<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:12pt"><div style="RIGHT: auto"><SPAN style="RIGHT: auto">John,</SPAN></div>
<div style="RIGHT: auto"><SPAN style="RIGHT: auto"></SPAN> </div>
<div style="RIGHT: auto"><SPAN style="RIGHT: auto">I guess what you want to do is to verify the server certificate. Please try this:</SPAN></div>
<div style="RIGHT: auto"><SPAN style="RIGHT: auto"></SPAN> </div>
<div style="RIGHT: auto"><SPAN style="RIGHT: auto">1. Save the server certificate to your capath directory (capath=xxx in stunnel.conf). Let's call it <EM style="RIGHT: auto">servercert.pem</EM>.</SPAN></div>
<div style="RIGHT: auto"><SPAN style="RIGHT: auto"></SPAN> </div>
<div style="RIGHT: auto"><SPAN style="RIGHT: auto"></SPAN><SPAN style="RIGHT: auto">2. Actually, for the certificate to be useful, it should be saved with a special name (a hash). To find out that name, run the command</SPAN></div>
<div style="RIGHT: auto"><SPAN style="RIGHT: auto"></SPAN> </div>
<div style="RIGHT: auto"><SPAN style="RIGHT: auto">openssl x509 -hash -noout -in <EM>servercert.pem</EM></SPAN><SPAN style="RIGHT: auto"></SPAN></div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto">Note the command output. That's <EM>yourhash</EM>. Of course, you will need the OpenSSL binaries. Keep in mind that the hash changes between 0.9.x and 1.0.x, so you need to make sure you use the same version of OpenSSL that your stunnel runs with.</div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto">3. Rename your cert file to <EM>yourhash.0</EM>, that is, the output of openssl x509 followed by .0.</div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto">4. Set verify=4 in your stunnel.conf file.</div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto">5. Restart stunnel.</div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto">If that works, feel free to send me an Amazon Kindle :). Otherwise, let me know.</div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto">Best Regards,</div>
<div style="RIGHT: auto">Jose</div>
<div style="RIGHT: auto"> </div>
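<div style="RIGHT: auto">An added example, not from Jose's message or from the stunnel project, that scripts steps 1 to 3 above for a POSIX shell with the openssl binary on PATH: it computes the subject hash with the OpenSSL generation stunnel was built against (the 0.9.x value via -subject_hash_old where needed), picks the next free hash.N name so an existing certificate with the same hash is not overwritten, and checks that the installed copy still parses. The capath directory and certificate path are placeholders passed as arguments; verify=4 still goes into stunnel.conf by hand.</div>

```shell
#!/bin/sh
# Added example (not from the thread): install a saved server certificate
# into stunnel's capath under the hashed filename OpenSSL's lookup expects.
# Assumes POSIX sh and the openssl binary on PATH; CAPATH and the PEM path
# are placeholders supplied on the command line.
set -eu

# Subject hash of a PEM certificate. OpenSSL 0.9.x and 1.0.x hash the
# subject differently; "-subject_hash_old" (1.0.0 and later) prints the
# 0.9.x value, so pass "old" when stunnel runs against 0.9.x but the
# openssl binary at hand is newer.
cert_hash() {            # $1 = PEM file, $2 = "new" (default) or "old"
  if [ "${2:-new}" = old ]; then
    openssl x509 -subject_hash_old -noout -in "$1"
  else
    openssl x509 -hash -noout -in "$1"
  fi
}

# Name for a hash inside capath: hash.0, or hash.1, hash.2, ... when other
# certificates with the same subject hash already occupy the lower suffixes.
capath_name() {          # $1 = capath dir, $2 = hash -> prints "dir/hash.N"
  n=0
  while [ -e "$1/$2.$n" ]; do n=$((n + 1)); done
  printf '%s/%s.%s\n' "$1" "$2" "$n"
}

# Copy the certificate into capath under its hashed name and confirm the
# installed copy is a certificate OpenSSL can parse. Prints the new path.
install_cert() {         # $1 = capath dir, $2 = servercert.pem, $3 = new|old
  h=$(cert_hash "$2" "${3:-new}")
  dest=$(capath_name "$1" "$h")
  cp "$2" "$dest"
  openssl x509 -noout -in "$dest" >/dev/null 2>&1 || {
    echo "copied to $dest but OpenSSL cannot parse it; check the PEM" >&2
    return 1
  }
  printf '%s\n' "$dest"
}

# usage: sh install_capath.sh install CAPATH servercert.pem [new|old]
if [ "${1:-}" = install ]; then
  install_cert "$2" "$3" "${4:-new}"
fi
```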
<DIV style="FONT-FAMILY: bookman old style, new york, times, serif; FONT-SIZE: 12pt">
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt">
<DIV style="RIGHT: auto" dir=ltr><FONT size=2 face=Arial>
<B><SPAN style="FONT-WEIGHT: bold">From:</SPAN></B> John A. Wallace <jw72253@verizon.net><BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> stunnel-users@stunnel.org <BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Friday, January 20, 2012 1:51 PM<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [stunnel-users] certificate authentications<BR></FONT></DIV><BR>
<DIV id=yiv155252287>
<DIV>
<DIV class=yiv155252287WordSection1>
<div class=yiv155252287MsoNormal><FONT color=#1f497d size=2 face=Calibri><SPAN style="COLOR: #1f497d; FONT-SIZE: 11pt">Hello. I want to repost this because I have heard nothing in response although it was posted a few days ago. I am new to using this group and not certain how long I should expect to wait. Excuse the reposting if I should seem impatient, as I do not mean it in that way. But I do want to be sure that I am posting it correctly too. Thanks.</SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT color=#1f497d size=2 face=Calibri><SPAN style="COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT color=#1f497d size=2 face=Calibri><SPAN style="COLOR: #1f497d; FONT-SIZE: 11pt">John</SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT color=#1f497d size=2 face=Calibri><SPAN style="COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT color=#1f497d size=2 face=Calibri><SPAN style="COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></FONT></div>
<DIV style="BORDER-BOTTOM: medium none; BORDER-LEFT: blue 1.5pt solid; PADDING-BOTTOM: 0in; PADDING-LEFT: 4pt; PADDING-RIGHT: 0in; BORDER-TOP: medium none; BORDER-RIGHT: medium none; PADDING-TOP: 0in">
<DIV>
<DIV style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<div class=yiv155252287MsoNormal><B><FONT size=2 face=Tahoma><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt; FONT-WEIGHT: bold">From:</SPAN></FONT></B><FONT size=2 face=Tahoma><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt"> stunnel-users-bounces@stunnel.org [mailto:stunnel-users-bounces@stunnel.org] <B><SPAN style="FONT-WEIGHT: bold">On Behalf Of </SPAN></B>John A. Wallace<BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Tuesday, January 17, 2012 3:03 AM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> stunnel-users@stunnel.org<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> [stunnel-users] certificate authentications<BR><B><SPAN style="FONT-WEIGHT: bold">Importance:</SPAN></B> High</SPAN></FONT></div></DIV></DIV>
<div class=yiv155252287MsoNormal><FONT size=2 face=Calibri><SPAN style="FONT-SIZE: 11pt"> </SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt">I have two questions, which I think may be related, regarding how to use the information from stunnel log. I use stunnel to connect to an SMTP server on the internet from my home network, and in particular from my Windows laptop. My stunnel version is this:</SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt"> </SPAN></FONT></div>
<div style="TEXT-INDENT: 0.5in" class=yiv155252287MsoNormal><FONT size=2 face="Courier New"><SPAN style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 10pt">stunnel 4.50 on x86-pc-mingw32-gnu platform</SPAN></FONT></div>
<div style="TEXT-INDENT: 0.5in" class=yiv155252287MsoNormal><FONT size=2 face="Courier New"><SPAN style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 10pt">Compiled/running with OpenSSL 0.9.8r-fips 8 Feb 2011</SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt"> </SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt">It works well for my purposes, and I can see, by using a program for monitoring process and network connections, that the connections are now secured as expected. However, I believe it can be made more secure if I can utilize the certificate that is offered by the server, but I am not sure how to make that happen.</SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt"> </SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt">In my stunnel log for the connection, I get this message:</SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt"> </SPAN></FONT></div>
<div style="TEXT-INDENT: 0.5in" class=yiv155252287MsoNormal><FONT size=2 face="Courier New"><SPAN style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 10pt">Client-mode smtp protocol negotiations started</SPAN></FONT></div>
<div style="TEXT-INDENT: 0.5in" class=yiv155252287MsoNormal><FONT size=2 face="Courier New"><SPAN style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 10pt">Client-mode smtp protocol negotiations succeeded</SPAN></FONT></div>
<div style="TEXT-INDENT: 0.5in" class=yiv155252287MsoNormal><FONT size=2 face="Courier New"><SPAN style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 10pt">No peer certificate received</SPAN></FONT></div>
<div style="TEXT-INDENT: 0.5in" class=yiv155252287MsoNormal><FONT size=2 face="Courier New"><SPAN style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 10pt">SSL connected: new session negotiated</SPAN></FONT></div>
<div style="TEXT-INDENT: 0.5in" class=yiv155252287MsoNormal><FONT size=2 face="Courier New"><SPAN style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 10pt">Negotiated ciphers: ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1</SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt"> </SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt">My first question is, how should I go about getting that “No peer certificate received” issue corrected and how do I install it? Secondly, when I issue this command at the cmd shell prompt:</SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt"> </SPAN></FONT></div><PRE>openssl s_client -starttls smtp -connect host.server:port</PRE>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt">The output is lengthy and it includes, among other things, clearly what is identified as a certificate. I have been told that this is a good certificate, and one that I should utilize for an authenticated connection. So, my question is, is this the same certificate that I saw referenced in the log as the “peer certificate”, and how do I go about putting this certificate where it belongs in my directory? I know how to copy it and save it as a file, but where do I put it and should it have a special name? </SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt"> </SPAN></FONT></div>
<div class=yiv155252287MsoNormal><FONT size=2 face=Arial><SPAN style="FONT-FAMILY: 'sans-serif'; FONT-SIZE: 10pt">If someone wants to direct me to the correct instruction for doing this, that would be fine too. I am just looking for some pointers for assistance. Thanks.</SPAN></FONT></div></DIV></DIV></DIV></DIV><BR>_______________________________________________<BR>stunnel-users mailing list<BR><A href="mailto:stunnel-users@stunnel.org" ymailto="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</A><BR><A href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users" target=_blank>http://stunnel.mirt.net/mailman/listinfo/stunnel-users</A><BR><BR><BR></DIV></DIV></div></body></html>