[stunnel-users] Verify = 4 Fails Yet Again

Michal Trojnara Michal.Trojnara at mirt.net
Fri Oct 25 07:17:07 CEST 2013


On 2013-10-25 00:33, Thomas Eifert wrote:
> Here's my own test configuration:
>
> debug = 7
> fips = no
> delay = yes
> output = stunnel.log
>
> [nntps.6]
> client = yes
> cafile = peer-nntps.6.pem
> verify = 4
> accept = 127.0.0.1:119
> connect = news80.forteinc.com:443

Now I could reproduce it and the solution was trivial: your news80 host
was configured to use a different (older) certificate.

$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null |
openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA
Limited, CN=COMODO High-Assurance Secure Server CA
        Validity
            Not Before: May  2 00:00:00 2011 GMT
            Not After : Jul  9 23:59:59 2013 GMT
        Subject: C=US/postalCode=92026, ST=California,
L=Escondido/street=2223 Bent Tree Place, O=Forte Internet Software,
Inc., OU=Internet Services, OU=Comodo PremiumSSL Wildcard, CN=*.forteinc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:
                    85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:
                    0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:
                    42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:
                    d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:
                    6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:
                    0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:
                    64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:
                    73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:
                    6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:
                    6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:
                    83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:
                    45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:
                    2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:
                    af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:
                    3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:
                    4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:
                    1a:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
               
keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B

            X509v3 Subject Key Identifier:
                C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
                  CPS: https://secure.comodo.com/CPS

            X509v3 CRL Distribution Points:

                Full Name:
                 
URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl

            Authority Information Access:
                CA Issuers -
URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name:
                DNS:*.forteinc.com, DNS:forteinc.com
    Signature Algorithm: sha1WithRSAEncryption
         a4:a0:d9:21:f9:a7:a0:ae:66:44:fd:34:92:ac:0f:0d:cd:62:
         b8:93:ec:bf:dd:0c:4d:77:31:61:3d:ff:71:52:1d:0a:23:fd:
         bd:52:96:d4:85:49:7a:b9:81:72:d6:86:e4:d1:5f:c1:a4:fa:
         5c:1d:b2:ce:b9:f3:bc:7e:03:5d:ea:84:7a:b4:2c:26:7f:55:
         6d:93:14:3c:3a:a9:34:3a:af:a8:98:8e:7b:a8:db:f0:89:5d:
         f5:5d:3d:e1:da:c2:f3:21:d1:be:e4:02:c4:83:c2:a2:d4:57:
         61:e0:38:b2:0c:c6:e4:2c:de:12:ac:f9:c8:22:e2:6f:4d:44:
         21:64:5f:10:c4:1a:58:6e:76:75:dd:e4:87:99:25:45:6b:73:
         4c:ee:39:d5:88:a6:35:5b:92:3d:12:66:c4:26:fa:e8:74:bd:
         54:44:a8:01:b7:a0:49:2f:8b:52:cc:60:91:47:f1:23:9f:3d:
         e8:f4:8e:bc:46:2e:71:60:34:7d:13:80:79:e0:46:a3:e6:bf:
         bf:d2:f1:3b:fb:5c:45:33:b7:c3:40:69:9a:b8:0c:06:90:1c:
         53:d9:46:b7:05:e5:d8:b7:de:7f:e2:33:1f:b7:e5:67:4a:0a:
         7e:8d:0e:d4:5a:03:b6:58:15:50:42:ba:92:3e:a1:00:91:1a:
         5e:70:c3:2b
-----BEGIN CERTIFICATE-----
MIIFxDCCBKygAwIBAgIQLdcENyWcB0kp4B/xii8kFzANBgkqhkiG9w0BAQUFADCB
iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx
MDUwMjAwMDAwMFoXDTEzMDcwOTIzNTk1OVowgecxCzAJBgNVBAYTAlVTMQ4wDAYD
VQQREwU5MjAyNjETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJRXNjb25k
aWRvMR0wGwYDVQQJExQyMjIzIEJlbnQgVHJlZSBQbGFjZTEmMCQGA1UEChMdRm9y
dGUgSW50ZXJuZXQgU29mdHdhcmUsIEluYy4xGjAYBgNVBAsTEUludGVybmV0IFNl
cnZpY2VzMSMwIQYDVQQLExpDb21vZG8gUHJlbWl1bVNTTCBXaWxkY2FyZDEXMBUG
A1UEAxQOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0Xes5fGjw7oBT
yUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7KpokKao+M6AtL
0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSjkSxUsW62p6+q
E+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWlK0X0yUkxbkc5
o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2bVeL052E7EjTx
RvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggHGMIIBwjAfBgNVHSMEGDAWgBQ/
1bXQ1kR5UEoXo5uMSty4sCJkazAdBgNVHQ4EFgQUwgLEas/pP7rMUfpMXPrkHEg4
SWcwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI
KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRI
MEYwRKBCoECGPmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNz
dXJhbmNlU2VjdXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYB
BQUHMAKGPmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJh
bmNlU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5j
b21vZG9jYS5jb20wJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j
LmNvbTANBgkqhkiG9w0BAQUFAAOCAQEApKDZIfmnoK5mRP00kqwPDc1iuJPsv90M
TXcxYT3/cVIdCiP9vVKW1IVJermBctaG5NFfwaT6XB2yzrnzvH4DXeqEerQsJn9V
bZMUPDqpNDqvqJiOe6jb8Ild9V094drC8yHRvuQCxIPCotRXYeA4sgzG5CzeEqz5
yCLib01EIWRfEMQaWG52dd3kh5klRWtzTO451YimNVuSPRJmxCb66HS9VESoAbeg
SS+LUsxgkUfxI5896PSOvEYucWA0fROAeeBGo+a/v9LxO/tcRTO3w0BpmrgMBpAc
U9lGtwXl2Lfef+IzH7flZ0oKfo0O1FoDtlgVUEK6kj6hAJEaXnDDKw==
-----END CERTIFICATE-----

Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131025/f1bd2346/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131025/f1bd2346/attachment-0001.sig>


More information about the stunnel-users mailing list