[stunnel-users] Addendum to Help With Verify = 3

Jan Meijer jan.meijer at surfnet.nl
Fri Oct 7 07:56:51 CEST 2005


On Fri, 7 Oct 2005, David T. Ashley wrote:

> BEGIN**********************
> Oct  7 03:57:09 pamc stunnel[3006]: VERIFY OK: depth=0,
> /C=US/ST=Ohio/L=Sandusky/O=Test Company/OU=SMTP/CN=myserver.mydomain
> Oct  7 03:57:12 pamc stunnel[3006]: Connection closed: 44 bytes sent to SSL,
> 6 bytes sent to socket
> Oct  7 04:00:05 pamc stunnel[3006]: ssmtp connected from 70.226.90.31:1873
> Oct  7 04:00:05 pamc stunnel[3006]: VERIFY ERROR: depth=0, error=self signed
> certificate: /C=PL/O=Stunnel Developers Ltd/CN=localhost
> Oct  7 04:00:05 pamc stunnel[3006]: SSL_accept: 140890B2: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> END************************
>
> Is this looking right?

Not entirely.  I've little time today but will try to help you on your
way.

This says "no certificate returned", right?  You want 'certificate
refused' or something.

Check the CRL section of the manual?  You'll need this to indicate which
certificates are no longer allowed access to the server.  Unless you use
the 'only valid certificates in this path' option.  Take 30 mins to read
the manpage, it'll help :).

http://www.stunnel.org/faq/stunnel.html#global_options

Just browse through the options.

> Is this process as simple as being sure that stunnel.pem on the server
> matches stunnel.pem on the client?
>
> Looks like it is working, but is there anything else I need to look out for?

Outlook cannot present a client certificate (known bug).  That might be a
problem (?).  Be sure to test this with Thunderbird.

Jan


