Mike,
Thanks for the follow-up.
I'm unable to access the expired certificate. I'm just using Stunnel's
built-in peer certificate save function.
When I do this, here's the certificate that gets saved after I connect
to news80. It has a valid date range:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
        Validity
            Not Before: Jun 3 00:00:00 2013 GMT
            Not After : Aug 10 12:00:00 2016 GMT
        Subject: C=US, ST=California, L=Escondido, O=Forte Internet Software, Inc., OU=IT, CN=*.forteinc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7
            X509v3 Subject Key Identifier:
                C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
            X509v3 Subject Alternative Name:
                DNS:*.forteinc.com, DNS:forteinc.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/ca3-g22.crl
                Full Name:
                  URI:http://crl4.digicert.com/ca3-g22.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: http://www.digicert.com/ssl-cps-repository.htm
                  User Notice:
                    Explicit Text:
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
How would I access/save the expired certificate that you posted?
Thanks again,
Thomas
On 10/25/2013 12:17 AM, Michal Trojnara wrote:
Now I could reproduce it and the solution was trivial: your news80
host was configured to use a different (older) certificate.
$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null |
openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA
        Validity
            Not Before: May 2 00:00:00 2011 GMT
            Not After : Jul 9 23:59:59 2013 GMT
        Subject: C=US/postalCode=92026, ST=California, L=Escondido/street=2223 Bent Tree Place, O=Forte Internet Software, Inc., OU=Internet Services, OU=Comodo PremiumSSL Wildcard, CN=*.forteinc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B
            X509v3 Subject Key Identifier:
                C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
                  CPS: https://secure.comodo.com/CPS
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com
            X509v3 Subject Alternative Name:
                DNS:*.forteinc.com, DNS:forteinc.com
    Signature Algorithm: sha1WithRSAEncryption
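Added example, not part of either message: one way to check whether two hosts behind the same name present the same certificate, and whether each was valid on a given date. The sample input is abridged from the two dumps in this thread; `parse_dump`, `status`, `compare` and the evaluation date are assumptions of the example.

```python
from datetime import datetime, timezone

# Fields abridged from the two `openssl x509 -text` dumps in this thread
# (e-mail line wraps joined; key and signature bytes left out).
SAVED_BY_STUNNEL = """\
Serial Number:
    0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Not Before: Jun 3 00:00:00 2013 GMT
Not After : Aug 10 12:00:00 2016 GMT
"""
SERVED_BY_NEWS80 = """\
Serial Number:
    2d:d7:04:37:25:9c:07:49:29:e0:1f:f1:8a:2f:24:17
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA
Not Before: May 2 00:00:00 2011 GMT
Not After : Jul 9 23:59:59 2013 GMT
"""
LABELS = {"serial": "Serial Number", "issuer": "Issuer",
          "not_before": "Not Before", "not_after": "Not After"}

def parse_dump(text):
    """Pull the identifying fields out of `openssl x509 -text` output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cert = {}
    for i, ln in enumerate(lines):
        for key, label in LABELS.items():
            if ln.startswith(label):
                value = ln[len(label):].lstrip(" :")
                # Some fields print their value on the following line.
                cert[key] = value or (lines[i + 1] if i + 1 < len(lines) else "")
    for key in ("not_before", "not_after"):
        stamp = datetime.strptime(" ".join(cert[key].split()), "%b %d %H:%M:%S %Y GMT")
        cert[key] = stamp.replace(tzinfo=timezone.utc)
    return cert

def status(cert, at):
    if at < cert["not_before"]:
        return "not yet valid"
    return "expired" if at > cert["not_after"] else "valid"

def compare(a, b, at):
    """Report whether two hosts presented the same certificate, and each one's state."""
    return {"same_certificate": (a["issuer"], a["serial"]) == (b["issuer"], b["serial"]),
            "first": status(a, at), "second": status(b, at)}

WHEN = datetime(2013, 10, 25, tzinfo=timezone.utc)  # date of the quoted reply
if __name__ == "__main__":
    print(compare(parse_dump(SAVED_BY_STUNNEL), parse_dump(SERVED_BY_NEWS80), WHEN))
```

Issuer plus serial number identifies a certificate, so a mismatch between hosts means they are configured with different certificates even when the subject name is the same.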