Re: [stunnel-users] Verify = 4 Fails Yet Again

[Thomas Eifert]

Mike,

Thanks, I tried it.  I suspect they may have routed you to a different 
server, because I'm not getting an expired certificate.
Here's the one I just pulled up using your openssl command:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:43:47:42:bb:5b:18:f5:9b:64:83:6d:7c:97:9c:d6
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert 
High Assurance CA-3
        Validity
            Not Before: Jun  3 00:00:00 2013 GMT
            Not After : Aug 10 12:00:00 2016 GMT
        Subject: C=US, ST=California, L=Escondido, O=Forte Internet 
Software, Inc., OU=IT, CN=*.forteinc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:f1:76:45:cd:ce:a4:74:9b:7c:58:c0:72:73:
                    85:4f:c3:b4:6e:e0:96:7a:3f:e0:32:65:77:0b:34:
                    0f:e1:4a:28:74:5d:eb:39:7c:68:f0:ee:80:53:c9:
                    42:56:89:cf:c5:21:ed:fd:ec:02:a4:8c:cf:16:1a:
                    d1:fb:d0:49:ce:bf:70:73:00:7c:ef:e5:fb:5d:84:
                    6e:94:b2:42:66:65:5e:ca:a6:89:0a:6a:8f:8c:e8:
                    0b:4b:d3:22:f2:5d:30:d7:5c:5d:1c:ed:d7:14:c2:
                    64:3d:96:ed:8b:22:fc:aa:30:2a:39:44:d8:da:34:
                    73:e8:1b:ea:6a:c5:74:8d:e2:64:a3:91:2c:54:b1:
                    6e:b6:a7:af:aa:13:eb:89:18:13:fd:1d:6d:78:0c:
                    6c:c4:f8:e0:54:7c:1f:e7:a0:2e:b7:a8:c5:a3:60:
                    83:96:99:15:ff:ac:80:bc:1f:a3:72:14:15:a5:2b:
                    45:f4:c9:49:31:6e:47:39:a3:f7:fd:0e:20:a1:08:
                    2b:f3:2b:b4:54:22:26:5f:0f:10:4a:29:0e:15:66:
                    af:3e:70:81:c8:84:7c:db:ce:20:e3:d8:9e:d3:c2:
                    3d:9b:55:e2:f4:e7:61:3b:12:34:f1:46:f6:08:12:
                    4c:9a:53:62:48:6e:f7:0b:28:3c:c9:d4:7e:6f:1f:
                    1a:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7

            X509v3 Subject Key Identifier:
C2:02:C4:6A:CF:E9:3F:BA:CC:51:FA:4C:5C:FA:E4:1C:48:38:49:67
            X509v3 Subject Alternative Name:
                DNS:*.forteinc.com, DNS:forteinc.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client 
Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl3.digicert.com/ca3-g22.crl

                Full Name:
                  URI:http://crl4.digicert.com/ca3-g22.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: http://www.digicert.com/ssl-cps-repository.htm
                  User Notice:
                    Explicit Text:

            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - 
URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
         7d:a4:1d:b0:06:6e:79:47:69:4d:af:f7:4c:1a:46:3e:52:91:
         8a:2a:e5:01:39:38:90:b8:29:93:4f:11:ef:78:44:b1:b0:37:
         2c:80:91:03:94:5b:7e:f0:46:67:9e:b4:df:51:e1:af:1c:d4:
         f1:98:48:f2:ae:24:2a:22:db:61:ac:29:47:0f:5b:cf:19:57:
         df:91:96:e4:cc:2e:66:24:13:63:47:8b:e3:95:76:2f:5e:d8:
         6b:e4:22:d7:ec:d8:48:0b:c0:66:b9:02:d8:81:97:52:e5:7e:
         b2:ea:7e:59:0f:27:c7:e0:3e:1c:4d:1a:18:15:b0:0a:8c:da:
         f2:a6:eb:6c:57:3c:e8:3a:cf:29:a1:81:ab:26:a7:49:23:50:
         04:33:a0:27:3a:23:83:a7:68:df:5a:a7:ac:33:9c:fd:28:3d:
         7d:c9:12:3a:d0:53:14:ed:c3:aa:0c:af:d1:48:9a:6a:29:9c:
         40:4d:ce:3a:a1:1e:89:a9:d0:ed:11:04:d9:72:17:f7:a7:76:
         89:1a:79:7d:5c:4c:8f:1f:52:09:f6:83:df:50:c8:a2:04:db:
         62:6a:f0:ef:ed:ca:10:f8:14:f1:03:67:d5:10:33:8c:f5:24:
         49:9c:6f:70:ef:17:fd:7b:9e:bf:0d:a4:a8:7f:6e:67:b7:65:
         c7:b7:3a:08
-----BEGIN CERTIFICATE-----
MIIGyTCCBbGgAwIBAgIQC0NHQrtbGPWbZINtfJec1jANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBDQS0zMB4XDTEzMDYwMzAwMDAwMFoXDTE2MDgxMDEyMDAwMFowgYQxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlFc2NvbmRpZG8x
JjAkBgNVBAoTHUZvcnRlIEludGVybmV0IFNvZnR3YXJlLCBJbmMuMQswCQYDVQQL
EwJJVDEXMBUGA1UEAwwOKi5mb3J0ZWluYy5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDZ8XZFzc6kdJt8WMByc4VPw7Ru4JZ6P+AyZXcLNA/hSih0
Xes5fGjw7oBTyUJWic/FIe397AKkjM8WGtH70EnOv3BzAHzv5ftdhG6UskJmZV7K
pokKao+M6AtL0yLyXTDXXF0c7dcUwmQ9lu2LIvyqMCo5RNjaNHPoG+pqxXSN4mSj
kSxUsW62p6+qE+uJGBP9HW14DGzE+OBUfB/noC63qMWjYIOWmRX/rIC8H6NyFBWl
K0X0yUkxbkc5o/f9DiChCCvzK7RUIiZfDxBKKQ4VZq8+cIHIhHzbziDj2J7Twj2b
VeL052E7EjTxRvYIEkyaU2JIbvcLKDzJ1H5vHxpTAgMBAAGjggNSMIIDTjAfBgNV
HSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD9zAdBgNVHQ4EFgQUwgLEas/pP7rM
UfpMXPrkHEg4SWcwJwYDVR0RBCAwHoIOKi5mb3J0ZWluYy5jb22CDGZvcnRlaW5j
LmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9j
YTMtZzIyLmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1n
MjIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgBhv1sAQEwggGkMDoGCCsG
AQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRv
cnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm
ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp
AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg
AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg
AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg
AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu
AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp
AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMHsGCCsGAQUFBwEBBG8wbTAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEUGCCsGAQUFBzAC
hjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJh
bmNlQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAfaQd
sAZueUdpTa/3TBpGPlKRiirlATk4kLgpk08R73hEsbA3LICRA5RbfvBGZ56031Hh
rxzU8ZhI8q4kKiLbYawpRw9bzxlX35GW5MwuZiQTY0eL45V2L17Ya+Qi1+zYSAvA
ZrkC2IGXUuV+sup+WQ8nx+A+HE0aGBWwCoza8qbrbFc86DrPKaGBqyanSSNQBDOg
Jzojg6do31qnrDOc/Sg9fckSOtBTFO3Dqgyv0UiaaimcQE3OOqEeianQ7REE2XIX
96d2iRp5fVxMjx9SCfaD31DIogTbYmrw7+3KEPgU8QNn1RAzjPUkSZxvcO8X/Xue
vw2kqH9uZ7dlx7c6CA==
-----END CERTIFICATE-----

This is the same certificate I've posted previously, and it's the one 
that fails to verify.

Regards,

Thomas

On 10/25/2013 4:04 AM, Michal Trojnara wrote:
On 10/25/2013 08:19 AM, Thomas Eifert wrote:
How would I access/save the expired certificate that you posted?

Thanks again,

Thomas


On 10/25/2013 12:17 AM, Michal Trojnara wrote:

Now I could reproduce it and the solution was trivial: your news80 
host was configured to use a different (older) certificate.

$ openssl s_client -connect news80.forteinc.com:443 2>/dev/null | 
openssl x509 -text 

You can access/save the expired certificate with "openssl s_client 
-connect news80.forteinc.com:443".  This is how I did it.

Mike
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users


--
Attention: This message and all attachments are private and may contain 
information that is confidential and privileged. If you received this message 
in error, please notify the sender by reply email and delete the message 
immediately.

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users