[stunnel-users] Verify = 4 Fails Yet Again

Thomas Eifert kxkvi at wi.rr.com
Fri Oct 25 08:19:07 CEST 2013


Mike,

Thanks for the follow-up.

I'm unable to access the expired certificate.  I'm just using Stunnel's 
built-in peer certificate save function.
When I do this, here's the certificate that gets saved after I connect 
to news80.  It has a valid date range:

WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6
     Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
         Validity
             Not Before: Jun  3 00:00:00 2013 GMT
             Not After : Aug 10 12:00:00 2016 GMT
         Subject: C=US, ST=California, L=Escondido, O=Forte Internet Software, Inc., OU=IT, CN=*.forteinc.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:
                     85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:
                     0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:
                     42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:
                     d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:
                     6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:
                     0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:
                     64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:
                     73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:
                     6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:
                     6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:
                     83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:
                     45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:
                     2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:
                     af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:
                     3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:
                     4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:
                     1a:53
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Authority Key Identifier:
                 keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7

             X509v3 Subject Key Identifier:
                 C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
             X509v3 Subject Alternative Name:
                 DNS:*.forteinc.com, DNS:forteinc.com
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 CRL Distribution Points:

                 Full Name:
                   URI:http://crl3.digicert.com/ca3-g22.crl

                 Full Name:
                   URI:http://crl4.digicert.com/ca3-g22.crl

             X509v3 Certificate Policies:
                 Policy: 2.16.840.1.114412.1.1
                   CPS: http://www.digicert.com/ssl-cps-repository.htm
                   User Notice:
                     Explicit Text:

             Authority Information Access:
                 OCSP - URI:http://ocsp.digicert.com
                 CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt

             X509v3 Basic Constraints: critical
                 CA:FALSE
     Signature Algorithm: sha1WithRSAEncryption
          7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91:
          8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37:
          2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4:
          f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57:
          df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8:
          6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e:
          b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da:
          f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50:
          04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d:
          7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c:
          40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76:
          89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db:
          62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24:
          49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65:
          c7:b7:3a:08


How would I access/save the expired certificate that you posted?

Thanks again,

Thomas


On 10/25/2013 12:17 AM, Michal Trojnara wrote:
>
> Now I could reproduce it and the solution was trivial: your news80 
> host was configured to use a different (older) certificate.
>
> $ openssl s_client -connect news80.forteinc.com:443 2>/dev/null | 
> openssl x509 -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA
>         Validity
>             Not Before: May  2 00:00:00 2011 GMT
>             Not After : Jul  9 23:59:59 2013 GMT
>         Subject: C=US/postalCode=92026, ST=California, L=Escondido/street=2223 Bent Tree Place, O=Forte Internet Software, Inc., OU=Internet Services, OU=Comodo PremiumSSL Wildcard, CN=*.forteinc.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:
>                     85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:
>                     0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:
>                     42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:
>                     d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:
>                     6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:
>                     0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:
>                     64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:
>                     73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:
>                     6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:
>                     6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:
>                     83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:
>                     45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:
>                     2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:
>                     af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:
>                     3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:
>                     4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:
>                     1a:53
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B
>
>             X509v3 Subject Key Identifier:
>                 C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 Certificate Policies:
>                 Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
>                   CPS: https://secure.comodo.com/CPS
>
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl
>
>             Authority Information Access:
>                 CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt
>                 OCSP - URI:http://ocsp.comodoca.com
>
>             X509v3 Subject Alternative Name:
>                 DNS:*.forteinc.com, DNS:forteinc.com
>     Signature Algorithm: sha1WithRSAEncryption
>          a4:a0:d9:21:f9:a7:a0:ae:66:44:fd:34:92:ac:0f:0d:cd:62:
>          b8:93:ec:bf:dd:0c:4d:77:31:61:3d:ff:71:52:1d:0a:23:fd:
>          bd:52:96:d4:85:49:7a:b9:81:72:d6:86:e4:d1:5f:c1:a4:fa:
>          5c:1d:b2:ce:b9:f3:bc:7e:03:5d:ea:84:7a:b4:2c:26:7f:55:
>          6d:93:14:3c:3a:a9:34:3a:af:a8:98:8e:7b:a8:db:f0:89:5d:
>          f5:5d:3d:e1:da:c2:f3:21:d1:be:e4:02:c4:83:c2:a2:d4:57:
>          61:e0:38:b2:0c:c6:e4:2c:de:12:ac:f9:c8:22:e2:6f:4d:44:
>          21:64:5f:10:c4:1a:58:6e:76:75:dd:e4:87:99:25:45:6b:73:
>          4c:ee:39:d5:88:a6:35:5b:92:3d:12:66:c4:26:fa:e8:74:bd:
>          54:44:a8:01:b7:a0:49:2f:8b:52:cc:60:91:47:f1:23:9f:3d:
>          e8:f4:8e:bc:46:2e:71:60:34:7d:13:80:79:e0:46:a3:e6:bf:
>          bf:d2:f1:3b:fb:5c:45:33:b7:c3:40:69:9a:b8:0c:06:90:1c:
>          53:d9:46:b7:05:e5:d8:b7:de:7f:e2:33:1f:b7:e5:67:4a:0a:
>          7e:8d:0e:d4:5a:03:b6:58:15:50:42:ba:92:3e:a1:00:91:1a:
>          5e:70:c3:2b

-- 
Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately.
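The check the exchange above turns on, as an added example that is neither stunnel's nor the posters' code: read the serial, validity window and fingerprint straight out of a DER certificate (the PEM stunnel saves can be converted with the standard `ssl.PEM_cert_to_DER_cert`) and test whether the window covers the date of the connection. `SAMPLE_DER` is a constructed skeleton that borrows only the serial and dates of the expired certificate quoted in the reply; it is not that certificate.

```python
import hashlib
from datetime import datetime, timezone

def _tlv(buf, pos=0):
    """Decode one ASN.1 TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value (SEQUENCE) into its [(tag, value), ...] members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, raw):
    """UTCTime (0x17) is YYMMDDHHMMSSZ; GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_info(der):
    """Serial, notBefore, notAfter and SHA-1 fingerprint of a DER cert, as 'openssl x509' prints them."""
    fields = _children(_children(_tlv(der)[1])[0][1])  # Certificate -> tbsCertificate -> members
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])                 # serial, sigAlg, issuer, validity, ...
    return {"serial": fields[0][1].hex(":"),
            "not_before": _time(*validity[0]), "not_after": _time(*validity[1]),
            "sha1": ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())}

def valid_at(der, when):
    """True when the certificate's validity window covers the (timezone-aware) instant `when`."""
    info = cert_info(der)
    return info["not_before"] <= when <= info["not_after"]

def _enc(tag, value):
    """DER-encode one TLV (short-form lengths only; enough for the constructed sample)."""
    return bytes([tag, len(value)]) + value

# Constructed stand-in for the expired news80 certificate quoted in the thread: same serial and validity
# dates, but empty issuer/subject/key/signature placeholders, so it parses yet is not a real certificate.
SAMPLE_DER = _enc(0x30,
    _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02"))                                  # [0] version v3
               + _enc(0x02, bytes.fromhex("2dd70437259c074929e01ff18a2f2417"))  # serialNumber
               + _enc(0x30, b"") + _enc(0x30, b"")                              # signature, issuer
               + _enc(0x30, _enc(0x17, b"110502000000Z") + _enc(0x17, b"130709235959Z")))
    + _enc(0x30, b"") + _enc(0x03, b"\x00"))                                    # sigAlg, signature
```

Comparing `serial` and `sha1` of the certificate a host actually presents against the saved peer file shows immediately whether the two are the same certificate, which is the mismatch the reply diagnosed.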
