Hi,
I wonder if you could possibly help me get Stunnel ver. 4.26 working with Yahoo.com email? I have been trying to get it working and can't see what the problem is. I do have it working with Gmail just fine.
My email client is set up with:
Email server: 127.0.0.1
Email user: 127.0.0.1/11011/MyUserName@yahoo.com
Email password: <InsertPassword>
Port: 9999
My email client is connecting to K9. K9 connects to Stunnel on port 11011.
I'm running this in Win '98se. I'm following the instructions to use Yahoo POP3 Free at: http://sajeevnairs.blogspot.com/2009/03/pop3-access-in-yahoo-mail-free.html
I think it's saying: SSL alert (read): fatal: bad certificate
How can I get a good certificate for Stunnel to use? How would I set that up in Stunnel?
Conf:
cert = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration
[pop3_DslextremeGmail]
accept = 127.0.0.1:11010
connect = pop.gmail.com:995
delay = yes

[pop3_Yahoo]
accept = 127.0.0.1:11011
connect = pop.mail.yahoo.com:995
delay = yes
Log:
2009.05.14 15:48:12 LOG7[16278859:16041803]: RAND_status claims sufficient entropy for the PRNG
2009.05.14 15:48:12 LOG7[16278859:16041803]: PRNG seeded successfully
2009.05.14 15:48:12 LOG7[16278859:16041803]: Certificate: stunnel.pem
2009.05.14 15:48:12 LOG7[16278859:16041803]: Certificate loaded
2009.05.14 15:48:12 LOG7[16278859:16041803]: Key file: stunnel.pem
2009.05.14 15:48:12 LOG7[16278859:16041803]: Private key loaded
2009.05.14 15:48:12 LOG7[16278859:16041803]: SSL context initialized for service pop3_DslextremeDocfxitGmail
2009.05.14 15:48:12 LOG7[16278859:16041803]: Certificate: stunnel.pem
2009.05.14 15:48:12 LOG7[16278859:16041803]: Certificate loaded
2009.05.14 15:48:12 LOG7[16278859:16041803]: Key file: stunnel.pem
2009.05.14 15:48:12 LOG7[16278859:16041803]: Private key loaded
2009.05.14 15:48:12 LOG7[16278859:16041803]: SSL context initialized for service pop3_Docfxit_Yahoo
2009.05.14 15:48:12 LOG5[16278859:16041803]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008
2009.05.14 15:48:12 LOG5[16278859:16041803]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv4
2009.05.14 15:48:12 LOG5[16278859:16039767]: No limit detected for the number of clients
2009.05.14 15:48:12 LOG7[16278859:16039767]: FD 56 in non-blocking mode
2009.05.14 15:48:12 LOG7[16278859:16039767]: SO_REUSEADDR option set on accept socket
2009.05.14 15:48:12 LOG7[16278859:16039767]: pop3_DslextremeDocfxitGmail bound to 127.0.0.1:11010
2009.05.14 15:48:12 LOG7[16278859:16039767]: FD 60 in non-blocking mode
2009.05.14 15:48:12 LOG7[16278859:16039767]: SO_REUSEADDR option set on accept socket
2009.05.14 15:48:12 LOG7[16278859:16039767]: pop3_Docfxit_Yahoo bound to 127.0.0.1:11011
2009.05.14 15:48:30 LOG7[16278859:16039767]: pop3_Docfxit_Yahoo accepted FD=64 from 127.0.0.1:1105
2009.05.14 15:48:30 LOG7[16278859:16039767]: Creating a new thread
2009.05.14 15:48:30 LOG7[16278859:16039767]: New thread created
2009.05.14 15:48:30 LOG7[16278859:16038719]: pop3_Docfxit_Yahoo started
2009.05.14 15:48:30 LOG7[16278859:16038719]: FD 64 in non-blocking mode
2009.05.14 15:48:30 LOG7[16278859:16038719]: TCP_NODELAY option set on local socket
2009.05.14 15:48:30 LOG5[16278859:16038719]: pop3_Docfxit_Yahoo accepted connection from 127.0.0.1:1105
2009.05.14 15:48:30 LOG7[16278859:16038719]: FD 76 in non-blocking mode
2009.05.14 15:48:30 LOG7[16278859:16038719]: pop3_Docfxit_Yahoo connecting 68.142.206.14:995
2009.05.14 15:48:30 LOG7[16278859:16038719]: connect_wait: waiting 10 seconds
2009.05.14 15:48:30 LOG7[16278859:16038719]: connect_wait: connected
2009.05.14 15:48:30 LOG5[16278859:16038719]: pop3_Docfxit_Yahoo connected remote server from 192.168.1.3:1106
2009.05.14 15:48:30 LOG7[16278859:16038719]: Remote FD=76 initialized
2009.05.14 15:48:30 LOG7[16278859:16038719]: TCP_NODELAY option set on remote socket
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): before/connect initialization
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write client hello A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 read server hello A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 read server certificate A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 read server certificate request A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 read server done A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write client certificate A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write client key exchange A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write certificate verify A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write change cipher spec A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write finished A
2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 flush data
2009.05.14 15:48:30 LOG3[16278859:16038719]: SSL_connect: Peer suddenly disconnected
2009.05.14 15:48:30 LOG5[16278859:16038719]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2009.05.14 15:48:30 LOG7[16278859:16038719]: pop3_Docfxit_Yahoo finished (0 left)
Thank you for looking at it...
Gary
Gary Kuznitz wrote:
How can I get a good certificate for Stunnel to use? How would I set that up in Stunnel?
You don't really need a certificate for an SSL client. Just disable it. You rather want to set up server certificate verification with "CAfile" and "verify".
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
IMHO it's not a good idea for non-interactive connections, e.g. pop3.
[pop3_DslextremeGmail]
accept = 127.0.0.1:11010
connect = pop.gmail.com:995
delay = yes

[pop3_Yahoo]
accept = 127.0.0.1:11011
connect = pop.mail.yahoo.com:995
delay = yes
[cut]
2009.05.14 15:48:12 LOG7[16278859:16041803]: SSL context initialized for service pop3_Docfxit_Yahoo
I guess you use a different configuration file, as pop3_Docfxit_Yahoo is not defined in the one you sent.
Best regards, Mike
Thank you for the reply...
On 15 May 2009 at 20:55, Michal (Michal Trojnara Michal.Trojnara@mobi-com.net) commented about Re: [stunnel-users] Can't connect to Yahoo POP3:
Gary Kuznitz wrote:
How can I get a good certificate for Stunnel to use? How would I set that up in Stunnel?
You don't really need a certificate for an SSL client. Just disable it.
How can I disable it?
You rather want to set up server certificate verification with "CAfile" and "verify".
I have un-commented:
CAfile = certs.pem
verify = 2
That gave me an error:
2009.05.15 12:38:13 LOG3[16278859:16279139]: Error loading verify certificates from certs.pem
2009.05.15 12:38:13 LOG3[16278859:16279139]: error stack: B084002 : error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
2009.05.15 12:38:13 LOG3[16278859:16279139]: error stack: 2006D080 : error:2006D080:BIO routines:BIO_new_file:no such file
2009.05.15 12:38:13 LOG3[16278859:16279139]: SSL_CTX_load_verify_locations: 2001002: error:02001002:system library:fopen:No such file or directory
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
IMHO it's not a good idea for non-interactive connections, e.g. pop3.
I will comment out both of the above.
[pop3_DslextremeGmail]
accept = 127.0.0.1:11010
connect = pop.gmail.com:995
delay = yes

[pop3_Yahoo]
accept = 127.0.0.1:11011
connect = pop.mail.yahoo.com:995
delay = yes
[cut]
2009.05.14 15:48:12 LOG7[16278859:16041803]: SSL context initialized for service pop3_Docfxit_Yahoo
I guess you use a different configuration file, as pop3_Docfxit_Yahoo is not defined in the one you sent.
I'm sorry. I'm really using [pop3_Yahoo]
After I make a change to the conf file, do I have to reboot the PC, or is it enough to exit Stunnel and launch it again?
Thank you,
Gary Kuznitz
Best regards, Mike
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Gary Kuznitz wrote:
How can I get a good certificate for Stunnel to use? How would I set that up in Stunnel?
You don't really need a certificate for an SSL client. Just disable it.
How can I disable it?
Change:
cert = stunnel.pem
to:
; cert = stunnel.pem
You rather want to set up server certificate verification with "CAfile" and "verify".
I have un-commented:
CAfile = certs.pem
verify = 2
You need verify=3.
Do not just uncomment options. Please Read The Fine Manual, first.
That gave me an error: 2009.05.15 12:38:13 LOG3[16278859:16279139]: Error loading verify certificates from certs.pem
Did you download the Yahoo certificate into certs.pem?
Hint: You can use openssl s_client to download the remote certificate.
Mike
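Added example for this page, not code from the thread and not stunnel's own: a small Python script that applies the advice in Mike's two replies to a config like the one in Gary's first post. It pulls the PEM certificate out of saved `openssl s_client -showcerts` output, writes it to certs.pem, comments out `cert =`, puts `CAfile` and `verify = 3` into the global section, and lints the result. The config text and the s_client output embedded in it are constructed samples (the PEM body is a placeholder, not a real certificate), and the lint messages encode the thread's advice rather than a full reading of the stunnel manual.

```python
import os
import re
import tempfile

# Constructed sample: the client-mode config posted in the thread, reduced to the Yahoo service.
ORIGINAL_CONF = """\
cert = stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes

[pop3_Yahoo]
accept = 127.0.0.1:11011
connect = pop.mail.yahoo.com:995
delay = yes
"""

# Constructed sample of `openssl s_client -connect host:995 -showcerts` output; the PEM
# body is a placeholder, not a real certificate.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
Certificate chain
 0 s:/C=US/O=Example/CN=pop.mail.yahoo.com
-----BEGIN CERTIFICATE-----
MIIBplaceholderNOTaREALcertificateAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
---
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n", re.S)


def extract_pem_certs(s_client_output):
    """Every PEM certificate block printed by openssl s_client (-showcerts prints the chain)."""
    return PEM_RE.findall(s_client_output)


def parse_stunnel_conf(text):
    """(global_opts, {service: opts}); keys lower-cased, repeated keys like `socket` kept as lists."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":                # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                          # [service] opens a service section
            current = services.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else current
        target.setdefault(key.strip().lower(), []).append(value.strip())
    return global_opts, services


def lint_client_conf(text, cwd="."):
    """Findings for a client-mode config, following the advice given in the thread."""
    g, _ = parse_stunnel_conf(text)
    if g.get("client", ["no"])[0].lower() != "yes":
        return ["not a client-mode config; these checks do not apply"]
    findings = []
    if "cert" in g:
        findings.append("cert= set in client mode: stunnel presents it whenever the server sends "
                        "a certificate request; comment it out unless the server expects one")
    if "verify" not in g:
        return findings + ["no verify=: the server certificate is never checked"]
    level = g["verify"][0]
    if "cafile" not in g and "capath" not in g:
        findings.append("verify=%s without CAfile/CApath: nothing to verify against" % level)
    for path in g.get("cafile", []):
        if not os.path.exists(os.path.join(cwd, path)):
            findings.append("CAfile=%s does not exist (stunnel logs 'No such file or directory')" % path)
    if level != "3":
        findings.append("verify=%s: with the server's own downloaded certificate in CAfile, the "
                        "thread's advice is verify=3 (check against locally installed certificate)" % level)
    return findings


def harden_client_conf(text, cafile="certs.pem"):
    """Comment out cert= and put CAfile / verify=3 into the global section."""
    out, in_global, inserted = [], True, False
    for raw in text.splitlines():
        stripped = raw.strip()
        key = stripped.partition("=")[0].strip().lower()
        if stripped.startswith("["):                    # first [service] closes the global block
            if not inserted:
                out.extend(["CAfile = " + cafile, "verify = 3", ""])
                inserted = True
            in_global = False
        if in_global and key == "cert":
            out.append("; " + raw)                       # a client needs no certificate of its own
            continue
        if in_global and key in ("cafile", "verify"):
            continue                                     # superseded by the inserted lines
        out.append(raw)
    if not inserted:
        out.extend(["CAfile = " + cafile, "verify = 3"])
    return "\n".join(out) + "\n"


def demo(workdir=None):
    """Write certs.pem from the s_client capture, harden the config, re-lint; returns findings."""
    workdir = workdir or tempfile.mkdtemp()
    with open(os.path.join(workdir, "certs.pem"), "w") as fh:
        fh.write("".join(extract_pem_certs(S_CLIENT_OUTPUT)))
    hardened = harden_client_conf(ORIGINAL_CONF)
    with open(os.path.join(workdir, "stunnel.conf"), "w") as fh:
        fh.write(hardened)
    return lint_client_conf(hardened, cwd=workdir)
```

Run `lint_client_conf(ORIGINAL_CONF)` to see the two findings Gary's posted config produces (client certificate configured, no verification), then `demo()` for the hardened config, which lints clean once certs.pem is in place. On a real host, replace S_CLIENT_OUTPUT with the saved output of `openssl s_client -connect pop.mail.yahoo.com:995 -showcerts` and check the printed subject before trusting it.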
On Fri, 2009-05-15 20:55:12 +0200, Michal Trojnara wrote:
Gary Kuznitz wrote:
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
IMHO it's not a good idea for non-interactive connections, e.g. pop3.
On the contrary, I think Stunnel should disable Nagle by default:
If the Nagle algorithm is enabled, the TCP layer delays sending of small chunks of data for some ms in the expectation of other small chunks to be fed to the socket. The small chunks are then combined and sent in one single IP packet.
This is reasonable for connections that transport larger amounts of data without waiting for an explicit acknowledge from the receiver (on the application level). For e.g. POP3, this allows the application to feed the mail body line-by-line to the TCP socket, without sending silly small 80-byte packets over the wire.
For interactive connections (or even during the protocol handshake of POP3) the Nagle algorithm adds an extra delay to each round-trip. This is why it's up to the application to decide for or against Nagle.
However, the stunnel sockets are not connected to the application. Stunnel just forwards data from one socket to another (besides encrypting, of course). For that, it reads as much data as available from one socket and immediately feeds it to the other one. Provided the original application configured Nagle appropriately, there are no silly small packets on the wire. Thus, the size of the data chunks Stunnel reads and writes are suitable for the protocol already. I don't see a reason for additional delays.
I can imagine one situation where it would be reasonable to have Nagle enabled for Stunnel: if the tunnel end point is on the same box as the application, and the TCP layer is clever enough to skip Nagle for 'local' connections, then Stunnel may have Nagle enabled on the socket connected to the 'remote' host.
Disabling Nagle on sockets to localhost should always be a good idea.
Ludolf
P.S. @Gary: Don't worry too much about setting TCP_NODELAY or not. The effect of the Nagle algorithm may be measurable, but I don't expect you to feel a difference while fetching e-mails.
Ludolf Holzheid wrote:
However, the stunnel sockets are not connected to the application. Stunnel just forwards data from one socket to another (besides encrypting, of course). For that, it reads as much data as available from one socket and immediately feeds it to the other one. Provided the original application configured Nagle appropriately, there are no silly small packets on the wire.
Good point. I fully agree that the Nagle algorithm should only be enabled on the original source (if needed) and not on a proxy (e.g. stunnel). Thank you very much.
Best regards, Mike
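Added example, not code from the thread or from stunnel: a Python model of the two `socket = l:...` / `socket = r:...` lines under discussion. It parses stunnel's `socket = side:OPTION=VALUE` syntax (side `a`, `l` or `r` for the accepting, local and remote socket, as in the stunnel manual), applies the parsed options with setsockopt() to a loopback connection standing in for stunnel's local (accepted from the mail client) and remote (opened towards the server) sockets, and reads TCP_NODELAY back with getsockopt(). The option table is this example's own and covers only a couple of names; everything runs on 127.0.0.1.

```python
import socket

# Option name -> (level, optname).  This example's own table; extend as needed.
OPTION_TABLE = {
    "TCP_NODELAY": (socket.IPPROTO_TCP, socket.TCP_NODELAY),
    "SO_KEEPALIVE": (socket.SOL_SOCKET, socket.SO_KEEPALIVE),
}


def parse_socket_option(line):
    """'socket = l:TCP_NODELAY=1' -> ('l', 'TCP_NODELAY', 1).
    Side is a (accepting socket), l (local, accepted socket) or r (remote, connected socket)."""
    key, _, value = line.partition("=")
    if key.strip().lower() != "socket":
        raise ValueError("not a socket option line: %r" % line)
    side, _, rest = value.strip().partition(":")
    name, _, val = rest.partition("=")
    name = name.strip()
    if side not in ("a", "l", "r") or name not in OPTION_TABLE:
        raise ValueError("unsupported socket option: %r" % line)
    return side, name, int(val)


def apply_options(sock, side, options):
    """setsockopt() every parsed option whose side matches."""
    for opt_side, name, val in options:
        if opt_side == side:
            level, optname = OPTION_TABLE[name]
            sock.setsockopt(level, optname, val)


def nodelay(sock):
    """Current TCP_NODELAY value (0 means Nagle is active)."""
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY)


def loopback_demo(config_lines):
    """Stand-in for stunnel's two sockets: `local` is the connection accepted from the mail
    client, `remote` the one stunnel opened towards the server (here they are simply the two
    ends of one loopback connection).  Returns TCP_NODELAY before and after the config."""
    options = [parse_socket_option(l) for l in config_lines]
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    remote = socket.create_connection(srv.getsockname())   # the kernel completes the handshake
    local, _ = srv.accept()
    result = {"local_before": nodelay(local), "remote_before": nodelay(remote)}
    apply_options(local, "l", options)
    apply_options(remote, "r", options)
    result.update(local_after=nodelay(local), remote_after=nodelay(remote))
    for s in (local, remote, srv):
        s.close()
    return result


if __name__ == "__main__":
    print(loopback_demo(["socket = l:TCP_NODELAY=1", "socket = r:TCP_NODELAY=1"]))
```

With both lines from Gary's config the local and remote values go from 0 to non-zero; drop the `r:` line and only the local side changes, which is the "disable Nagle on sockets to localhost" variant Ludolf describes.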
Hi,
We need dual-stack support for IPv6 and IPv4. We are currently using stunnel v4.25 to encrypt traffic between the mod_jk connector and the JBoss Application Server, so one node in a cluster can be an IPv4 machine and another can have an IPv6 address.
We would like to know if stunnel v4.25 supports both IPv4 and IPv6 setup.
Is exclusive support for IPv6 available in stunnel v4.25?
Thanks, Gaurav
Bansal, Gaurav (Gaurav) wrote:
We need dual-stack support for IPv6 and IPv4. We are currently using stunnel v4.25 to encrypt traffic between the mod_jk connector and the JBoss Application Server, so one node in a cluster can be an IPv4 machine and another can have an IPv6 address.
We would like to know if stunnel v4.25 supports both IPv4 and IPv6 setup.
IPv6-enabled stunnel gracefully handles both IPv4 and IPv6 addresses. You can accept connections on IPv4 and IPv6 addresses, and you can connect to IPv4 and IPv6 addresses without any special precautions.
Is exclusive support for IPv6 available in stunnel v4.25?
I'm not sure I understand what you mean by "exclusive support for IPv6"... If you only accept connections on an IPv6 address I guess you could say you "exclusively" support it.
Mike
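Added example, not from the thread and not stunnel code: what "accept on an IPv6 address and still get IPv4 clients" versus "exclusively IPv6" looks like at the socket layer, which is what an IPv6-enabled stunnel build relies on. A listener on `::` with IPV6_V6ONLY=0 is dual-stack and sees IPv4 clients as `::ffff:a.b.c.d`; the same listener with IPV6_V6ONLY=1 refuses them. The hosts and the probe helper are this example's own, no stunnel option syntax is implied, and a host without IPv6 sockets is reported rather than treated as an error. (Whether a given build is IPv6-enabled shows in the startup log; Gary's log above says `Sockets:SELECT,IPv4`.)

```python
import socket


def listener(host, v6only=None):
    """Listen on an ephemeral port.  For AF_INET6, IPV6_V6ONLY=0 gives a dual-stack socket
    (IPv4 clients arrive as ::ffff:a.b.c.d), IPV6_V6ONLY=1 an IPv6-only one."""
    fam = socket.AF_INET6 if ":" in host else socket.AF_INET
    s = socket.socket(fam, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if fam == socket.AF_INET6 and v6only is not None:
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
    s.bind((host, 0))
    s.listen(1)
    s.settimeout(2)
    return s


def probe(srv, client_host):
    """Connect to srv from client_host; return the peer address srv sees, or 'refused'."""
    port = srv.getsockname()[1]
    fam = socket.AF_INET6 if ":" in client_host else socket.AF_INET
    c = socket.socket(fam, socket.SOCK_STREAM)
    c.settimeout(2)
    try:
        c.connect((client_host, port))
        conn, peer = srv.accept()
    except OSError:                       # ECONNREFUSED, no ::1, timeout, ...
        c.close()
        return "refused"
    conn.close()
    c.close()
    return peer[0]


def dual_stack_demo():
    """Probe an IPv4 listener, a dual-stack IPv6 listener and an IPv6-only listener
    from IPv4 and IPv6 clients on loopback."""
    out = {}
    v4 = listener("127.0.0.1")
    out["v4_listener/v4_client"] = probe(v4, "127.0.0.1")
    v4.close()
    try:
        dual = listener("::", v6only=0)
        out["dual_listener/v4_client"] = probe(dual, "127.0.0.1")   # expect ::ffff:127.0.0.1
        out["dual_listener/v6_client"] = probe(dual, "::1")
        dual.close()
        only = listener("::", v6only=1)
        out["v6only_listener/v4_client"] = probe(only, "127.0.0.1")  # expect refused
        out["v6only_listener/v6_client"] = probe(only, "::1")
        only.close()
    except OSError as exc:                # host has no IPv6 sockets at all
        out["ipv6"] = "unavailable: %s" % exc
    return out


if __name__ == "__main__":
    for k, v in dual_stack_demo().items():
        print("%-28s %s" % (k, v))
```

On a host with IPv6 on loopback the dual-stack listener reports the IPv4 client as `::ffff:127.0.0.1` while the IPv6-only listener refuses it; that is the difference between "handles both" and "exclusively IPv6" in Mike's reply. Note that the OS default for IPV6_V6ONLY differs between platforms, so a daemon that wants dual-stack behaviour should set it explicitly rather than rely on the default.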
Thanks for the response. I got answers to my queries.
When you say "IPv6-enabled stunnel", do you mean that we need to provide the parameter "IPV6=on" at compile time? Is there any other parameter that we need to provide?
Is the support for IPv6 not turned on by default?
Is there any other configuration required for OpenSSL?
Thanks, Gaurav
-----Original Message-----
From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Michal Trojnara
Sent: Monday, May 18, 2009 1:36 PM
To: stunnel-users@mirt.net
Subject: Re: [stunnel-users] Stunnel v4.25 support for IPv6
[cut]