[stunnel-users] Confusion regarding part of stunnel.conf

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Fri Feb 11 21:48:12 CET 2011

On Fri, 2011-02-11 13:23:32 -0600, Dave wrote:
> Is this client certificate you mention one of the certs of the
> server being connected to (is it from "mainserver"? or the CA I
> created?)?  Like, will I have to pass out this cert to any clients I
> know will be connecting, so that they all have it, before they can
> connect at level 2 or 3?  Or is it just something built into the
> software a connecting person is using?

You should create one certificate for each client. In this way you
will be able to revoke certificates for single clients.

It does not matter whether these are self-signed or signed by a CA as
long as stunnel is able to check them against a white list (in case of
self-singed ones) or a black list (in case of the certificates signed
by a CA).

The clients have to configure their mail programs to use this
certificate while connecting to your server.

> I apologize for my ignorance and appreciate your patience, I just
> haven't had to worry about something like this in setting up any
> SSL-secured services before.  For example, with https, as long as
> the web server is configured to serve that protocol, it "just works"
> and you don't have to worry about providing certs to everyone
> connecting to your web site.  (Or perhaps I'm making a leap there,
> and you don't mean above that each client has to have a copy of some
> cert from the server.)  I guess I'm trying to figure out the
> difference between that and this issue with stunnel.

The goal of SSL-securing an HTTP server is to encrypt the conversation
(in order to hide e.g. bank details of the customer on the way to the
server) and to provide a way to authenticate the server (i.e. the
customer shall be given a possibility to ensure the server he
connected to is run by the company he wants to order from).

Thus, HTTP servers usually don't verify client certificates. (The
fact, HTTP users usually don't check the owner of the server
certificate, is an other issue.)

If one would SSL-secure an HTTP server with stunnel, it would usually
run with verify level one or zero (at least for web stores and sites
like that).

In the other hand, if you want to run an SSL-secured POP3 server, it
is essential to authenticate the client. As it is much easier to send
forged e-mails than to set up a forged POP3 server, it is not that
interesting to authenticate the server.

So if you SSL-secure a POP3 server with stunnel, it should run with
verify level two or three to force the clients to authenticate




Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany

More information about the stunnel-users mailing list