Hi,
I installed Stunnel 4.12 on a Linux box, and am attempting to use it to secure SMTP e-mail injection from Windows machines.
I have everything working, and I have a Windows Stunnel client which will inject mail into a Linux Stunnel server over TCP Port 465.
However, I've been unable to find the right combination of verification settings to cause the server to refuse connections from clients without the right certificates. Right now, I'm able to inject mail if the client has ANY certificate.
Is there any tutorial on how to generate the keys, .PEM files, and the Stunnel settings to have the behavior where only MY clients can inject mail?
Thanks and best regards, Dave Ashley.
Hi,
Addendum to my previous e-mail:
It looks like I shot myself in the foot. I had my SSH client open concurrently, and it looks like it was doing the port forwarding (rather than Stunnel). In any case, I was able to get connection rejections. Here is what I have on the server side:
BEGIN**********************
cert = /usr/local/etc/stunnel/stunnel.pem
key = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/stunnel.pem
verify = 3
END************************
Here is what I have on the client side:
BEGIN**********************
cert = stunnel.pem
#Note that above was copied from the server.
verify = 0
client = yes
END************************
And here are the /var/log/secure entries I got when I tried two different certificates (one right, one wrong).
BEGIN**********************
Oct 7 03:57:09 pamc stunnel[3006]: VERIFY OK: depth=0, /C=US/ST=Ohio/L=Sandusky/O=Test Company/OU=SMTP/CN=myserver.mydomain
Oct 7 03:57:12 pamc stunnel[3006]: Connection closed: 44 bytes sent to SSL, 6 bytes sent to socket
Oct 7 04:00:05 pamc stunnel[3006]: ssmtp connected from 70.226.90.31:1873
Oct 7 04:00:05 pamc stunnel[3006]: VERIFY ERROR: depth=0, error=self signed certificate: /C=PL/O=Stunnel Developers Ltd/CN=localhost
Oct 7 04:00:05 pamc stunnel[3006]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
END************************
Is this looking right?
Is this process as simple as being sure that stunnel.pem on the server matches stunnel.pem on the client?
Looks like it is working, but is there anything else I need to look out for?
Thanks and best regards, Dave Ashley.
-----Original Message-----
From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of David T. Ashley
Sent: Thursday, October 06, 2005 11:23 PM
To: stunnel-users@mirt.net
Subject: [stunnel-users] Help With Verify = 3
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
On Fri, 7 Oct 2005, David T. Ashley wrote:
> BEGIN**********************
> Oct 7 03:57:09 pamc stunnel[3006]: VERIFY OK: depth=0, /C=US/ST=Ohio/L=Sandusky/O=Test Company/OU=SMTP/CN=myserver.mydomain
> Oct 7 03:57:12 pamc stunnel[3006]: Connection closed: 44 bytes sent to SSL, 6 bytes sent to socket
> Oct 7 04:00:05 pamc stunnel[3006]: ssmtp connected from 70.226.90.31:1873
> Oct 7 04:00:05 pamc stunnel[3006]: VERIFY ERROR: depth=0, error=self signed certificate: /C=PL/O=Stunnel Developers Ltd/CN=localhost
> Oct 7 04:00:05 pamc stunnel[3006]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> END************************
>
> Is this looking right?
Not entirely. I've little time today but will try to help you on your way.
This says "no certificate returned", right? You want 'certificate refused' or something.
Check the CRL section of the manual? You'll need this to indicate which certificates are no longer allowed access to the server. Unless you use the 'only valid certificates in this path' option. Take 30 mins to read the manpage, it'll help :).
http://www.stunnel.org/faq/stunnel.html#global_options
Just browse through the options.
> Is this process as simple as being sure that stunnel.pem on the server matches stunnel.pem on the client?
>
> Looks like it is working, but is there anything else I need to look out for?
Outlook cannot present a client certificate (known bug). That might be a problem (?). Be sure to test this with Thunderbird.
Jan