Hi,
Addendum to my previous e-mail:
It looks like I shot myself in the foot. I had my SSH client open concurrently, and it looks like it was doing the port forwarding (rather than Stunnel). In any case, I was able to get connection rejections. Here is what I have on the server side:
BEGIN**********************
cert = /usr/local/etc/stunnel/stunnel.pem
key = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/stunnel.pem
verify = 3
END************************
Here is what I have on the client side:
BEGIN**********************
cert = stunnel.pem
#Note that above was copied from the server.
verify = 0
client = yes
END************************
And here are the /var/log/secure entries I got when I tried two different certificates (one right, one wrong).
BEGIN**********************
Oct 7 03:57:09 pamc stunnel[3006]: VERIFY OK: depth=0, /C=US/ST=Ohio/L=Sandusky/O=Test Company/OU=SMTP/CN=myserver.mydomain
Oct 7 03:57:12 pamc stunnel[3006]: Connection closed: 44 bytes sent to SSL, 6 bytes sent to socket
Oct 7 04:00:05 pamc stunnel[3006]: ssmtp connected from 70.226.90.31:1873
Oct 7 04:00:05 pamc stunnel[3006]: VERIFY ERROR: depth=0, error=self signed certificate: /C=PL/O=Stunnel Developers Ltd/CN=localhost
Oct 7 04:00:05 pamc stunnel[3006]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
END************************
Is this looking right?
Is this process as simple as being sure that stunnel.pem on the server matches stunnel.pem on the client?
Looks like it is working, but is there anything else I need to look out for?
Thanks and best regards, Dave Ashley.
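The /var/log/secure lines above are the record of whether the server's `verify = 3` setting is actually rejecting clients, so it is worth being able to summarise them per peer address rather than reading them by hand. The script below is an added example and is not from the thread or from the stunnel project: it parses stunnel 4.x-style syslog entries ("ssmtp connected from", "VERIFY OK/ERROR", "SSL_accept") and reports, per client IP, how many connections were accepted or rejected and why. The regular expressions are assumptions about the log format based only on the lines quoted in the thread; the sample input reuses those lines plus one constructed "connected from" line (192.0.2.10) so the first, successful session has a source address.

```python
"""Summarise stunnel peer-certificate verification results from syslog lines.

Added example (not part of the mailing-list thread). The regexes below are
assumptions about stunnel 4.x's log format, derived from the lines quoted in
the thread; adjust them if your stunnel version logs differently.
"""
import re
from collections import defaultdict

# Constructed sample input: the lines quoted in the thread, plus one
# constructed "connected from" line so the successful session has an IP.
SAMPLE_LOG = """\
Oct 7 03:57:05 pamc stunnel[3006]: ssmtp connected from 192.0.2.10:4410
Oct 7 03:57:09 pamc stunnel[3006]: VERIFY OK: depth=0, /C=US/ST=Ohio/L=Sandusky/O=Test Company/OU=SMTP/CN=myserver.mydomain
Oct 7 03:57:12 pamc stunnel[3006]: Connection closed: 44 bytes sent to SSL, 6 bytes sent to socket
Oct 7 04:00:05 pamc stunnel[3006]: ssmtp connected from 70.226.90.31:1873
Oct 7 04:00:05 pamc stunnel[3006]: VERIFY ERROR: depth=0, error=self signed certificate: /C=PL/O=Stunnel Developers Ltd/CN=localhost
Oct 7 04:00:05 pamc stunnel[3006]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

# Assumed log shapes (see docstring).
CONNECT_RE = re.compile(
    r"stunnel\[(?P<pid>\d+)\]: (?P<service>\S+) connected from (?P<ip>[\d.]+):(?P<port>\d+)")
VERIFY_RE = re.compile(
    r"stunnel\[(?P<pid>\d+)\]: VERIFY (?P<result>OK|ERROR): depth=(?P<depth>\d+),"
    r"(?: error=(?P<error>[^:]+):)? (?P<subject>/.*)$")
ACCEPT_ERR_RE = re.compile(r"stunnel\[(?P<pid>\d+)\]: SSL_accept: .*:(?P<reason>[^:]+)$")


def _new_session(ip, service):
    return {"ip": ip, "service": service, "verify": [], "accept_error": None, "closed": False}


def parse_sessions(log_text):
    """Group log lines into per-connection records, in order of appearance.

    Lines are attributed to the most recent 'connected from' line until a
    'Connection closed' line ends that session.
    """
    sessions = []
    current = None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            current = _new_session(m["ip"], m["service"])
            sessions.append(current)
            continue
        if current is None:
            # Verification output with no preceding connect line: keep it anyway.
            current = _new_session("unknown", None)
            sessions.append(current)
        m = VERIFY_RE.search(line)
        if m:
            current["verify"].append({"result": m["result"], "depth": int(m["depth"]),
                                      "error": m["error"], "subject": m["subject"]})
            continue
        m = ACCEPT_ERR_RE.search(line)
        if m:
            current["accept_error"] = m["reason"]
            continue
        if "Connection closed" in line:
            current["closed"] = True
            current = None
    return sessions


def session_outcome(session):
    """REJECTED on any VERIFY ERROR or handshake error; ACCEPTED only if every depth was OK."""
    if session["accept_error"] is not None:
        return "REJECTED"
    if any(v["result"] == "ERROR" for v in session["verify"]):
        return "REJECTED"
    return "ACCEPTED" if session["verify"] else "NO_CERT_INFO"


def summarise(log_text):
    """Return {ip: {"accepted": n, "rejected": n, "subjects": set, "reasons": set}}."""
    summary = defaultdict(lambda: {"accepted": 0, "rejected": 0, "subjects": set(), "reasons": set()})
    for s in parse_sessions(log_text):
        entry = summary[s["ip"]]
        outcome = session_outcome(s)
        if outcome == "ACCEPTED":
            entry["accepted"] += 1
        elif outcome == "REJECTED":
            entry["rejected"] += 1
        for v in s["verify"]:
            entry["subjects"].add(v["subject"])
            if v["error"]:
                entry["reasons"].add(v["error"])
        if s["accept_error"]:
            entry["reasons"].add(s["accept_error"])
    return dict(summary)


if __name__ == "__main__":
    for ip, entry in summarise(SAMPLE_LOG).items():
        print(f"{ip}: accepted={entry['accepted']} rejected={entry['rejected']}")
        for subj in sorted(entry["subjects"]):
            print(f"  subject: {subj}")
        for reason in sorted(entry["reasons"]):
            print(f"  reason:  {reason}")
```

Run against the sample, the second session (70.226.90.31) is reported as rejected with both the verification reason ("self signed certificate") and the handshake reason ("no certificate returned"), which is the behaviour the thread is looking for: with `verify = 3` the server accepts only a peer whose certificate is in its CAfile, so a client presenting stunnel's sample certificate (CN=localhost) is turned away. Pointing the script at a real /var/log/secure and watching the rejected count per IP is a simple way to confirm the setting keeps working after certificates are rotated.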
-----Original Message-----
From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of David T. Ashley
Sent: Thursday, October 06, 2005 11:23 PM
To: stunnel-users@mirt.net
Subject: [stunnel-users] Help With Verify = 3
Hi,
I installed Stunnel 4.12 on a Linux box, and am attempting to use it to secure SMTP e-mail injection from Windows machines.
I have everything working, and I have a Windows Stunnel client which will inject mail into a Linux Stunnel server over TCP Port 465.
However, I've been unable to find the right combination of verification settings to cause the server to refuse connections from clients without the right certificates. Right now, I'm able to inject mail if the client has ANY certificate.
Is there any tutorial on how to generate the keys, .PEM files, and the Stunnel settings to have the behavior where only MY clients can inject mail?
Thanks and best regards, Dave Ashley.
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users