I have two questions, which I think may be related, regarding how to use the information from stunnel log. I use stunnel to connect to an SMTP server on the internet from my home network, and in particular from my Windows laptop. My stunnel version is this:
stunnel 4.50 on x86-pc-mingw32-gnu platform
Compiled/running with OpenSSL 0.9.8r-fips 8 Feb 2011
It works well for my purposes, and I can see, by using a program for monitoring process and network connections, that the connections are now secured as expected. However, I believe it can be made more secure if I can utilize the certificate that is offered by the server, but I am not sure how to make that happen.
In my stunnel log for the connection, I get this message:
Client-mode smtp protocol negotiations started
Client-mode smtp protocol negotiations succeeded
No peer certificate received
SSL connected: new session negotiated
Negotiated ciphers: ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
My first question is, how should I go about getting that "No peer certificate received" issue corrected and how do I install it? Secondly, when I issue this command at the cmd shell prompt:
openssl s_client -starttls smtp -connect host.server:port
The output is lengthy and it includes, among other things, clearly what is identified as a certificate. I have been told that this is a good certificate, and one that I should utilize for an authenticated connection. So, my question is, is this the same certificate that I saw referenced in the log as the "peer certificate", and how do I go about putting this certificate where it belongs in my directory? I know how to copy it and save it as a file, but where do I put it and should it have a special name?
If someone wants to direct me to the correct instruction for doing this, that would be fine too. I am just looking for some pointers for assistance. Thanks.
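An added example, not part of John's post or of stunnel itself: a small shell check over the kind of log lines quoted above. The cipher description stunnel logs is OpenSSL's own (Kx is the key exchange, Au the authentication method, Enc and Mac the bulk algorithms). Au=None marks an anonymous Diffie-Hellman suite (ADH), which carries no server certificate at all, so "No peer certificate received" is the expected companion line rather than a sign of a missing installation. The second session in the sample log is constructed here for contrast and was not in the original post.

```shell
#!/bin/sh
# Added example, not from the stunnel thread.  Scans stunnel client log text
# and reports, per negotiated session, whether the cipher suite carried a
# server certificate.  stunnel logs OpenSSL's cipher description:
#   <name> <protocol> Kx=<key exchange> Au=<authentication> Enc=... Mac=...
# Au=None is an anonymous suite: no certificate is sent, so the preceding
# "No peer certificate received" line is the expected consequence.

# Reads log text on stdin; prints one line per "Negotiated ciphers:" entry:
#   ANONYMOUS <suite> (Au=None)     no certificate, nothing to verify
#   CERTIFICATE <suite> (Au=RSA)    certificate present, verify it in stunnel.conf
classify_sessions() {
    awk '
        /No peer certificate received/ { nocert = 1 }
        /Negotiated ciphers:/ {
            line = $0
            sub(/.*Negotiated ciphers: */, "", line)
            n = split(line, f, " ")
            au = "?"
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^Au=/) au = substr(f[i], 4)
            if (au == "None" || nocert)
                print "ANONYMOUS " f[1] " (Au=" au ")"
            else
                print "CERTIFICATE " f[1] " (Au=" au ")"
            nocert = 0
        }'
}

# Constructed sample: the first session is the one quoted in the post above;
# the second is made up here to show a certificate-carrying suite.
sample_log() {
    cat <<'EOF'
Client-mode smtp protocol negotiations started
Client-mode smtp protocol negotiations succeeded
No peer certificate received
SSL connected: new session negotiated
Negotiated ciphers: ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
Client-mode smtp protocol negotiations started
Client-mode smtp protocol negotiations succeeded
SSL connected: new session negotiated
Negotiated ciphers: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
EOF
}

# Runs on the sample when executed directly; for a real log use
#   classify_sessions < stunnel.log
sample_log | classify_sessions
```

A certificate-carrying suite only authenticates the server if stunnel is also told to check the certificate (the verify option); this check flags the sessions where no verification was even possible because nothing was presented.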
Hello. I want to repost this because I have heard nothing in response although it was posted a few days ago. I am new to using this group and not certain how long I should expect to wait. Excuse the reposting if I should seem impatient, as I do not mean it in that way. But I do want to be sure that I am posting it correctly too. Thanks.
John
From: stunnel-users-bounces@stunnel.org [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of John A. Wallace Sent: Tuesday, January 17, 2012 3:03 AM To: stunnel-users@stunnel.org Subject: [stunnel-users] certificate authentications Importance: High
John,
I guess what you want to do is to verify the server certificate. Please try this:
1. Save the server certificate to your capath directory (capath=xxx in stunnel.conf). Let's call it servercert.pem.
2. Actually, for the certificate to be useful, it should be saved with a special name (a hash). To find out that name, run the command
openssl x509 -hash -noout -in servercert.pem
Note the command output. That's yourhash. Of course, you will need binaries of OpenSSL. Keep in mind that the hash changes between 0.9.x and 1.0.x. So, you need to make sure you use the same version of OpenSSL your stunnel runs with.
3. Rename your certfile as yourhash.0, that is the output of the openssl x509 followed by .0
4. Set verify=4 in your stunnel.conf file.
5. Restart stunnel.
If that works, feel free to send me an Amazon Kindle :), Otherwise let me know.
Best Regards,
Jose
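Jose's five steps, as an added shell example that is not code from the thread or from the stunnel project. It assumes an OpenSSL command-line binary on PATH; host.server and port are the placeholders from John's s_client command, and servercert.pem and the CApath directory are names chosen here. It goes a little beyond the thread: the certificate is installed under both the 1.0.x hash name (-subject_hash, for which -hash is a synonym) and the 0.9.x one (-subject_hash_old), which sidesteps the version mismatch Jose warns about, and the emitted ciphers line excluding anonymous suites is the editor's addition rather than something the thread prescribes.

```shell
#!/bin/sh
# Added example, not code from the stunnel thread.  Implements the procedure
# Jose describes: fetch the server certificate, install it under the hashed
# filename OpenSSL looks up in a CApath directory, and emit the stunnel.conf
# lines that make stunnel verify against it.  Assumes an OpenSSL command-line
# binary on PATH; host.server:port is the placeholder from the thread.

# Fetch the leaf certificate the SMTP server presents after STARTTLS.
# The cipher restriction is the editor's addition: it excludes anonymous
# suites, which never carry a certificate, so there is always one to save.
fetch_server_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -starttls smtp -connect "$host:$port" \
        -cipher 'HIGH:!aNULL:!eNULL' </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out"
}

# Pick the CApath filename for a certificate: <hash>.<n>, n counting up from 0
# only when a *different* certificate already occupies the name (reinstalling
# the same certificate reuses its slot instead of adding a duplicate).
capath_name() {
    capath=$1; hash=$2; cert=$3
    n=0
    while [ -e "$capath/$hash.$n" ]; do
        cmp -s "$capath/$hash.$n" "$cert" && break
        n=$((n + 1))
    done
    printf '%s.%s' "$hash" "$n"
}

# Install the certificate under every subject-hash name the local OpenSSL can
# compute.  OpenSSL 1.0.0 and later look up trust files by the SHA-1 based
# hash printed by -subject_hash (-hash is a synonym); 0.9.x used an MD5 based
# hash, which newer builds still print with -subject_hash_old.  Installing both
# names means lookup succeeds whichever OpenSSL build stunnel is linked with.
install_trusted_cert() {
    capath=$1; cert=$2
    [ -d "$capath" ] || mkdir -p "$capath"
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || {
        echo "not an X.509 certificate: $cert" >&2
        return 1
    }
    for opt in -subject_hash -subject_hash_old; do
        hash=$(openssl x509 -noout "$opt" -in "$cert" 2>/dev/null) || continue
        name=$(capath_name "$capath" "$hash" "$cert")
        cp "$cert" "$capath/$name"
        echo "$capath/$name"
    done
}

# stunnel.conf lines for the client section.  verify = 4 is what the thread
# uses (check only the peer certificate, ignore any CA chain).  The ciphers
# line is the editor's addition: !aNULL removes anonymous suites such as the
# ADH-AES256-SHA (Au=None) seen in the log, which never carry a certificate.
stunnel_verify_conf() {
    cat <<EOF
CApath = $1
verify = 4
ciphers = HIGH:!aNULL:!eNULL
EOF
}

# Usage: sh thisscript.sh host.server port /path/to/capath
if [ $# -eq 3 ]; then
    fetch_server_cert "$1" "$2" servercert.pem
    install_trusted_cert "$3" servercert.pem
    stunnel_verify_conf "$3"
fi
```

The certificate printed by openssl s_client is the server's leaf certificate, the same "peer certificate" stunnel reports missing when an anonymous suite is negotiated. With verify = 4 stunnel compares the peer certificate against the hashed copy in CApath and ignores any CA chain, so the file installed must be the server's own certificate, not its issuer's.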
________________________________ From: John A. Wallace jw72253@verizon.net To: stunnel-users@stunnel.org Sent: Friday, January 20, 2012 1:51 PM Subject: Re: [stunnel-users] certificate authentications
Jose,
Outstanding reply! This was even better than I hoped for. Your cautionary advice about the correct OpenSSL version was especially helpful to the effective outcome, as sure enough the OpenSSL that I have installed currently is the newest release but the most current Windows binary of Stunnel has one that is older, and the difference in them corresponds exactly to that which you noted, namely, the 0.9.x and 1.0.x hash changes. I will be sure to use the same OpenSSL that came along with Stunnel instead of the standalone version.
I do have one question now related to the retrieval of certs in Stunnel. It looks like there is a context menu with a right-click option to import a certificate, using the tray icon. I was wondering how that would work as compared to the manual method you described? When I look at the option it appears to be grayed out, but it may be that I have not selected it at the appropriate time. Muchas gracias.
John
From: Jose Alf. [mailto:josealf@rocketmail.com] Sent: Friday, January 20, 2012 10:56 PM To: John A. Wallace; stunnel-users@stunnel.org Subject: Re: [stunnel-users] certificate authentications
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
John,
Glad it worked. Yes, the option to save peer certificates in recent stunnel versions works. I thought about mentioning it, but I left that out, as I wasn't sure you were on Windows. In any case, you need to rename the certificate file.
BTW, I can supply you binaries of stunnel and the corresponding openssl toolkit (.exe and .dlls) compiled with gcc 4.4.4 with no trojan code :)
Regards,
Jose
-----Original Message----- From: "John A. Wallace" jw72253@verizon.net Date: Sat, 21 Jan 2012 10:55:31 -0600 To: 'Jose Alf.'josealf@rocketmail.com; stunnel-users@stunnel.org Subject: RE: [stunnel-users] certificate authentications
Jose,
Thanks, again; and thanks for the offer, but I believe I have the most recent binary of Stunnel: “stunnel 4.50 on x86-pc-mingw32-gnu platform”. It looks like there is now a gcc 4.4.6 available too. Take care. :-)
John
From: josealf@rocketmail.com [mailto:josealf@rocketmail.com] Sent: Saturday, January 21, 2012 11:30 AM To: John A. Wallace; stunnel-users@stunnel.org Subject: Re: [stunnel-users] certificate authentications