[stunnel-users] certificate authentications

John A. Wallace jw72253 at verizon.net
Sat Jan 21 19:11:53 CET 2012



Thanks, again; and thanks for the offer, but I believe I have the most recent binary of Stunnel: “stunnel 4.50 on x86-pc-mingw32-gnu platform”.  It looks like there is now a gcc 4.4.6 available too.  Take care.  :-)





From: josealf at rocketmail.com [mailto:josealf at rocketmail.com] 
Sent: Saturday, January 21, 2012 11:30 AM
To: John A. Wallace; stunnel-users at stunnel.org
Subject: Re: [stunnel-users] certificate authentications



Glad it worked. Yes, the option to save peer certificates in recent stunnel versions works. I though about mentioning it, but I left that out, as I wasn't sure you were on Windows. In any case, you need to rename the certificate file.

BTW, I can supply you binaries of stunnel and the corresponding openssl toolkit (.exe and .dlls) compiled with gcc 4.4.4 with no trojan code :) 




From: "John A. Wallace" <jw72253 at verizon.net> 

Date: Sat, 21 Jan 2012 10:55:31 -0600

To: 'Jose Alf.'<josealf at rocketmail.com>; <stunnel-users at stunnel.org>

Subject: RE: [stunnel-users] certificate authentications




Outstanding reply!  This was even better than I hoped for.  Your cautionary advice about the correct OpenSSL version was especially helpful to the effective outcome, as sure enough the OpenSSL that I have installed currently is the newest release but the most current Windows binary of Stunnel has one that is older, and the difference in them corresponds exactly to that which you noted, namely, as .9x and 1.0x hash changes.  I will be sure to use the same OpenSSL that came alone with Stunnel instead of the standalone version.


I do have one question now related to the retrieval of certs in Stunnel. It looks like there is a context menu with a right-click option to import a certificate, using the tray icon.  I was wondering how that would work as compared to the manual method you described?  When I look at the option it appears to be grayed out, but it may be that I have not selected it at the appropriate time.  Muchas gracias.





From: Jose Alf. [mailto:josealf at rocketmail.com] 
Sent: Friday, January 20, 2012 10:56 PM
To: John A. Wallace; stunnel-users at stunnel.org
Subject: Re: [stunnel-users] certificate authentications




I guess what you want to do is to verify the server certificate. Please try this:


1. Save the server certificate to your capath directory (capath=xxx in stunnel.conf). Let's call it servercert.pem. 


2. Actually, for the certificate to be useful, it should be saved with a special name (a hash). To find out that name, run the command


openssl x509 -hash -noout -in servercert.pem


Note the command output. That's yourhash. Off course, you will need binaries of OpenSSL. Keep in mind that the hash change between 0.9.x and 1.0.x. So, you need to make sure you use the same version of OpenSSL your stunnel runs with.


3. Rename your certfile as yourhash.0, that is the output of the openssl x509 followed by .0


4. Set verify=4 in your stunnel.conf file.


5. Restart stunnel.


If that works, feel free to send me an Amazon Kindle :), Otherwise let me know.


Best Regards,



From: John A. Wallace <jw72253 at verizon.net>
To: stunnel-users at stunnel.org 
Sent: Friday, January 20, 2012 1:51 PM
Subject: Re: [stunnel-users] certificate authentications


Hello.  I want to repost this because I have heard nothing in response although it was posted a few days ago.  I am new to using this group and not certain how long I should expect to wait.  Excuse the reposting if I should seem impatient, as I do not mean it in that way. But I do want to be sure that I am posting it correctly too.  Thanks.





From: stunnel-users-bounces at stunnel.org [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of John A. Wallace
Sent: Tuesday, January 17, 2012 3:03 AM
To: stunnel-users at stunnel.org
Subject: [stunnel-users] certificate authentications
Importance: High


I have two questions, which I think may be related, regarding how to use the information from stunnel log.  I use stunnel to connect to an SMTP server on the internet from my home network, and in particular from my Windows laptop. My stunnel version is this:


stunnel 4.50 on x86-pc-mingw32-gnu platform

Compiled/running with OpenSSL 0.9.8r-fips 8 Feb 2011


It works well for my purposes, and I can see, by using a program for monitoring process and network connections, that the connections are now secured as expected. However, I believe it can be made more secure if I can utilize the certificate that is offered by the server, but I am not sure how to make that happen.


In my stunnel log for the connection, I get this message:


Client-mode smtp protocol negotiations started

Client-mode smtp protocol negotiations succeeded

No peer certificate received

SSL connected: new session negotiated

Negotiated ciphers: ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1


My first question is, how should I go about getting that “No peer certificate received” issue corrected and how do I install it?  Secondly, when I issue this command at the cmd shell prompt:


               openssl s_client -starttls smtp -connect host.server:port

The output is lengthy and it includes, among other things, clearly what is identified as a certificate.  I have been told that this is a good certificate, and one that I should utilize for an authenticated connection.  So, my question is, is this the same certificate that I saw referenced in the log as the “peer certificate”, and how do I go about putting this certificate where it belongs in my directory? I know how to copy it and save it as a file, but where do I put it and should it have a special name?  


If someone wants to direct me to the correct instruction for doing this, that would be fine too.  I am just looking for some pointers for assistance.  Thanks.

stunnel-users mailing list
stunnel-users at stunnel.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20120121/18197ebd/attachment.html>

More information about the stunnel-users mailing list