>>>>>
>>
>>>>>>>
> NDYzOFowEgIBAhcNMTUxMjAyMDkwNDI5WjASAgEDFw0xNTEyMDIwNzI1MzRaMBIC
>>>>>>> AQQXDTE1MTIwMjA3Mjc0NVowEgIBBRcNMTUxMjAyMDczMjIxWjASAgEGFw0xNTEy
>>>>>>>
>>>>>>>
>>
>>>>>>>
> MDIwODIxNDhaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsFAAOCAgEAFiTU
>>>>>>> +HeCe8pwGgEmX4OfE29RZ4WwLKclwUZmyrhGdIVKyiYr/0bnkaMQCc5rhB1YoUoc
>>>>>>>
>>>>>>>
>>
>>>>>>>
> OKwaWPxQCnoeHFz5K+8lepMns15l1maJMyNS/Q04fmbWdNfksnLYdElz0yq14COK
>>>>>>> A7XGzir0A++MUIO+n2gER3n/XUvLis08al8CM+Zhhv9M83QsgXDBEwVDVBoEoHvf
>>>>>>>
>>>>>>>
>>
>>>>>>>
> /vjlUFPOLASGNu0KmCRyXmgaI3+OhVwsK3vfI1b+L8fa7MqPSKApFXI44/9IHokw
>>>>>>> sXIbIT8L4K3ricNlcMwpA/Buc77IJGSTuHuvIaBnJFq+6LDs4KFfDKnl3gk5CCNg
>>>>>>>
>>>>>>>
>>
>>>>>>>
> 2dlOB6LyHk+WDLfGu1sq43iSLvo5nK7UTLKy438qWBSGgJf9XpWxndYjPczOKwtl
>>>>>>> skP1FfsgLHKP/WJ9f1SAVCIiQhV7JxgvJHCBykTMxNic2Jlp8v1Kfz4RV5El2G9C
>>>>>>>
>>>>>>>
>>
>>>>>>>
> rrDVvP3NC5ulwvbQzovjZnt4A5CmykT54cuAcC7bsDzR/FrY9f3GRF9PGfXaE6Uv
>>>>>>> EfPbcyKhmIOwRA0rWS86VPsAoI8bGSvAPJ378IBQmp57tkaE09+yNmvSl1P52h6M
>>>>>>>
>>>>>>>
>>
>>>>>>>
> euhAFRc7F7fGDeBk5GiWEUPS2NT4G3tEFSnZyuU6l7a0xrkrwoptR2J1M6Hd6ZMo
>>>>>>> 64IAje8NthdyplmVTJf6R6j/J2DdwW5qYtwbqOc= -----END X509
>>>>>>> CRL-----
>>>>>>>
>>>>>>> root at auditd:~/CA# openssl x509 -in
>>>>>>> /opt/syslog-ng/etc/cert.d/1.cert -text Certificate:
>>>>>>> Data: Version: 3 (0x2) Serial Number: 6 (0x6) Signature
>>>>>>> Algorithm: sha256WithRSAEncryption Issuer: C=FR,
>>>>>>> ST=Some-State, O=Internet Widgits Pty Ltd Validity Not
>>>>>>> Before: Dec 2 07:32:36 2015 GMT Not After : Nov 29
>>>>>>> 07:32:36 2025 GMT Subject: C=FR, ST=FR, O=PLOP, CN=1
>>>>>>> Subject Public Key Info: Public Key Algorithm:
>>>>>>> rsaEncryption Public-Key: (4096 bit) Modulus:
>>>>>>> 00:ae:2a:9e:a6:6f:54:eb:f7:1f:7f:d6:67:b5:68:
>>>>>>> 11:9d:a8:79:93:78:e8:b6:48:f6:64:7e:e5:bf:72:
>>>>>>> 33:61:6f:4a:e9:c0:25:f6:61:47:de:f7:a3:5d:3d:
>>>>>>> da:fa:2d:97:08:20:5b:b1:a9:10:2b:50:18:ca:40:
>>>>>>> ea:16:f8:3d:a5:5e:cc:18:d4:80:30:62:cc:4c:b7:
>>>>>>> 2b:99:9e:6a:3a:09:97:2b:1d:79:36:d2:53:7a:8d:
>>>>>>> 96:4f:20:c0:f3:ac:e9:01:d1:a0:d7:00:37:83:1f:
>>>>>>> 64:ee:df:4f:27:61:a2:5f:94:66:be:35:58:9e:52:
>>>>>>> a0:91:0a:00:57:13:d5:b4:b3:90:10:8c:42:4f:34:
>>>>>>> 69:3f:9c:1b:7d:9b:ae:eb:79:8d:d9:9d:2c:3c:74:
>>>>>>> 58:c2:ba:a5:34:e5:15:01:45:d3:47:85:82:eb:34:
>>>>>>> b2:21:ba:97:2b:4e:90:92:4f:85:19:c7:b0:7f:cd:
>>>>>>> 8c:49:08:4e:32:d0:9e:34:af:b9:02:aa:40:2e:af:
>>>>>>> f5:6b:41:92:9f:5a:ab:09:b5:bd:7a:73:fe:4d:f4:
>>>>>>> 1b:c6:23:22:15:7c:b5:47:e1:88:bd:8a:b7:d7:1b:
>>>>>>> 5e:4a:53:f9:41:33:e9:30:97:ce:9b:b4:88:77:f6:
>>>>>>> 35:9c:47:a7:12:5d:98:9e:e4:1c:27:bf:bd:e5:85:
>>>>>>> b1:c1:1f:dc:17:03:c0:00:9f:0b:d8:40:c3:1c:31:
>>>>>>> f3:9b:60:17:05:0d:ac:79:9e:53:2b:aa:da:78:e7:
>>>>>>> f4:a8:3e:f9:14:f1:40:1f:47:df:45:c7:57:14:3d:
>>>>>>> 26:68:9c:a7:77:da:29:50:85:1c:e3:62:e6:66:f0:
>>>>>>> 5e:59:6f:35:61:32:e4:a8:7d:a1:30:b5:85:69:0e:
>>>>>>> e3:fd:8e:67:78:c3:47:58:5d:88:36:65:85:09:52:
>>>>>>> 46:47:bb:48:03:9c:e5:42:48:66:7d:34:7d:01:9c:
>>>>>>> 67:ea:82:f0:d5:4e:9b:64:0c:c6:db:1c:0d:2a:de:
>>>>>>> 67:ba:a5:04:44:4a:fc:12:94:77:b0:30:fc:d0:06:
>>>>>>> 26:d4:e8:94:ed:a1:78:4d:cd:fa:8b:a4:4e:45:fc:
>>>>>>> cf:2b:d8:47:11:e0:68:e0:78:36:34:4f:76:5c:76:
>>>>>>> 4b:69:02:4c:22:47:57:10:92:ce:b9:d8:20:7e:80:
>>>>>>> 80:a7:ca:55:7c:41:a4:0a:0e:08:e0:86:e2:63:9f:
>>>>>>> e4:f6:e0:13:fd:67:7a:14:f7:e2:fe:6e:14:2a:ba:
>>>>>>> 80:e1:29:0d:7c:5a:36:91:60:ae:9b:14:6f:1e:2d:
>>>>>>> 40:b9:28:03:e5:d6:f8:f4:64:6d:ca:8b:1d:38:48:
>>>>>>> 30:92:fa:6f:75:c9:7a:62:61:47:0e:32:3e:e5:7e: 0a:3b:d5
>>>>>>> Exponent: 65537 (0x10001) X509v3 extensions: X509v3
>>>>>>> Basic Constraints: CA:FALSE Netscape Comment: OpenSSL
>>>>>>> Generated Certificate X509v3 Subject Key Identifier:
>>>>>>> 33:1A:1E:42:87:07:1F:05:83:C6:14:DE:5D:BC:90:89:8C:10:39:44
>>>>>>>
>>>>>>>
> X509v3 Authority Key Identifier:
>>>>>>>
>>>>>>> keyid:C0:B7:97:89:CD:42:1E:6A:FB:7D:AE:3B:1E:A1:30:7E:94:FA:FB:35
>>>>>>>
>>>>>>>
>>>>>>>
>>
>>>>>>>
> X509v3 CRL Distribution Points:
>>>>>>>
>>>>>>> Full Name: URI:https://deb.plop.net/ssl/
>>>>>>>
>>>>>>> Signature Algorithm: sha256WithRSAEncryption
>>>>>>> ad:d7:d0:1f:d1:f2:10:88:d4:4c:5e:fe:80:88:96:35:55:26:
>>>>>>> 12:8d:1f:1f:38:d2:36:6e:75:00:37:e8:45:28:eb:c3:b5:e7:
>>>>>>> 71:90:91:5a:96:2d:b6:3e:5b:c0:45:84:e5:dc:07:65:63:54:
>>>>>>> b1:06:4b:6a:ee:63:80:54:63:4c:72:1a:2f:eb:00:7c:36:0b:
>>>>>>> 18:22:3a:d2:90:e6:3f:69:9a:cf:b7:50:72:19:f6:3d:d5:19:
>>>>>>> fa:2a:46:09:cf:86:f7:12:0e:2c:4a:59:6c:26:45:2b:52:90:
>>>>>>> 72:55:a9:7d:16:27:db:ba:19:cb:c8:96:4c:e1:42:79:6b:ab:
>>>>>>> f9:87:97:43:e0:d1:71:2d:ef:fc:c9:f0:02:b1:7d:6c:59:ef:
>>>>>>> fd:00:76:4b:a7:f9:9c:1a:05:90:5b:df:2e:35:52:c7:79:f9:
>>>>>>> f3:31:d5:3f:60:2a:93:78:48:19:3b:53:43:ed:ee:f0:39:c8:
>>>>>>> fa:88:b8:7e:b0:5e:ce:73:c2:b2:c2:da:95:39:d9:1e:b7:02:
>>>>>>> d7:98:20:31:d2:91:c2:c9:61:45:cd:9b:f1:54:3d:17:df:96:
>>>>>>> 09:3d:11:96:b4:97:2a:9f:e8:9e:77:d4:1b:67:d9:a1:9d:1e:
>>>>>>> b8:d9:58:3a:b4:26:24:23:d5:a0:d6:52:78:1d:2f:d9:ce:f4:
>>>>>>> 41:66:82:7c:56:d9:df:a0:08:cb:b4:ae:2a:79:16:bf:91:09:
>>>>>>> 46:be:35:17:44:73:7b:48:e0:3e:f4:03:45:a7:36:3e:8e:8e:
>>>>>>> 58:7c:02:a9:c7:9d:22:98:bc:d3:05:90:81:39:d6:00:09:a4:
>>>>>>> 33:58:0f:57:b9:a5:e2:d0:3f:e4:ad:4e:47:a4:af:98:b6:d0:
>>>>>>> 49:f0:f9:d5:9b:b1:18:c6:fb:7d:3d:18:6c:90:62:1f:cb:c9:
>>>>>>> 97:00:92:57:29:32:1d:be:02:61:af:1f:17:48:eb:6a:b0:a2:
>>>>>>> f4:96:e1:0f:24:63:11:c7:66:2f:bc:7e:c2:e0:fd:25:3c:ac:
>>>>>>> 83:5b:05:35:b3:45:64:8e:93:21:3d:ed:1c:95:ae:24:55:98:
>>>>>>> 07:5f:99:71:28:8e:01:5d:94:16:62:03:a1:63:1f:08:88:6f:
>>>>>>> 9b:0b:db:43:21:31:4a:08:a2:a2:f6:af:7a:b3:20:94:5f:7d:
>>>>>>> 2f:53:3a:20:ea:08:5f:db:38:89:24:83:bd:9c:a0:78:ea:68:
>>>>>>> cd:39:47:b8:b6:f3:f4:bb:14:cc:e8:d0:24:59:7e:fc:0f:05:
>>>>>>> e9:73:18:5b:5d:31:0b:d2:e0:17:0f:ff:0d:b8:39:54:32:42:
>>>>>>> a2:07:b3:d3:53:5c:89:f7:b4:c3:44:60:7e:0c:5f:d1:80:e8:
>>>>>>> d2:6b:89:8d:1f:a9:79:7b -----BEGIN CERTIFICATE-----
>>>>>>> MIIFnDCCA4SgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJGUjET
>>>>>>>
>>>>>>>
>>
>>>>>>>
> MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
>>>>>>> dHkgTHRkMB4XDTE1MTIwMjA3MzIzNloXDTI1MTEyOTA3MzIzNlowNDELMAkGA1UE
>>>>>>>
>>>>>>>
>>
>>>>>>>
> BhMCRlIxCzAJBgNVBAgMAkZSMQwwCgYDVQQKDANPVkgxCjAIBgNVBAMMATEwggIi
>>>>>>> MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCuKp6mb1Tr9x9/1me1aBGdqHmT
>>>>>>>
>>>>>>>
>>
>>>>>>>
> eOi2SPZkfuW/cjNhb0rpwCX2YUfe96NdPdr6LZcIIFuxqRArUBjKQOoW+D2lXswY
>>>>>>> 1IAwYsxMtyuZnmo6CZcrHXk20lN6jZZPIMDzrOkB0aDXADeDH2Tu308nYaJflGa+
>>>>>>>
>>>>>>>
>>
>>>>>>>
> NVieUqCRCgBXE9W0s5AQjEJPNGk/nBt9m67reY3ZnSw8dFjCuqU05RUBRdNHhYLr
>>>>>>> NLIhupcrTpCST4UZx7B/zYxJCE4y0J40r7kCqkAur/VrQZKfWqsJtb16c/5N9BvG
>>>>>>>
>>>>>>>
>>
>>>>>>>
> IyIVfLVH4Yi9irfXG15KU/lBM+kwl86btIh39jWcR6cSXZie5Bwnv73lhbHBH9wX
>>>>>>> A8AAnwvYQMMcMfObYBcFDax5nlMrqtp45/SoPvkU8UAfR99Fx1cUPSZonKd32ilQ
>>>>>>>
>>>>>>>
>>
>>>>>>>
> hRzjYuZm8F5ZbzVhMuSofaEwtYVpDuP9jmd4w0dYXYg2ZYUJUkZHu0gDnOVCSGZ9
>>>>>>> NH0BnGfqgvDVTptkDMbbHA0q3me6pQRESvwSlHewMPzQBibU6JTtoXhNzfqLpE5F
>>>>>>>
>>>>>>>
>>
>>>>>>>
> /M8r2EcR4GjgeDY0T3ZcdktpAkwiR1cQks652CB+gICnylV8QaQKDgjghuJjn+T2
>>>>>>> 4BP9Z3oU9+L+bhQquoDhKQ18WjaRYK6bFG8eLUC5KAPl1vj0ZG3Kix04SDCS+m91
>>>>>>>
>>>>>>>
>>
>>>>>>>
> yXpiYUcOMj7lfgo71QIDAQABo4GnMIGkMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN
>>>>>>> BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQzGh5C
>>>>>>>
>>>>>>>
>>
>>>>>>>
> hwcfBYPGFN5dvJCJjBA5RDAfBgNVHSMEGDAWgBTAt5eJzUIeavt9rjseoTB+lPr7
>>>>>>> NTApBgNVHR8EIjAgMB6gHKAahhhodHRwczovL2RlYi5vdmgubmV0L3NzbC8wDQYJ
>>>>>>>
>>>>>>>
>>
>>>>>>>
> KoZIhvcNAQELBQADggIBAK3X0B/R8hCI1Exe/oCIljVVJhKNHx840jZudQA36EUo
>>>>>>> 68O153GQkVqWLbY+W8BFhOXcB2VjVLEGS2ruY4BUY0xyGi/rAHw2CxgiOtKQ5j9p
>>>>>>>
>>>>>>>
>>
>>>>>>>
> ms+3UHIZ9j3VGfoqRgnPhvcSDixKWWwmRStSkHJVqX0WJ9u6GcvIlkzhQnlrq/mH
>>>>>>> l0Pg0XEt7/zJ8AKxfWxZ7/0Adkun+ZwaBZBb3y41Usd5+fMx1T9gKpN4SBk7U0Pt
>>>>>>>
>>>>>>>
>>
>>>>>>>
> 7vA5yPqIuH6wXs5zwrLC2pU52R63AteYIDHSkcLJYUXNm/FUPRfflgk9EZa0lyqf
>>>>>>> 6J531Btn2aGdHrjZWDq0JiQj1aDWUngdL9nO9EFmgnxW2d+gCMu0rip5Fr+RCUa+
>>>>>>>
>>>>>>>
>>
>>>>>>>
> NRdEc3tI4D70A0WnNj6Ojlh8AqnHnSKYvNMFkIE51gAJpDNYD1e5peLQP+StTkek
>>>>>>> r5i20Enw+dWbsRjG+309GGyQYh/LyZcAklcpMh2+AmGvHxdI62qwovSW4Q8kYxHH
>>>>>>>
>>>>>>>
>>
>>>>>>>
> Zi+8fsLg/SU8rINbBTWzRWSOkyE97RyVriRVmAdfmXEojgFdlBZiA6FjHwiIb5sL
>>>>>>> 20MhMUoIoqL2r3qzIJRffS9TOiDqCF/bOIkkg72coHjqaM05R7i28/S7FMzo0CRZ
>>>>>>>
>>>>>>>
>>
>>>>>>>
> fvwPBelzGFtdMQvS4BcP/w24OVQyQqIHs9NTXIn3tMNEYH4MX9GA6NJriY0fqXl7
>>>>>>> -----END CERTIFICATE-----
>>>>>>> _______________________________________________
>>>>>>> stunnel-users mailing list stunnel-users at stunnel.org
>>>>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>>>>
>>>>>
>>>>>>>
>>
>>>>>>>
> _______________________________________________
>>>>> stunnel-users mailing list stunnel-users at stunnel.org
>>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJWXvQyAAoJEC78f/DUFuAUd0YP/2OJ0rzsSJETkceYlOFCzqdz
> +hHZnYj0QFVjCBuecyzxIK904LV5660u7TrZRJujid98WMfOiFZWJFFmOcOItale
> LLENbI2LfM+T0QAr7BiIYMjgQIm0ONz/odabKl0Le6blXr0mIcyQMpM5OEfn0diP
> gcSxQO51tCtFoXZP0z9yvfWznioSaiaiRrBezPqXRRPiBqVzHzkdD+xDHLEaqS9J
> sRvm4sHlXCHMn1BaijZqaqHYKbxlNoDbxcvFxz8NmVthw0/g3uaX48cRUllSLeCu
> /Jm9tn7rvC5JXdg+uVSQQkwTSlAvmV0t5I01C1Akr6Sf/4nnYri738PCMwqZ9baY
> wT6tXBxHZDA4W5rtVTRGRMpx3gI3AH8ec5wbMvZiIfZZsGuIKzBcN8YnaHeE5YPj
> 8jIFtyVqNwg+pZifkIFLhCCjur0hyGS2gRiIlpCKBH/BZRazVDQA0XathYZVBykf
> IbJ1Cvf8oMuCZ2p5yiL7hiW78lSi2S5lhPWtAzSoZtjqouJyY6ipH/B35sBFeR5G
> QWMEOnSH89U24ztXm/+EBoCGfsvKLsGQITnB9XLjQRUbjaHSfbT5y3FbaYt4LbhD
> /Hq0/ECasrAscPBewo8OFgcJyWEBFBK6t8FqFgQu33LsQOtEh390XVRK/smYUAdG
> iSshl1AJJTl36JaCALXE
> =buSC
> -----END PGP SIGNATURE-----
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
More information about the stunnel-users
mailing list