[stunnel-users] Client Authentication and CRL Verification

Michal Trojnara Michal.Trojnara at mirt.net
Wed Dec 2 13:20:45 CET 2015


Hi Mehdi B.,

You have forgotten to include the most important parts of the log
files, which are the logs of an actual attempted connection.  We
cannot see the certificate verification logs without them.
Of course the initialization logs are also useful.

CRL verification was rewritten from scratch in stunnel 5.24, so please
use stunnel 5.26 for testing.

Try to simplify your configuration as much as possible:
1. Get rid of chroot/setuid/setgid
2. Replace CApath with CAfile.
3. Replace CRLpath with CRLfile.

Once you get the most basic configuration working, you can re-add
advanced features one-by-one to see which one causes the problem.

Mike

On 02.12.2015 12:30, Mehdi B. wrote:
> Hello everybody
> 
> I am using stunnel in server mode with mutual authentication. Auth
> is OK, but the CRL didn't work, and I need it in production next
> week... I made many attempts with CRLpath/CRLfile, with my production
> version (5.08) and the latest one (5.26).
>
> Same result. With a revoked certificate, my client connects to the
> server.
>
> Do you have any ideas? Or maybe you can find my mistake?
> 
> 
> If you need something else please contact me.
> 
> Stunnel 1 is the server. Stunnel 1 certificate is revoked
> 
> 
> ** Configuration **
> 
> 
> *** root@auditd:/var/lib/stunnel/2/ca# cat /etc/stunnel/1.conf ***
> ; * Global options *
>
> chroot = /var/lib/stunnel/1/
>
> ; Chroot jail can be escaped if setuid option is not used
> setuid = stunnel5
> setgid = stunnel5
>
> pid = /pid/1.pid
>
> ;debug = 0
> debug = 7
> output = /log/1.log
>
> ;foreground = yes
>
> options = NO_SSLv2
> options = NO_SSLv3
> options = DONT_INSERT_EMPTY_FRAGMENTS
>
> [1]
> verify = 2
>
> CAFile = /root/CA/CA.cert
>
> cert = /root/CA/1.cert
> key  = /root/CA/1.key
>
> client = no
> accept = 127.0.0.1:59062
> connect = 127.0.0.1:22
> ciphers = ECDHE-RSA-AES256-GCM-SHA384
> sslVersion = TLSv1.2
> 
> 
> 
> *** root@auditd:/var/lib/stunnel/2/ca# cat /etc/stunnel/2.conf ***
> ; * Global options *
>
> chroot = /var/lib/stunnel/2/
>
> ; Chroot jail can be escaped if setuid option is not used
> setuid = stunnel5
> setgid = stunnel5
>
> pid = /pid/2.pid
>
> ;debug = 0
> debug = 7
> output = /log/2.log
>
> ;foreground = yes
>
> options = NO_SSLv2
> options = NO_SSLv3
> options = DONT_INSERT_EMPTY_FRAGMENTS
>
> [2]
> verify = 2
>
> ;CRLfile = /var/lib/stunnel/2/CA.crl.pem
> ;CAFile = /var/lib/stunnel/2/CA.pem
>
> CRLpath = /crl/
> CApath = /ca/
>
> cert = /var/lib/stunnel/2/2.cert
> key  = /var/lib/stunnel/2/2.key
>
> client = yes
> accept = 127.0.0.1:23
> connect = 127.0.0.1:59062
> ciphers = ECDHE-RSA-AES256-GCM-SHA384
> sslVersion = TLSv1.2
> 
> 
> 
> 
> 
> 
> ** Logs **
> 
> ==> /var/lib/stunnel/1/log/1.log <==
> 2015.12.02 12:11:46 LOG7[25595]: Clients allowed=500
> 2015.12.02 12:11:46 LOG5[25595]: stunnel 5.08 on x86_64-unknown-linux-gnu platform
> 2015.12.02 12:11:46 LOG5[25595]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
> 2015.12.02 12:11:46 LOG5[25595]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
> 2015.12.02 12:11:46 LOG7[25595]: errno: (*__errno_location ())
> 2015.12.02 12:11:46 LOG5[25595]: Reading configuration from file /etc/stunnel/1.conf
> 2015.12.02 12:11:46 LOG5[25595]: UTF-8 byte order mark not detected
> 2015.12.02 12:11:46 LOG5[25595]: FIPS mode disabled
> 2015.12.02 12:11:46 LOG7[25595]: Compression disabled
> 2015.12.02 12:11:46 LOG7[25595]: Snagged 64 random bytes from /root/.rnd
> 2015.12.02 12:11:46 LOG7[25595]: Wrote 1024 new random bytes to /root/.rnd
> 2015.12.02 12:11:46 LOG7[25595]: PRNG seeded successfully
> 2015.12.02 12:11:46 LOG6[25595]: Initializing service [1]
> 2015.12.02 12:11:46 LOG6[25595]: Loading cert from file: /root/CA/1.cert
> 2015.12.02 12:11:46 LOG6[25595]: Loading key from file: /root/CA/1.key
> 2015.12.02 12:11:46 LOG7[25595]: Private key check succeeded
> 2015.12.02 12:11:46 LOG7[25595]: Loaded /root/CA/CA.cert revocation lookup file
> 2015.12.02 12:11:46 LOG7[25595]: Client CA list: /root/CA/CA.cert
> 2015.12.02 12:11:46 LOG6[25595]: Client CA: C=FR, ST=Some-State, O=Internet Widgits Pty Ltd
> 2015.12.02 12:11:46 LOG7[25595]: DH initialization
> 2015.12.02 12:11:46 LOG7[25595]: Could not load DH parameters from /root/CA/1.cert
> 2015.12.02 12:11:46 LOG7[25595]: Using hardcoded DH parameters
> 2015.12.02 12:11:46 LOG7[25595]: DH initialized with 2048-bit key
> 2015.12.02 12:11:46 LOG7[25595]: ECDH initialization
> 2015.12.02 12:11:46 LOG7[25595]: ECDH initialized with curve prime256v1
> 2015.12.02 12:11:46 LOG7[25595]: SSL options: 0x03000804 (+0x03000800, -0x00000000)
> 2015.12.02 12:11:46 LOG5[25595]: Configuration successful
> 2015.12.02 12:11:46 LOG7[25595]: Listening file descriptor created (FD=6)
> 2015.12.02 12:11:46 LOG7[25595]: Service [1] (FD=6) bound to 127.0.0.1:59062
> 2015.12.02 12:11:46 LOG7[25596]: Created pid file /pid/1.pid
> 
> ==> /var/lib/stunnel/2/log/2.log <==
> 2015.12.02 12:11:46 LOG7[25604]: Clients allowed=500
> 2015.12.02 12:11:46 LOG5[25604]: stunnel 5.08 on x86_64-unknown-linux-gnu platform
> 2015.12.02 12:11:46 LOG5[25604]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
> 2015.12.02 12:11:46 LOG5[25604]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
> 2015.12.02 12:11:46 LOG7[25604]: errno: (*__errno_location ())
> 2015.12.02 12:11:46 LOG5[25604]: Reading configuration from file /etc/stunnel/2.conf
> 2015.12.02 12:11:46 LOG5[25604]: UTF-8 byte order mark not detected
> 2015.12.02 12:11:46 LOG5[25604]: FIPS mode disabled
> 2015.12.02 12:11:46 LOG7[25604]: Compression disabled
> 2015.12.02 12:11:46 LOG7[25604]: Snagged 64 random bytes from /root/.rnd
> 2015.12.02 12:11:46 LOG7[25604]: Wrote 1024 new random bytes to /root/.rnd
> 2015.12.02 12:11:46 LOG7[25604]: PRNG seeded successfully
> 2015.12.02 12:11:46 LOG6[25604]: Initializing service [2]
> 2015.12.02 12:11:46 LOG6[25604]: Loading cert from file: /var/lib/stunnel/2/2.cert
> 2015.12.02 12:11:46 LOG6[25604]: Loading key from file: /var/lib/stunnel/2/2.key
> 2015.12.02 12:11:46 LOG7[25604]: Private key check succeeded
> 2015.12.02 12:11:46 LOG7[25604]: Verify directory set to /ca/
> 2015.12.02 12:11:46 LOG7[25604]: Added /ca/ revocation lookup directory
> 2015.12.02 12:11:46 LOG7[25604]: Added /crl/ revocation lookup directory
> 2015.12.02 12:11:46 LOG7[25604]: SSL options: 0x03000804 (+0x03000800, -0x00000000)
> 2015.12.02 12:11:46 LOG5[25604]: Configuration successful
> 2015.12.02 12:11:46 LOG7[25604]: Listening file descriptor created (FD=6)
> 2015.12.02 12:11:46 LOG7[25604]: Service [2] (FD=6) bound to 127.0.0.1:23
> 2015.12.02 12:11:46 LOG7[25605]: Created pid file /pid/2.pid
> 
> 
> ** ls **
> 
> root@auditd:/var/lib/stunnel/2/ca# ll
> total 4
> lrwxrwxrwx 1 root     root    6 Dec  2 12:05 1a870aad.0 -> CA.pem
> lrwxrwxrwx 1 root     root    6 Dec  2 12:05 aeb35906.0 -> CA.pem
> -rw-r----- 1 stunnel5 root 1919 Dec  1 16:55 CA.pem
> root@auditd:/var/lib/stunnel/2/ca# ll ../crl/
> total 4
> lrwxrwxrwx 1 root     root   10 Dec  2 12:04 aeb35906.r0 -> CA.crl.pem
> -rw-r----- 1 stunnel5 root 1129 Dec  2 11:42 CA.crl.pem
> 
> 
> 
> ** check openssl **
> 
> root@auditd:~/stunnel-5.26# openssl verify -crl_check -CAfile /var/lib/stunnel/2/ca/aeb35906.0 -CRLfile /var/lib/stunnel/2/crl/aeb35906.r0 /root/CA/1.cert
> /root/CA/1.cert: C = FR, ST = FR, O = PLOP, CN = 1
> error 23 at 0 depth lookup:certificate revoked
> 
> 
> ** other :**
> 
> root@auditd:~/CA# openssl crl -in /opt/syslog-ng/etc/crl/1a870aad.r0 -text
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: /C=FR/ST=Some-State/O=Internet Widgits Pty Ltd
>         Last Update: Dec  2 09:04:38 2015 GMT
>         Next Update: Jan  1 09:04:38 2016 GMT
>         CRL extensions:
>             X509v3 CRL Number:
>                 2
> Revoked Certificates:
>     Serial Number: 01
>         Revocation Date: Dec  1 14:46:38 2015 GMT
>     Serial Number: 02
>         Revocation Date: Dec  2 09:04:29 2015 GMT
>     Serial Number: 03
>         Revocation Date: Dec  2 07:25:34 2015 GMT
>     Serial Number: 04
>         Revocation Date: Dec  2 07:27:45 2015 GMT
>     Serial Number: 05
>         Revocation Date: Dec  2 07:32:21 2015 GMT
>     Serial Number: 06
>         Revocation Date: Dec  2 08:21:48 2015 GMT
>     Signature Algorithm: sha256WithRSAEncryption
> 
> root@auditd:~/CA# openssl x509 -in /opt/syslog-ng/etc/cert.d/1.cert -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 6 (0x6)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=FR, ST=Some-State, O=Internet Widgits Pty Ltd
>         Validity
>             Not Before: Dec  2 07:32:36 2015 GMT
>             Not After : Nov 29 07:32:36 2025 GMT
>         Subject: C=FR, ST=FR, O=PLOP, CN=1
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 33:1A:1E:42:87:07:1F:05:83:C6:14:DE:5D:BC:90:89:8C:10:39:44
>             X509v3 Authority Key Identifier:
>                 keyid:C0:B7:97:89:CD:42:1E:6A:FB:7D:AE:3B:1E:A1:30:7E:94:FA:FB:35
>             X509v3 CRL Distribution Points:
>                 Full Name:
>                   URI:https://deb.plop.net/ssl/
>     Signature Algorithm: sha256WithRSAEncryption
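The three simplification steps from the reply, applied to the client configuration (2.conf) quoted above. This is an added example, not part of the original thread or of stunnel's documentation; the paths are the ones that appear in the post, while `foreground = yes`, the empty `pid =`, and dropping the `options` lines are choices made here for a test run.

```ini
; Added example: minimal client test configuration for CRL debugging.
; Paths are taken from the post above; adjust them to your own layout.

; Step 1: no chroot/setuid/setgid, so every path below is a real
; filesystem path rather than one relative to a jail.
foreground = yes
; Empty value: do not create a pid file for this test run.
pid =
debug = 7
output = /var/lib/stunnel/2/log/2.log

[2]
client = yes
accept = 127.0.0.1:23
connect = 127.0.0.1:59062

cert = /var/lib/stunnel/2/2.cert
key = /var/lib/stunnel/2/2.key

; Steps 2 and 3: a single CA file and a single CRL file instead of
; hashed CApath/CRLpath directories.
verify = 2
CAfile = /var/lib/stunnel/2/CA.pem
CRLfile = /var/lib/stunnel/2/CA.crl.pem

ciphers = ECDHE-RSA-AES256-GCM-SHA384
sslVersion = TLSv1.2
```

Certificate verification is logged only when a connection is actually attempted, so connect to 127.0.0.1:23 after starting stunnel with this file and capture the log from that attempt.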

