Hi:
I upgraded to the current 4.26 as I was having an issue with 4.15. The idea is to secure IMAP traffic as well as inbound SMTP. The email client is the latest Thunderbird and seems to be very stable. The mail Host is a Sun E-250 with current patches for Solaris 9.
Note: I am using a public certificate and, as it is from "godaddy.com", it is this unusual two-part certificate. This may be where the problem is, as I had to combine the two public certificate files together (maybe the next version of STUNNEL could do this automatically so the risk of errors is reduced!).
However, using STUNNEL, I am having an issue connecting as I get a strange error message and the connection dies.
Error Log:
2008.10.19 13:10:41 LOG7[2104:1]: imaps accepted FD=0 from 80.38.96.194:4129
2008.10.19 13:10:41 LOG7[2104:3]: imaps started
2008.10.19 13:10:41 LOG7[2104:3]: FD 0 in non-blocking mode
2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:41 LOG7[2104:3]: TCP_NODELAY option set on local socket
2008.10.19 13:10:41 LOG7[2104:3]: Waiting for a libwrap process
2008.10.19 13:10:41 LOG7[2104:3]: Acquired libwrap process #0
2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:41 LOG7[2104:3]: Releasing libwrap process #0
2008.10.19 13:10:41 LOG7[2104:3]: Released libwrap process #0
2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:41 LOG7[2104:3]: imaps permitted by libwrap from 80.38.96.194:4129
2008.10.19 13:10:41 LOG5[2104:3]: imaps accepted connection from 80.38.96.194:4129
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): before/accept initialization
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 read client hello A
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write server hello A
2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write certificate A
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write certificate request A
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 flush data
2008.10.19 13:10:42 LOG7[2104:3]: SSL alert (read): warning: no certificate
2008.10.19 13:10:42 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:42 LOG7[2104:3]: SSL alert (write): fatal: handshake failure
2008.10.19 13:10:42 LOG3[2104:3]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2008.10.19 13:10:42 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:42 LOG5[2104:3]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.10.19 13:10:42 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:42 LOG7[2104:3]: imaps finished (0 left)
See the weird no client peer handshake????
The configuration file:
# more /usr/local/etc/stunnel/stunnel.conf
# stunnel configuration file
# Use to provide ssl protection for https, pop3 and imap
#
# Setting up the root jail
chroot = /usr/local/var/stunnel
#
# The PID is created inside chroot jail
pid = /stunnel.pid
setuid = nobody
setgid = nogroup

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

# Authentication stuff
verify = 3

# Certificates to use
# cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/_.cellmail.com.crt
# SSLCertificateChainFile = /usr/local/etc/stunnel/gd_intermediate_bundle.crt

# Some debugging stuff
debug = 7
output = /var/log/stunnel.log

# Use it for client mode
#client = yes

# Service-level configuration
[pop3s]
accept = 199.4.110.39:995
connect = 110

[imaps]
accept = 199.4.110.39:993
connect = 143

[ssmtp]
accept = 199.4.110.39:465
connect = frog.cellmail.com:25

# TIMEOUTclose = 0
The startup log:
2008.10.19 13:02:50 LOG7[2077:1]: Snagged 64 random bytes from /export/home/kgreene/.rnd
2008.10.19 13:02:50 LOG7[2077:1]: Wrote 1024 new random bytes to /export/home/kgreene/.rnd
2008.10.19 13:02:50 LOG7[2077:1]: RAND_status claims sufficient entropy for the PRNG
2008.10.19 13:02:50 LOG7[2077:1]: PRNG seeded successfully
2008.10.19 13:02:50 LOG7[2077:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Certificate loaded
2008.10.19 13:02:50 LOG7[2077:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Private key loaded
2008.10.19 13:02:50 LOG7[2077:1]: Loaded verify certificates from /usr/local/etc/stunnel/_.cellmail.com.crt
2008.10.19 13:02:50 LOG7[2077:1]: Loaded /usr/local/etc/stunnel/_.cellmail.com.crt revocation lookup file
2008.10.19 13:02:50 LOG7[2077:1]: SSL context initialized for service pop3s
2008.10.19 13:02:50 LOG7[2077:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Certificate loaded
2008.10.19 13:02:50 LOG7[2077:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Private key loaded
2008.10.19 13:02:50 LOG7[2077:1]: Loaded verify certificates from /usr/local/etc/stunnel/_.cellmail.com.crt
2008.10.19 13:02:50 LOG7[2077:1]: Loaded /usr/local/etc/stunnel/_.cellmail.com.crt revocation lookup file
2008.10.19 13:02:50 LOG7[2077:1]: SSL context initialized for service imaps
2008.10.19 13:02:50 LOG7[2077:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Certificate loaded
2008.10.19 13:02:50 LOG7[2077:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Private key loaded
2008.10.19 13:02:50 LOG7[2077:1]: Loaded verify certificates from /usr/local/etc/stunnel/_.cellmail.com.crt
2008.10.19 13:02:50 LOG7[2077:1]: Loaded /usr/local/etc/stunnel/_.cellmail.com.crt revocation lookup file
2008.10.19 13:02:50 LOG7[2077:1]: SSL context initialized for service ssmtp
2008.10.19 13:02:50 LOG5[2077:1]: stunnel 4.26 on sparc-sun-solaris2.9 with OpenSSL 0.9.8h 28 May 2008
2008.10.19 13:02:50 LOG5[2077:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.10.19 13:02:50 LOG6[2077:1]: file ulimit = 256 (can be changed with 'ulimit -n')
2008.10.19 13:02:50 LOG6[2077:1]: poll() used - no FD_SETSIZE limit for file descriptors
2008.10.19 13:02:50 LOG5[2077:1]: 125 clients allowed
2008.10.19 13:02:50 LOG7[2077:1]: FD 11 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: FD 12 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: FD 13 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: SO_REUSEADDR option set on accept socket
2008.10.19 13:02:50 LOG7[2077:1]: pop3s bound to 199.4.110.39:995
2008.10.19 13:02:50 LOG7[2077:1]: FD 14 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: SO_REUSEADDR option set on accept socket
2008.10.19 13:02:50 LOG7[2077:1]: imaps bound to 199.4.110.39:993
2008.10.19 13:02:50 LOG7[2077:1]: FD 15 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: SO_REUSEADDR option set on accept socket
2008.10.19 13:02:50 LOG7[2077:1]: ssmtp bound to 199.4.110.39:465
2008.10.19 13:02:50 LOG7[2083:1]: Created pid file /stunnel.pid
2008.10.19 13:02:50 LOG7[2083:1]: Cleaning up the signal pipe
Hello,
I think your problem is in your config file for the server. In your config file you have the following option:
# Authentication stuff
verify = 3
You probably don't want this option set, because you are asking the client and the server to authenticate each other based on certificates... which I don't think is the case here.
On your log file there is this line which is a good indicator of your problem.
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
I hope this helps
--- On Sun, 10/19/08, Editor (Kevin) editor@cellmail.com wrote:
From: Editor (Kevin) editor@cellmail.com
Subject: [stunnel-users] Version 4.26 and using to secure IMAPS & POP3
To: stunnel-users@mirt.net
Date: Sunday, October 19, 2008, 8:21 AM
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
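As an added illustration of the diagnosis in the reply above (this is not code from the thread or from the stunnel project), the script below re-implements two small checks a server admin can run offline: a parser for stunnel's `LOGn[pid:tid]:` debug lines that spots the "certificate request" followed by "peer did not return a certificate" pattern, and a minimal stunnel.conf reader that flags `verify = 2` or `verify = 3` in a service that is not in client mode, since at those levels every connecting mail client must present its own certificate. The sample log lines and the posted config fragment are copied from the thread; the "fixed" config is an assumption that follows the reply's suggestion (drop `verify`, and set `cert` explicitly rather than relying on the default stunnel.pem the startup log shows being picked up).

```python
"""Offline diagnosis of an stunnel server-side handshake failure.

Added example for this thread, not stunnel's own code.  Re-implements a
minimal stunnel.conf reader and a LOGn[pid:tid] log-line parser.
"""
import re
from collections import OrderedDict

# stunnel 4.x log line: "2008.10.19 13:10:42 LOG3[2104:3]: message"
LOG_RE = re.compile(
    r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG(\d)\[(\d+):(\d+)\]: (.*)$"
)

# Lines copied from the thread's error log (subset).
SAMPLE_LOG = """\
2008.10.19 13:10:41 LOG5[2104:3]: imaps accepted connection from 80.38.96.194:4129
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write certificate A
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write certificate request A
2008.10.19 13:10:42 LOG7[2104:3]: SSL alert (read): warning: no certificate
2008.10.19 13:10:42 LOG7[2104:3]: SSL alert (write): fatal: handshake failure
2008.10.19 13:10:42 LOG3[2104:3]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
"""

# Relevant part of the config as posted (verify = 3, cert commented out).
POSTED_CONF = """\
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
# Authentication stuff
verify = 3
# cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/_.cellmail.com.crt
[imaps]
accept = 199.4.110.39:993
connect = 143
"""

# Assumed fix following the reply: no verify line, cert set explicitly.
FIXED_CONF = """\
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
cert = /usr/local/etc/stunnel/stunnel.pem
[imaps]
accept = 199.4.110.39:993
connect = 143
"""


def parse_log(text):
    """Return a list of (timestamp, level, pid, tid, message) tuples."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, level, pid, tid, msg = m.groups()
            entries.append((ts, int(level), int(pid), int(tid), msg))
    return entries


def handshake_verdict(entries):
    """Explain the failure if the server asked for a client cert it never got."""
    requested = any("write certificate request" in e[4] for e in entries)
    missing = any("peer did not return a certificate" in e[4] for e in entries)
    if requested and missing:
        return ("server requested a client certificate (verify >= 2) "
                "but the client sent none")
    if missing:
        return "peer did not return a certificate"
    return None


def parse_conf(text):
    """Minimal stunnel.conf reader: globals precede the first [section];
    '#' and ';' start comments; a repeated key overrides the earlier one."""
    globals_, sections, current = OrderedDict(), OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = OrderedDict()
            continue
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        (globals_ if current is None else sections[current])[key] = value
    return globals_, sections


def lint_conf(text):
    """Per service, flag settings that produce 'no client certificate' failures."""
    globals_, sections = parse_conf(text)
    findings = []
    for name, opts in sections.items():
        eff = dict(globals_)       # service options override globals
        eff.update(opts)
        client_mode = eff.get("client", "no").lower() == "yes"
        level = int(eff.get("verify", "0"))   # stunnel default: no verification
        if not client_mode and level >= 2:
            findings.append(f"[{name}] verify = {level} in server mode: every "
                            "connecting mail client must present a certificate "
                            "or the handshake fails")
        if "cert" not in eff:
            findings.append(f"[{name}] no 'cert' option: stunnel falls back to "
                            "its default certificate path (see startup log)")
    return findings


if __name__ == "__main__":
    print("log verdict:", handshake_verdict(parse_log(SAMPLE_LOG)))
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label, "config findings:", lint_conf(conf) or "none")
```

Run it against a real `/var/log/stunnel.log` and `stunnel.conf` by reading the files into the two functions; the verdict line pairs the `write certificate request` state with the `SSL3_GET_CLIENT_CERTIFICATE` error, which is exactly the sequence the reply points at.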