<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 2013-10-19 03:59, Thomas Eifert
      wrote:<br>
    </div>
    <blockquote cite="mid:5261E76F.3000103@wi.rr.com" type="cite">I've
      just encountered another situation in which verify = 4 fails on a
      seemingly valid certificate. Since I've previously posted details
      regarding this issue, I'm only going to post the certificate here.
      This is the 3rd certificate I've run across in the past 6 months
      that fails to verify. Can all 3 of the certificates be faulty, or is
      there an issue with Stunnel or OpenSSL here?<br>
    </blockquote>
    <br>
    As strange as it may sound, it just worked for me:<br>
    <br>
    ~/stunnel/src/tests$ cat forteinc.conf<br>
    foreground=yes<br>
    debug=7<br>
    pid=<br>
    <br>
    [test_cli]<br>
    client=yes<br>
    accept=4321<br>
    connect=forteinc.com:443<br>
    cafile=forteinc.pem<br>
    verify=4<br>
    <br>
    ~/stunnel/src/tests$ cat forteinc.pem<br>
    -----BEGIN CERTIFICATE-----<br>
    MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm<br>
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3<br>
    d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j<br>
    ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV<br>
    BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x<br>
    JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL<br>
    EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA<br>
    A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0<br>
    Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K<br>
    pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj<br>
    kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl<br>
    K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b<br>
    VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV<br>
    HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM<br>
    UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j<br>
    LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF<br>
    BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j<br>
    YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n<br>
    MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG<br>
    AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv<br>
    cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm<br>
    ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp<br>
    AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg<br>
    AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg<br>
    AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg<br>
    AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu<br>
    AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp<br>
    AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk<br>
    BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC<br>
    hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh<br>
    bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd<br>
    sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh<br>
    rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA<br>
    ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg<br>
    Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX<br>
    96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue<br>
    vw2kqH9uZ7dlx7c6CA==<br>
    -----END CERTIFICATE-----<br>
    <br>
    ~/stunnel/src/tests$ openssl x509 -in forteinc.pem -noout -text<br>
    Certificate:<br>
        Data:<br>
            Version: 3 (0x2)<br>
            Serial Number:<br>
                0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6<br>
        Signature Algorithm: sha1WithRSAEncryption<br>
            Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com,
    CN=DigiCert High Assurance CA-3<br>
            Validity<br>
                Not Before: Jun  3 00:00:00 2013 GMT<br>
                Not After : Aug 10 12:00:00 2016 GMT<br>
            Subject: C=US, ST=California, L=Escondido, O=Forte Internet
    Software, Inc., OU=IT, CN=*.forteinc.com<br>
            Subject Public Key Info:<br>
                Public Key Algorithm: rsaEncryption<br>
                    Public-Key: (2048 bit)<br>
                    Modulus:<br>
                        00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:<br>
                        85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:<br>
                        0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:<br>
                        42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:<br>
                        d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:<br>
                        6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:<br>
                        0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:<br>
                        64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:<br>
                        73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:<br>
                        6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:<br>
                        6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:<br>
                        83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:<br>
                        45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:<br>
                        2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:<br>
                        af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:<br>
                        3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:<br>
                        4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:<br>
                        1a:53<br>
                    Exponent: 65537 (0x10001)<br>
            X509v3 extensions:<br>
                X509v3 Authority Key Identifier:<br>
                   
    keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7<br>
    <br>
                X509v3 Subject Key Identifier:<br>
                   
    C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67<br>
                X509v3 Subject Alternative Name:<br>
                    DNS:*.forteinc.com, DNS:forteinc.com<br>
                X509v3 Key Usage: critical<br>
                    Digital Signature, Key Encipherment<br>
                X509v3 Extended Key Usage:<br>
                    TLS Web Server Authentication, TLS Web Client
    Authentication<br>
                X509v3 CRL Distribution Points:<br>
    <br>
                    Full Name:<br>
                      URI:<a class="moz-txt-link-freetext" href="http://crl3.digicert.com/ca3-g22.crl">http://crl3.digicert.com/ca3-g22.crl</a><br>
    <br>
                    Full Name:<br>
                      URI:<a class="moz-txt-link-freetext" href="http://crl4.digicert.com/ca3-g22.crl">http://crl4.digicert.com/ca3-g22.crl</a><br>
    <br>
                X509v3 Certificate Policies:<br>
                    Policy: 2.16.840.1.114412.1.1<br>
                      CPS:
    <a class="moz-txt-link-freetext" href="http://www.digicert.com/ssl-cps-repository.htm">http://www.digicert.com/ssl-cps-repository.htm</a><br>
                      User Notice:<br>
                        Explicit Text:<br>
    <br>
                Authority Information Access:<br>
                    OCSP - URI:<a class="moz-txt-link-freetext" href="http://ocsp.digicert.com">http://ocsp.digicert.com</a><br>
                    CA Issuers -
    URI:<a class="moz-txt-link-freetext" href="http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt">http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt</a><br>
    <br>
                X509v3 Basic Constraints: critical<br>
                    CA:FALSE<br>
        Signature Algorithm: sha1WithRSAEncryption<br>
             7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91:<br>
             8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37:<br>
             2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4:<br>
             f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57:<br>
             df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8:<br>
             6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e:<br>
             b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da:<br>
             f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50:<br>
             04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d:<br>
             7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c:<br>
             40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76:<br>
             89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db:<br>
             62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24:<br>
             49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65:<br>
             c7:b7:3a:08<br>
    <br>
    ~/stunnel/src/tests$ ../stunnel forteinc.conf<br>
    2013.10.24 21:45:35 LOG7[19767]: Clients allowed=500<br>
    2013.10.24 21:45:35 LOG5[19767]: stunnel 5.00 on i686-pc-linux-gnu
    platform<br>
    2013.10.24 21:45:35 LOG5[19767]: Compiled/running with OpenSSL
    1.0.1e-fips 11 Feb 2013<br>
    2013.10.24 21:45:35 LOG5[19767]: Threading:PTHREAD Sockets:POLL,IPv6
    SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP<br>
    2013.10.24 21:45:35 LOG5[19767]: Reading configuration from file
    forteinc.conf<br>
    2013.10.24 21:45:35 LOG5[19767]: FIPS mode is disabled<br>
    2013.10.24 21:45:35 LOG7[19767]: Compression not enabled<br>
    2013.10.24 21:45:35 LOG7[19767]: Snagged 64 random bytes from
    /home/mtrojnar/.rnd<br>
    2013.10.24 21:45:35 LOG7[19767]: Wrote 1024 new random bytes to
    /home/mtrojnar/.rnd<br>
    2013.10.24 21:45:35 LOG7[19767]: PRNG seeded successfully<br>
    2013.10.24 21:45:35 LOG6[19767]: Initializing service [test_cli]<br>
    2013.10.24 21:45:35 LOG7[19767]: Loaded verify certificates from
    forteinc.pem<br>
    2013.10.24 21:45:35 LOG7[19767]: Loaded forteinc.pem revocation
    lookup file<br>
    2013.10.24 21:45:35 LOG7[19767]: SSL options set: 0x00000004<br>
    2013.10.24 21:45:35 LOG5[19767]: Configuration successful<br>
    2013.10.24 21:45:35 LOG7[19767]: Service [test_cli] (FD=7) bound to
    0.0.0.0:4321<br>
    2013.10.24 21:45:35 LOG7[19767]: No pid file being created<br>
    2013.10.24 21:45:46 LOG7[19767]: Service [test_cli] accepted (FD=3)
    from 127.0.0.1:44011<br>
    2013.10.24 21:45:46 LOG7[19772]: Service [test_cli] started<br>
    2013.10.24 21:45:46 LOG5[19772]: Service [test_cli] accepted
    connection from 127.0.0.1:44011<br>
    2013.10.24 21:45:46 LOG6[19772]: connect_blocking: connecting
    64.105.44.55:443<br>
    2013.10.24 21:45:46 LOG7[19772]: connect_blocking: s_poll_wait
    64.105.44.55:443: waiting 10 seconds<br>
    2013.10.24 21:45:46 LOG5[19772]: connect_blocking: connected
    64.105.44.55:443<br>
    2013.10.24 21:45:46 LOG5[19772]: Service [test_cli] connected remote
    server from 207.192.69.165:53779<br>
    2013.10.24 21:45:46 LOG7[19772]: Remote socket (FD=8) initialized<br>
    2013.10.24 21:45:46 LOG7[19772]: SNI: sending servername:
    forteinc.com<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): before/connect
    initialization<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write
    client hello A<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read
    server hello A<br>
    2013.10.24 21:45:46 LOG7[19772]: Starting certificate verification:
    depth=1, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
    Assurance CA-3<br>
    2013.10.24 21:45:46 LOG6[19772]: <b>CERT: Invalid CA certificate
      ignored</b><br>
    2013.10.24 21:45:46 LOG5[19772]: Certificate accepted: depth=1,
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
    CA-3<br>
    2013.10.24 21:45:46 LOG7[19772]: Starting certificate verification:
    depth=1, /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
    Assurance CA-3<br>
    2013.10.24 21:45:46 LOG6[19772]: <b>CERT: Invalid CA certificate
      ignored</b><br>
    2013.10.24 21:45:46 LOG5[19772]: Certificate accepted: depth=1,
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
    CA-3<br>
    2013.10.24 21:45:46 LOG7[19772]: Starting certificate verification:
    depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software,
    Inc./OU=IT/CN=*.forteinc.com<br>
    2013.10.24 21:45:46 LOG6[19772]: <b>CERT: Locally installed
      certificate matched</b><br>
    2013.10.24 21:45:46 LOG5[19772]: Certificate accepted: depth=0,
    /C=US/ST=California/L=Escondido/O=Forte Internet Software,
    Inc./OU=IT/CN=*.forteinc.com<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read
    server certificate A<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read
    server done A<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write
    client key exchange A<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write
    change cipher spec A<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 write
    finished A<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 flush
    data<br>
    2013.10.24 21:45:46 LOG7[19772]: SSL state (connect): SSLv3 read
    finished A<br>
    2013.10.24 21:45:46 LOG7[19772]:    1 items in the session cache<br>
    2013.10.24 21:45:46 LOG7[19772]:    1 client connects
    (SSL_connect())<br>
    2013.10.24 21:45:46 LOG7[19772]:    1 client connects that finished<br>
    2013.10.24 21:45:46 LOG7[19772]:    0 client renegotiations
    requested<br>
    2013.10.24 21:45:46 LOG7[19772]:    0 server connects (SSL_accept())<br>
    2013.10.24 21:45:46 LOG7[19772]:    0 server connects that finished<br>
    2013.10.24 21:45:46 LOG7[19772]:    0 server renegotiations
    requested<br>
    2013.10.24 21:45:46 LOG7[19772]:    0 session cache hits<br>
    2013.10.24 21:45:46 LOG7[19772]:    0 external session cache hits<br>
    2013.10.24 21:45:46 LOG7[19772]:    0 session cache misses<br>
    2013.10.24 21:45:46 LOG7[19772]:    0 session cache timeouts<br>
    2013.10.24 21:45:46 LOG7[19772]: Peer certificate was cached (4675
    bytes)<br>
    2013.10.24 21:45:46 LOG6[19772]: SSL connected: new session
    negotiated<br>
    2013.10.24 21:45:46 LOG6[19772]: Negotiated TLSv1/SSLv3 ciphersuite:
    AES256-SHA (256-bit encryption)<br>
    2013.10.24 21:45:46 LOG6[19772]: Compression: null, expansion: null<br>
    2013.10.24 21:45:52 LOG7[19772]: SSL alert (read): warning: close
    notify<br>
    2013.10.24 21:45:52 LOG6[19772]: SSL closed (SSL_read)<br>
    2013.10.24 21:45:52 LOG7[19772]: Sent socket write shutdown<br>
    2013.10.24 21:45:52 LOG6[19772]: Read socket closed (hangup)<br>
    2013.10.24 21:45:52 LOG6[19772]: Write socket closed (hangup)<br>
    2013.10.24 21:45:52 LOG7[19772]: Sending close_notify alert<br>
    2013.10.24 21:45:52 LOG7[19772]: SSL alert (write): warning: close
    notify<br>
    2013.10.24 21:45:52 LOG6[19772]: SSL_shutdown successfully sent
    close_notify alert<br>
    2013.10.24 21:45:52 LOG5[19772]: Connection closed: 16 byte(s) sent
    to SSL, 501 byte(s) sent to socket<br>
    2013.10.24 21:45:52 LOG7[19772]: Remote socket (FD=8) closed<br>
    2013.10.24 21:45:52 LOG7[19772]: Local socket (FD=3) closed<br>
    2013.10.24 21:45:52 LOG7[19772]: Service [test_cli] finished (0
    left)<br>
    ^C2013.10.24 21:45:54 LOG7[19767]: Dispatching signals from the
    signal pipe<br>
    2013.10.24 21:45:54 LOG3[19767]: Received signal 2; terminating<br>
    2013.10.24 21:45:54 LOG7[19767]: Closing service [test_cli]<br>
    2013.10.24 21:45:54 LOG7[19767]: Service [test_cli] closed (FD=7)<br>
    2013.10.24 21:45:54 LOG7[19767]: Sessions cached before flush: 1<br>
    2013.10.24 21:45:54 LOG7[19767]: Sessions cached after flush: 0<br>
    2013.10.24 21:45:54 LOG7[19767]: Service [test_cli] closed<br>
    2013.10.24 21:45:54 LOG7[19767]: str_stats: 11 block(s), 1816 data
    byte(s), 462 control byte(s)<br>
    <br>
    Mike<br>
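    <br>
    The two log lines highlighted above ("Invalid CA certificate ignored"
    at depth 1, "Locally installed certificate matched" at depth 0) are
    the whole of what verify = 4 does: per the stunnel manual, level 4
    ignores the CA chain and only verifies the peer certificate itself.
    The script below is an added illustration of that rule, not stunnel's
    own code. It takes the certificate from forteinc.pem as the pinned
    set, builds a constructed peer chain (the same leaf re-encoded on a
    single base64 line, plus a placeholder byte string where the DigiCert
    intermediate would be) and applies the level-4 decision. The function
    names, the failure-case message and the placeholder intermediate are
    assumptions of this example, not stunnel identifiers.<br>
    <br>

```python
import base64
import hashlib
import ssl

# Wildcard certificate from the message above: the contents of forteinc.pem,
# which "cafile = forteinc.pem" loads as the pinned set under "verify = 4".
PINNED_PEM = """-----BEGIN CERTIFICATE-----
MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x
JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL
EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0
Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K
pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj
kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl
K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b
VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV
HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM
UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j
LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j
YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n
MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG
AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv
cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm
ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg
AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg
AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg
AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu
AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp
AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC
hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh
bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd
sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh
rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA
ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg
Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX
96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue
vw2kqH9uZ7dlx7c6CA==
-----END CERTIFICATE-----
"""

def pem_to_der(pem):
    # stunnel compares DER bytes, so PEM line wrapping/whitespace is irrelevant.
    return ssl.PEM_cert_to_DER_cert(pem.strip())

def fingerprint(der):
    # SHA-256 fingerprint in the colon-separated form openssl prints.
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def verify_level4(chain_der, pinned_der):
    """Assumed model of "verify = 4" (not stunnel's code): ignore every
    certificate above depth 0, accept depth 0 only on an exact DER match.
    chain_der is leaf first, then intermediates; returns (accepted, log)."""
    pins, log = set(pinned_der), []
    # OpenSSL runs the verify callback from the top of the chain down,
    # which is why the log above shows depth=1 before depth=0.
    for depth in range(len(chain_der) - 1, -1, -1):
        cert = chain_der[depth]
        if depth > 0:  # level 4 performs no chain validation at all
            log.append(f"depth={depth}: CERT: Invalid CA certificate ignored")
        elif cert in pins:
            log.append("depth=0: CERT: Locally installed certificate matched")
            return True, log
        else:  # constructed wording for the failure case, not stunnel's
            log.append("depth=0: CERT: no locally installed certificate "
                       f"matched (sha256 {fingerprint(cert)})")
            return False, log
    return False, log + ["CERT: empty certificate chain"]

def presented_chain():
    """Constructed chain standing in for what the server sent: the same leaf
    re-encoded on one base64 line, plus a placeholder byte string (not a real
    CA certificate) in the position of the DigiCert intermediate."""
    leaf_b64 = base64.b64encode(pem_to_der(PINNED_PEM)).decode("ascii")
    leaf_pem = f"-----BEGIN CERTIFICATE-----\n{leaf_b64}\n-----END CERTIFICATE-----"
    return [pem_to_der(leaf_pem), b"placeholder: not a real CA certificate"]

def tampered_leaf(der):
    # Flip the last bit: a peer presenting a certificate that is not in cafile.
    return der[:-1] + bytes([der[-1] ^ 0x01])

if __name__ == "__main__":
    pins, chain = [pem_to_der(PINNED_PEM)], presented_chain()
    for label, c in (("matching", chain), ("altered", [tampered_leaf(pins[0]), chain[1]])):
        ok, log = verify_level4(c, pins)
        print(f"{label} leaf: accepted={ok}", *log, sep="\n  ")
```

    <br>
    The point the model makes explicit: under verify = 4 the only input
    to the decision is whether the DER bytes of the certificate the server
    actually presents are among those loaded from cafile. The chain above
    it is never validated (the placeholder intermediate is accepted with
    the same "ignored" line as the real DigiCert CA in the log), and a
    peer certificate that differs in a single bit from the copy in cafile
    is rejected regardless of how valid its chain is.<br>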
  </body>
</html>