[stunnel-users] IMAP TLS support in stunnel 4?
George Hartzell
hartzell at kestrel.alerce.com
Wed Oct 12 02:10:49 CEST 2005
Scott Gifford writes:
> [...]
> The patches should be fairly easy to update to version 4, or you could
> just use version 3. If you forward-port the patches to version 4, let
> me know and I'll add a link to my Web page.
I've decided to see if I could add IMAP STARTTLS support to version 4,
based on Scott's patch to 3.22.
I've disentangled what I think are the STARTTLS specific pieces and
recast them in the version 4 idiom. I'm playing with pop3 since I can
have openssl's s_client negotiate the STARTTLS part for me. I have it
working in pass-through mode (just proxying a non-ssl conversation),
but can't get the STARTTLS part going.
Using "openssl s_client -connect demo:pop3s" to hit an stunnel process
that's expecting an ssl connect (e.g. the default behaviour) works
fine.
Telnet-ing to demo, port pop3 (which hits stunnel listening in 'pop3'
mode) then running through a simple "USER, PASS, RETR" session works
fine.
If I do "openssl s_client -connect demo:pop3 -starttls pop3" I get:
13845:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:
and if I add -debug, I get:
(demo)[4:15pm]stunnel>>openssl s_client -connect demo:pop3 -starttls pop3 -debug
CONNECTED(00000003)
read from 08094700 [080A7000] (8192 bytes => 99 (0x63))
0000 - 2b 4f 4b 20 44 42 4d 41-49 4c 20 70 6f 70 33 20 +OK DBMAIL pop3
0010 - 73 65 72 76 65 72 20 72-65 61 64 79 20 74 6f 20 server ready to
0020 - 72 6f 63 6b 20 3c 31 63-64 35 61 66 37 31 34 37 rock <1cd5af7147
0030 - 65 31 39 31 31 38 37 33-37 64 61 62 62 39 33 65 e19118737dabb93e
0040 - 36 61 38 35 30 61 40 64-65 6d 6f 2e 61 6c 65 72 6a850a at demo.aler
0050 - 63 65 2e 63 6f 6d 3e 20-2b 20 73 74 75 6e 6e 65 ce.com> + stunne
0060 - 6c 0d 0a l..
write to 08094700 [BFBFDC70] (6 bytes => 6 (0x6))
0000 - 53 54 4c 53 0d 0a STLS..
read from 08094700 [080A5000] (8192 bytes => 36 (0x24))
0000 - 2b 4f 4b 20 73 74 75 6e-6e 65 6c 20 73 74 61 72 +OK stunnel star
0010 - 74 69 6e 67 20 54 4c 53-20 6e 65 67 6f 74 69 61 ting TLS negotia
0020 - 74 69 6f 6e tion
write to 08094700 [080AC000] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00 ..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00 .............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40 b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00 ..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 3c fc ..............<.
0070 - 7a 39 c2 3a 4f 59 06 ae-aa ce f8 1c 23 b2 2c 04 z9.:OY......#.,.
0080 - 5b f4 33 a7 56 81 9a f0-88 b4 13 7b 3b 11 [.3.V......{;.
read from 08094700 [080B2000] (7 bytes => 2 (0x2))
0000 - 0d 0a ..
read from 08094700 [080B2002] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 4a ....J
13876:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:
I'd love any suggestions for places to look next!
Thanks,
g.
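An added illustration (not code from this post, from Scott's patch or from stunnel) of what the -debug trace above shows: the "+OK stunnel starting TLS negotiation" text arrives in one read, its CRLF in a separate 2-byte read, and only then the TLS record header (16 03 01 00 4a). A client that does a single read after STLS, as the trace suggests s_client does, is left with the CRLF as the first bytes of the "server hello", hence "unknown protocol"; a reader that consumes the whole CRLF-terminated line before handing the stream to the TLS layer does not trip over it. The chunk boundaries and the TLS record body are constructed to mirror the trace.

```python
# Constructed server-side chunks, in the order the trace shows them being read.
SERVER_CHUNKS = [
    b"+OK stunnel starting TLS negotiation",   # status text, no line ending yet
    b"\r\n",                                   # CRLF arrives in a separate write
    b"\x16\x03\x01\x00\x4a" + b"\x00" * 0x4a,  # TLS record header: Handshake, TLS 1.0, 74-byte body (body constructed)
]


class ChunkedStream:
    """Minimal stand-in for a socket: each recv() returns data from one server write only."""

    def __init__(self, chunks):
        self.chunks = [bytearray(c) for c in chunks]

    def recv(self, n):
        while self.chunks and not self.chunks[0]:
            self.chunks.pop(0)
        if not self.chunks:
            return b""
        out = bytes(self.chunks[0][:n])
        del self.chunks[0][:n]
        return out


def recv_line(stream):
    """Read exactly one CRLF-terminated line, byte by byte, so nothing after it is consumed."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        b = stream.recv(1)
        if not b:
            raise ConnectionError("connection closed before end of line")
        buf += b
    return bytes(buf)


def is_tls_handshake_record(data):
    """True if data starts with a TLS record header of type Handshake (0x16), version 3.x."""
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03


def starttls_single_read(stream):
    """One recv() after STLS; returns (status bytes, first bytes handed to the TLS layer)."""
    status = stream.recv(8192)
    return status, stream.recv(5)


def starttls_line_based(stream):
    """Consume the whole status line before handing the stream to the TLS layer."""
    status = recv_line(stream)
    return status, stream.recv(5)


if __name__ == "__main__":
    for reader in (starttls_single_read, starttls_line_based):
        status, first = reader(ChunkedStream(SERVER_CHUNKS))
        print(reader.__name__, status, first, "TLS record:", is_tls_handshake_record(first))
```

The same trace argues for the server side sending the status text and its CRLF in one write before starting the TLS handshake, so a single-read client never sees a split line.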