I think it should work, * should match homie
1. connected with "openssl s_client -connect mail.neroon.com:995", pasted cert to dreamhost.pem
2. used this
-----------stunnel.conf-------------
debug=7
client = yes

[pop3]
accept = 110
connect = homie.mail.dreamhost.com:995
verify=1
CAfile=c:\temp\dreamhost.pem
-----------stunnel.conf-------------
3. connect to localhost:110, got "unable to get local issuer certificate"
2009.12.29 16:04:25 LOG7[3044:5700]: Snagged 64 random bytes from C:/.rnd
2009.12.29 16:04:25 LOG7[3044:5700]: Wrote 0 new random bytes to C:/.rnd
2009.12.29 16:04:25 LOG7[3044:5700]: RAND_status claims sufficient entropy for the PRNG
2009.12.29 16:04:25 LOG7[3044:5700]: PRNG seeded successfully
2009.12.29 16:04:25 LOG7[3044:5700]: Loaded verify certificates from c:\temp\dreamhost.pem
2009.12.29 16:04:25 LOG7[3044:5700]: Loaded c:\temp\dreamhost.pem revocation lookup file
2009.12.29 16:04:25 LOG7[3044:5700]: SSL context initialized for service pop3
2009.12.29 16:04:25 LOG5[3044:5700]: stunnel 4.29 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009
2009.12.29 16:04:25 LOG5[3044:5700]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2009.12.29 16:04:25 LOG5[3044:4320]: No limit detected for the number of clients
2009.12.29 16:04:25 LOG7[3044:4320]: FD 1832 in non-blocking mode
2009.12.29 16:04:25 LOG7[3044:4320]: SO_REUSEADDR option set on accept socket
2009.12.29 16:04:25 LOG7[3044:4320]: pop3 bound to 0.0.0.0:110
2009.12.29 16:04:40 LOG7[3044:4320]: pop3 accepted FD=1808 from 127.0.0.1:3257
2009.12.29 16:04:40 LOG7[3044:4320]: Creating a new thread
2009.12.29 16:04:40 LOG7[3044:4320]: New thread created
2009.12.29 16:04:40 LOG7[3044:2340]: pop3 started
2009.12.29 16:04:40 LOG7[3044:2340]: FD 1808 in non-blocking mode
2009.12.29 16:04:40 LOG5[3044:2340]: pop3 accepted connection from 127.0.0.1:3257
2009.12.29 16:04:40 LOG7[3044:2340]: FD 1768 in non-blocking mode
2009.12.29 16:04:40 LOG6[3044:2340]: connect_blocking: connecting 208.97.132.208:995
2009.12.29 16:04:40 LOG7[3044:2340]: connect_blocking: s_poll_wait 208.97.132.208:995: waiting 10 seconds
2009.12.29 16:04:40 LOG5[3044:2340]: connect_blocking: connected 208.97.132.208:995
2009.12.29 16:04:40 LOG5[3044:2340]: pop3 connected remote server from 192.168.0.2:3258
2009.12.29 16:04:40 LOG7[3044:2340]: Remote FD=1768 initialized
2009.12.29 16:04:40 LOG7[3044:2340]: SSL state (connect): before/connect initialization
2009.12.29 16:04:40 LOG7[3044:2340]: SSL state (connect): SSLv3 write client hello A
2009.12.29 16:04:40 LOG7[3044:2340]: SSL state (connect): SSLv3 read server hello A
2009.12.29 16:04:40 LOG4[3044:2340]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=US/ST=California/L=Brea/O=Dreamhost.com/OU=Security/CN=*.mail.dreamhost.com/emailAddress=support@dreamhost.com
2009.12.29 16:04:40 LOG7[3044:2340]: SSL alert (write): fatal: bad certificate
2009.12.29 16:04:40 LOG3[3044:2340]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2009.12.29 16:04:40 LOG5[3044:2340]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2009.12.29 16:04:40 LOG7[3044:2340]: pop3 finished (0 left)
Carsten Krüger wrote in a great report:
> I think it should work, * should match homie
It doesn't matter. Stunnel does not attempt to perform any DNS checks.
> - connected with "openssl s_client -connect mail.neroon.com:995", pasted
> cert to dreamhost.pem
For some reason OpenSSL is not able to authenticate against this certificate:
$ openssl s_client -verify 1 -CAfile dreamhost.pem -connect mail.neroon.com:995 2>&1 | head -4
verify depth is 1
depth=0 /C=US/ST=California/L=Brea/O=Dreamhost.com/OU=Security/CN=*.mail.dreamhost.com/emailAddress=support@dreamhost.com
verify error:num=20:unable to get local issuer certificate
verify return:1
The s_client tool is intended for testing only, so it displays the error and then ignores it. See the manual for details.
I guess there is either something wrong with the certificate or with OpenSSL.
Best regards, Mike
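The script below is an added example, not code from this thread or from the stunnel project. It reproduces OpenSSL's "error 20 at 0 depth lookup: unable to get local issuer certificate" (the same VERIFY ERROR at depth=0 that the stunnel log above reports) with a throwaway CA and a wildcard server certificate under the hypothetical name *.mail.example.test, then verifies the same certificate against its issuing CA. The point it demonstrates: a CAfile must contain the certificate of the issuer of the server's certificate; a CAfile that holds only the server's own certificate (which is what `openssl s_client` prints when run without `-showcerts`) gives exactly this error. All names, paths and the openssl.cnf are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the stunnel-users thread). Requires the openssl CLI
# (1.1.1 or 3.x). Builds ca.pem (self-signed root) and leaf.pem (wildcard
# server cert signed by it), then runs "openssl verify" two ways.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf: the DN comes from -subj, so [dn] is only a placeholder;
# v3_ca / v3_leaf carry the extensions that make the root a CA and the leaf not.
write_config() {  # $1 = directory
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.mail.example.test
EOF
}

# Create the throwaway PKI: a root CA and a wildcard leaf it signs.
make_test_pki() {  # $1 = directory
  write_config "$1"
  openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
    -subj "/O=Example Test/CN=Example Test Root" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -config "$1/openssl.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/O=Example Test/CN=*.mail.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -set_serial 4242 -days 2 -extfile "$1/openssl.cnf" -extensions v3_leaf \
    -out "$1/leaf.pem" 2>/dev/null
}

# Verify certificate $2 using only the trust file $1 (no system CA path),
# which is how a CAfile handed to stunnel is used. Prints "OK" on success,
# otherwise the "error N at D depth" token that openssl verify reports.
verify_result() {  # $1 = CAfile, $2 = certificate to check
  if out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" 2>&1); then
    echo OK
  else
    echo "$out" | grep -o 'error [0-9]* at [0-9]* depth' | head -n 1
  fi
  return 0
}

make_test_pki "$WORK"
# CAfile holding only the server's own certificate: the issuer of the cert at
# depth 0 is not in the file, so OpenSSL reports error 20 at depth 0.
echo "CAfile = server cert : $(verify_result "$WORK/leaf.pem" "$WORK/leaf.pem")"
# CAfile holding the issuing CA: the chain closes and verification succeeds.
echo "CAfile = issuing CA  : $(verify_result "$WORK/ca.pem" "$WORK/leaf.pem")"
```

Against a live server, `openssl s_client -showcerts -connect host:995` prints every certificate the server sends (the leaf plus any intermediates it includes); the root usually has to come from a separate trust store. For stunnel's `verify=1` or `verify=2`, the CAfile therefore needs the issuing CA certificate(s), not the server certificate itself. stunnel 4.x also offers verify level 3, which checks the peer against a locally installed copy of its certificate; the stunnel manual describes how that copy has to be installed.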