[stunnel-users] certificate authentications

Sat Jan 21 05:55:50 CET 2012

John,

I guess what you want to do is to verify the server certificate. Please try this:

1. Save the server certificate to your capath directory (capath=xxx in stunnel.conf). Let's call it servercert.pem. 

2. Actually, for the certificate to be useful, it should be saved with a special name (a hash). To find out that name, run the command

openssl x509 -hash -noout -in servercert.pem

Note the command output. That's yourhash. Off course, you will need binaries of OpenSSL. Keep in mind that the hash change between 0.9.x and 1.0.x. So, you need to make sure you use the same version of OpenSSL your stunnel runs with.

3. Rename your certfile as yourhash.0, that is the output of the openssl x509 followed by .0

4. Set verify=4 in your stunnel.conf file.

5. Restart stunnel.

If that works, feel free to send me an Amazon Kindle :), Otherwise let me know.

Best Regards,
Jose

________________________________
From: John A. Wallace <jw72253 at verizon.net>
To: stunnel-users at stunnel.org 
Sent: Friday, January 20, 2012 1:51 PM
Subject: Re: [stunnel-users] certificate authentications

Hello.  I want to repost this because I have heard nothing in response although it was posted a few days ago.  I am new to using this group and not certain how long I should expect to wait.  Excuse the reposting if I should seem impatient, as I do not mean it in that way. But I do want to be sure that I am posting it correctly too.  Thanks.

John

From:stunnel-users-bounces at stunnel.org [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of John A. Wallace
Sent: Tuesday, January 17, 2012 3:03 AM
To: stunnel-users at stunnel.org
Subject: [stunnel-users] certificate authentications
Importance: High

I have two questions, which I think may be related, regarding how to use the information from stunnel log.  I use stunnel to connect to an SMTP server on the internet from my home network, and in particular from my Windows laptop. My stunnel version is this:

stunnel 4.50 on x86-pc-mingw32-gnu platform
Compiled/running with OpenSSL 0.9.8r-fips 8 Feb 2011

It works well for my purposes, and I can see, by using a program for monitoring process and network connections, that the connections are now secured as expected. However, I believe it can be made more secure if I can utilize the certificate that is offered by the server, but I am not sure how to make that happen.

In my stunnel log for the connection, I get this message:

Client-mode smtp protocol negotiations started
Client-mode smtp protocol negotiations succeeded
No peer certificate received
SSL connected: new session negotiated
Negotiated ciphers: ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1

My first question is, how should I go about getting that “No peer certificate received” issue corrected and how do I install it?  Secondly, when I issue this command at the cmd shell prompt:

               openssl s_client -starttls smtp -connect host.server:port

The output is lengthy and it includes, among other things, clearly what is identified as a certificate.  I have been told that this is a good certificate, and one that I should utilize for an authenticated connection.  So, my question is, is this the same certificate that I saw referenced in the log as the “peer certificate”, and how do I go about putting this certificate where it belongs in my directory? I know how to copy it and save it as a file, but where do I put it and should it have a special name?  

If someone wants to direct me to the correct instruction for doing this, that would be fine too.  I am just looking for some pointers for assistance.  Thanks.
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20120120/91346136/attachment.html>