Re: [stunnel-users] Verify = 4 Fails Yet Again

Mike, Thanks for the follow-up. I'm unable to access the expired certificate. I'm just using Stunnel's built-in peer certificate save function. When I do this, here's the certificate that gets saved after I connect to news80. It has a valid date range: WARNING: can't open config file: /usr/local/ssl/openssl.cnf Certificate: Data: Version: 3 (0x2) Serial Number: 0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3 Validity Not Before: Jun 3 00:00:00 2013 GMT Not After : Aug 10 12:00:00 2016 GMT Subject: C=US, ST=California, L=Escondido, O=Forte Internet Software, Inc., OU=IT, CN=*.forteinc.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73: 85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34: 0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9: 42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a: d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84: 6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8: 0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2: 64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34: 73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1: 6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c: 6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60: 83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b: 45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08: 2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66: af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2: 3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12: 4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f: 1a:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7 X509v3 Subject Key Identifier: C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67 X509v3 Subject Alternative Name: DNS:*.forteinc.com, DNS:forteinc.com X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/ca3-g22.crl Full Name: URI:http://crl4.digicert.com/ca3-g22.crl X509v3 Certificate Policies: Policy: 2.16.840.1.114412.1.1 CPS: http://www.digicert.com/ssl-cps-repository.htm User Notice: Explicit Text: Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: sha1WithRSAEncryption 7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91: 8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37: 2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4: f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57: df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8: 6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e: b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da: f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50: 04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d: 7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c: 40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76: 89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db: 62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24: 49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65: c7:b7:3a:08 -----BEGIN CERTIFICATE----- MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0 Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX 96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue vw2kqH9uZ7dlx7c6CA== -----END CERTIFICATE----- How would I access/save the expired certificate that you posted? Thanks again, Thomas On 10/25/2013 12:17 AM, Michal Trojnara wrote:

Now I could reproduce it and the solution was trivial: your news80 host was configured to use a different (older) certificate.

$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null | openssl x509 -text Certificate: Data: Version: 3 (0x2) Serial Number: 2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17 Signature Algorithm: sha1WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA Validity Not Before: May 2 00:00:00 2011 GMT Not After : Jul 9 23:59:59 2013 GMT Subject: C=US/postalCode=92026, ST=California, L=Escondido/street=2223 Bent Tree Place, O=Forte Internet Software, Inc., OU=Internet Services, OU=Comodo PremiumSSL Wildcard, CN=*.forteinc.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73: 85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34: 0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9: 42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a: d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84: 6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8: 0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2: 64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34: 73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1: 6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c: 6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60: 83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b: 45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08: 2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66: af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2: 3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12: 4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f: 1a:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B

X509v3 Subject Key Identifier: C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.1.3.4 CPS: https://secure.comodo.com/CPS

X509v3 CRL Distribution Points:

Full Name:

URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl

Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com

X509v3 Subject Alternative Name: DNS:*.forteinc.com, DNS:forteinc.com Signature Algorithm: sha1WithRSAEncryption a4:a0:d9:21:f9:a7:a0:ae:66:44:fd:34:92:ac:0f:0d:cd:62: b8:93:ec:bf:dd:0c:4d:77:31:61:3d:ff:71:52:1d:0a:23:fd: bd:52:96:d4:85:49:7a:b9:81:72:d6:86:e4:d1:5f:c1:a4:fa: 5c:1d:b2:ce:b9:f3:bc:7e:03:5d:ea:84:7a:b4:2c:26:7f:55: 6d:93:14:3c:3a:a9:34:3a:af:a8:98:8e:7b:a8:db:f0:89:5d: f5:5d:3d:e1:da:c2:f3:21:d1:be:e4:02:c4:83:c2:a2:d4:57: 61:e0:38:b2:0c:c6:e4:2c:de:12:ac:f9:c8:22:e2:6f:4d:44: 21:64:5f:10:c4:1a:58:6e:76:75:dd:e4:87:99:25:45:6b:73: 4c:ee:39:d5:88:a6:35:5b:92:3d:12:66:c4:26:fa:e8:74:bd: 54:44:a8:01:b7:a0:49:2f:8b:52:cc:60:91:47:f1:23:9f:3d: e8:f4:8e:bc:46:2e:71:60:34:7d:13:80:79:e0:46:a3:e6:bf: bf:d2:f1:3b:fb:5c:45:33:b7:c3:40:69:9a:b8:0c:06:90:1c: 53:d9:46:b7:05:e5:d8:b7:de:7f:e2:33:1f:b7:e5:67:4a:0a: 7e:8d:0e:d4:5a:03:b6:58:15:50:42:ba:92:3e:a1:00:91:1a: 5e:70:c3:2b -----BEGIN CERTIFICATE----- MIIFxDCCBKygAwIBAgIQLdcENyWcB0kp4B/xii8kFzANBgkqhkiG9w0BAQUFADCB iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx MDUwMjAwMDAwMFoXDTEzMDcwOTIzNTk1OVowgecxCzAJBgNVBAYTAlVTMQ4wDAYD VQQREwU5MjAyNjETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJRXNjb25k aWRvMR0wGwYDVQQJExQyMjIzIEJlbnQgVHJlZSBQbGFjZTEmMCQGA1UEChMdRm9y dGUgSW50ZXJuZXQgU29mdHdhcmUsIEluYy4xGjAYBgNVBAsTEUludGVybmV0IFNl cnZpY2VzMSMwIQYDVQQLExpDb21vZG8gUHJlbWl1bVNTTCBXaWxkY2FyZDEXMBUG A1UEAxQOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0Xes5fGjw7oBT yUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7KpokKao+M6AtL 0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSjkSxUsW62p6+q E+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWlK0X0yUkxbkc5 o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2bVeL052E7EjTx RvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggHGMIIBwjAfBgNVHSMEGDAWgBQ/ 1bXQ1kR5UEoXo5uMSty4sCJkazAdBgNVHQ4EFgQUwgLEas/pP7rMUfpMXPrkHEg4 SWcwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB BQUHAwEGCCsGAQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYI KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRI MEYwRKBCoECGPmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNz dXJhbmNlU2VjdXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYB BQUHMAKGPmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJh bmNlU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5j b21vZG9jYS5jb20wJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j LmNvbTANBgkqhkiG9w0BAQUFAAOCAQEApKDZIfmnoK5mRP00kqwPDc1iuJPsv90M TXcxYT3/cVIdCiP9vVKW1IVJermBctaG5NFfwaT6XB2yzrnzvH4DXeqEerQsJn9V bZMUPDqpNDqvqJiOe6jb8Ild9V094drC8yHRvuQCxIPCotRXYeA4sgzG5CzeEqz5 yCLib01EIWRfEMQaWG52dd3kh5klRWtzTO451YimNVuSPRJmxCb66HS9VESoAbeg SS+LUsxgkUfxI5896PSOvEYucWA0fROAeeBGo+a/v9LxO/tcRTO3w0BpmrgMBpAc U9lGtwXl2Lfef+IzH7flZ0oKfo0O1FoDtlgVUEK6kj6hAJEaXnDDKw== -----END CERTIFICATE-----

-- Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately.