-------- Forwarded Message --------
On 8/7/24 6:13 PM, Brett Lymn wrote:
On Tue, Aug 06, 2024 at 10:01:06AM -0400, Jason Mitchell wrote:
Unfortunately, what doesn’t work for me is:
NetBSD-10.0/stunnel 5.71 (or 5.72)
It looks like stunnel is trying to verify its certificate and something in the response causes it to crash. Here’s a snippet of the output right before the segfault:
2024.08.04 13:47:35 LOG7[0]: SNI: no virtual services defined
2024.08.04 13:47:35 LOG7[0]: OCSP stapling: Server callback called
2024.08.04 13:47:35 LOG6[0]: OCSP: The root CA certificate was not found
2024.08.04 13:47:35 LOG5[0]: OCSP: Connecting the AIA responder "http://e5.o.lencr.org"
Segmentation fault (core dumped)
No suggestions but I can confirm that stunnel 5.71 on an oldish post 10 -current works for me using certificates. Maybe the cert is broken in some way? What does:
openssl x509 -in cert_file_here -text
say?
Brett,
Thanks for the info and for responding. For the Let's Encrypt certificate the openssl command just prints the base64 PEM file. For the Sectigo certificate it prints all the info about it in human readable form (included below).
If you don't mind me asking, do you know if your clients are using OCSP? ncat --ssl host 993 doesn't cause the segfault, strangely enough. Also, is yours a wildcard certificate or a certificate for a single host? And is it self signed? Finally, what version of OpenSSL are you using?
Sorry for all the questions. Thanks again!
Jason M.
Output from openssl x509 -in cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f8:6e:a2:1a:3a:da:8c:66:f5:bd:0e:1f:23:31:0b:6f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Validity
Not Before: Apr 6 00:00:00 2021 GMT
Not After : May 7 23:59:59 2022 GMT
Subject: CN = *.bigjar.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
X509v3 Subject Key Identifier:
7C:4B:E2:49:C1:DD:CF:2D:FC:0B:EE:E8:F5:C4:F9:46:C1:11:88:51
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://sectigo.com/CPS
Policy: 2.23.140.1.2.1
Authority Information Access:
CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.sectigo.com
X509v3 Subject Alternative Name:
DNS:*.bigjar.com, DNS:bigjar.com
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID :
46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
Timestamp : Apr 6 19:45:19.595 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:B1:22:98:F0:FF:3A:1C:F0:64:AD:EB:
F0:78:35:7C:63:FF:72:A9:26:6E:15:29:F6:5D:11:DE:
6C:AD:08:E4:B6:02:20:73:83:5D:B9:07:5D:E6:2D:34:
BD:05:74:46:AD:CF:A1:67:2B:72:13:36:75:1B:8F:A5:
C2:95:DB:A5:4B:B6:19
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID :
DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:
EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
Timestamp : Apr 6 19:45:19.604 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:DD:26:5B:9A:47:37:86:A0:2B:0A:64:
7B:71:F9:12:DF:78:D5:F4:88:60:8F:68:9C:3C:3F:16:
A4:DA:5D:1D:32:02:21:00:B5:64:26:4F:D5:C8:86:48:
D3:C4:B3:33:1D:8B:97:C1:63:F4:6D:25:B5:A0:7A:EC:
32:2C:3B:33:6C:D5:85:3B
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
-----BEGIN CERTIFICATE-----
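As an added example (not from the thread, and not stunnel's own code), the script below performs the same OCSP step that stunnel attempts in the log above, but with openssl alone, so a missing root CA or an unusable responder reply is reported by openssl rather than taking down a daemon. The SAMPLE_X509_TEXT excerpt is constructed from the certificate fields shown above; the cert, issuer and CA bundle paths are placeholders supplied on the command line.

```shell
#!/bin/sh
# Constructed excerpt of "openssl x509 -text" output, mirroring the AIA
# section of the certificate posted in the thread (not captured output).
SAMPLE_X509_TEXT='Authority Information Access:
    CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
    OCSP - URI:http://ocsp.sectigo.com
X509v3 Subject Alternative Name:
    DNS:*.bigjar.com, DNS:bigjar.com'

# ocsp_uri_from_text: read "openssl x509 -text" output on stdin and print the
# first OCSP responder URI from the Authority Information Access extension.
ocsp_uri_from_text() {
    awk '/OCSP - URI:/ { sub(/.*OCSP - URI:[ \t]*/, ""); print; exit }'
}

# ca_issuers_uri_from_text: same, for the issuer-certificate download URI.
ca_issuers_uri_from_text() {
    awk '/CA Issuers - URI:/ { sub(/.*CA Issuers - URI:[ \t]*/, ""); print; exit }'
}

# check_ocsp CERT ISSUER CAFILE: query the AIA responder for CERT, verifying
# the response against CAFILE (the root bundle stunnel reported as missing).
# openssl prints the parsed response and a "good"/"revoked"/"unknown" status,
# and exits non-zero if the reply cannot be verified or parsed.
check_ocsp() {
    cert=$1; issuer=$2; cafile=$3
    uri=$(openssl x509 -in "$cert" -noout -text | ocsp_uri_from_text)
    if [ -z "$uri" ]; then
        echo "no OCSP URI in the certificate's AIA extension" >&2
        return 1
    fi
    echo "querying OCSP responder $uri" >&2
    openssl ocsp -issuer "$issuer" -cert "$cert" -CAfile "$cafile" \
        -url "$uri" -resp_text -no_nonce
}

# Usage: sh ocsp_check.sh cert.pem issuer.pem root-bundle.pem
if [ "$#" -eq 3 ]; then
    check_ocsp "$@"
fi
```

If the responder reply itself is malformed, openssl ocsp fails to parse it and says so, which isolates whether the problem is the certificate chain, the responder, or stunnel's handling of the reply.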