[stunnel-users] Addendum to Help With Verify = 3

David T. Ashley dta at e3ft.com
Fri Oct 7 06:17:06 CEST 2005


Addendum to my previous e-mail:

It looks like I shot myself in the foot.  I had my SSH client open
concurrently, and it looks like it was doing the port forwarding (rather
than Stunnel).  In any case, I was able to get connection rejections.  Here
is what I have on the server side:

cert = /usr/local/etc/stunnel/stunnel.pem
key = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/stunnel.pem
verify = 3

Here is what I have on the client side:

cert = stunnel.pem
   #Note that above was copied from the server.
verify = 0
client = yes

And here are the /var/log/secure entries I got when I tried two different
certificates (one right, one wrong).

Oct  7 03:57:09 pamc stunnel[3006]: VERIFY OK: depth=0,
/C=US/ST=Ohio/L=Sandusky/O=Test Company/OU=SMTP/CN=myserver.mydomain
Oct  7 03:57:12 pamc stunnel[3006]: Connection closed: 44 bytes sent to SSL,
6 bytes sent to socket
Oct  7 04:00:05 pamc stunnel[3006]: ssmtp connected from
Oct  7 04:00:05 pamc stunnel[3006]: VERIFY ERROR: depth=0, error=self signed
certificate: /C=PL/O=Stunnel Developers Ltd/CN=localhost
Oct  7 04:00:05 pamc stunnel[3006]: SSL_accept: 140890B2: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Is this looking right?

Is this process as simple as being sure that stunnel.pem on the server
matches stunnel.pem on the client?

Looks like it is working, but is there anything else I need to look out for?

Thanks and best regards, Dave Ashley.
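As an added example (not from the thread or the stunnel project): a small Python parser that reads the VERIFY lines from the /var/log/secure excerpt above, separates accepted from rejected client certificates, and flags any accepted CN outside a set you expect, so that a verify = 3 server can be checked from its logs. The sample log (the thread's entries rejoined onto single lines) and the allowed-CN set are constructed for the example.

```python
import re

# Constructed sample: the thread's /var/log/secure entries, rejoined onto
# single lines (syslog does not wrap them; the mail client did).
SAMPLE_LOG = """\
Oct  7 03:57:09 pamc stunnel[3006]: VERIFY OK: depth=0, /C=US/ST=Ohio/L=Sandusky/O=Test Company/OU=SMTP/CN=myserver.mydomain
Oct  7 03:57:12 pamc stunnel[3006]: Connection closed: 44 bytes sent to SSL, 6 bytes sent to socket
Oct  7 04:00:05 pamc stunnel[3006]: ssmtp connected from
Oct  7 04:00:05 pamc stunnel[3006]: VERIFY ERROR: depth=0, error=self signed certificate: /C=PL/O=Stunnel Developers Ltd/CN=localhost
Oct  7 04:00:05 pamc stunnel[3006]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

# One VERIFY line per certificate stunnel checks; depth=0 is the peer's own
# certificate, and "error=<reason>:" appears only on rejections.
VERIFY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ stunnel\[(?P<pid>\d+)\]: "
    r"VERIFY (?P<result>OK|ERROR): depth=(?P<depth>\d+), "
    r"(?:error=(?P<error>.+?): )?(?P<subject>/.*)$"
)

def parse_dn(dn):
    """'/C=US/O=Test Company/CN=x' -> {'C': 'US', ...}; assumes no '/' inside values."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)

def parse_verify_events(log_text):
    """Return one dict per VERIFY line; other stunnel lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": m["ts"], "pid": int(m["pid"]), "ok": m["result"] == "OK",
            "depth": int(m["depth"]), "error": m["error"],
            "subject": parse_dn(m["subject"]),
        })
    return events

def rejected_subjects(events):
    """(CN, OpenSSL reason) for every certificate stunnel refused."""
    return [(e["subject"].get("CN"), e["error"]) for e in events if not e["ok"]]

def unexpected_accepts(events, allowed_cns):
    """CNs accepted at depth 0 that are not in the expected set. With verify = 3
    this should stay empty; anything listed was accepted without being in stunnel.pem."""
    return [e["subject"].get("CN") for e in events
            if e["ok"] and e["depth"] == 0 and e["subject"].get("CN") not in allowed_cns]
```

Feed the output of `grep 'stunnel\[' /var/log/secure` to `parse_verify_events` and alert on a non-empty `unexpected_accepts` result.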

-----Original Message-----
From: stunnel-users-bounces at mirt.net
[mailto:stunnel-users-bounces at mirt.net]On Behalf Of David T. Ashley
Sent: Thursday, October 06, 2005 11:23 PM
To: stunnel-users at mirt.net
Subject: [stunnel-users] Help With Verify = 3


I installed Stunnel 4.12 on a Linux box, and am attempting to use it to
secure SMTP e-mail injection from Windows machines.

I have everything working, and I have a Windows Stunnel client which will
inject mail into a Linux Stunnel server over TCP Port 465.

However, I've been unable to find the right combination of verification
settings to cause the server to refuse connections from clients without the
right certificates.  Right now, I'm able to inject mail if the client has
ANY certificate.

Is there any tutorial on how to generate the keys, .PEM files, and the
Stunnel settings to have the behavior where only MY clients can inject mail?

Thanks and best regards, Dave Ashley.
