[stunnel-users] Version 4.26 and using to secure IMAPS & POP3
Algol Tradent
tradent at yahoo.com
Mon Oct 20 06:17:29 CEST 2008
Hello,
I think your problem is on your config file for the server. On your config file you have the following option
# Authentication stuff
verify = 3
You probably don't want this option set, because you are asking the client and the server to authenticate each other based on certificates, which I don't think is the case here.
On your log file there is this line which is a good indicator of your problem.
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
I hope this helps.
--- On Sun, 10/19/08, Editor (Kevin) <editor at cellmail.com> wrote:
From: Editor (Kevin) <editor at cellmail.com>
Subject: [stunnel-users] Version 4.26 and using to secure IMAPS & POP3
To: stunnel-users at mirt.net
Date: Sunday, October 19, 2008, 8:21 AM
Hi:
I upgraded to the current 4.26 as I was having an issue with 4.15. The idea is
to secure IMAP traffic as well as inbound SMTP. The email client is the latest
Thunderbird and seems to be very stable. The mail Host is a Sun E-250 with
current patches for Solaris 9.
Note: I am using a public certificate and as it is from "godaddy.com", it is this
unusual two part certificate. This may be where the problem is as I had to
combine the two public certificate files together (maybe the next version of
STUNNEL could do this automatically so the risk of errors is reduced!).
However, using STUNNEL, I am having an issue connecting as I get a strange error
message and the connection dies.
Error Log:
2008.10.19 13:10:41 LOG7[2104:1]: imaps accepted FD=0 from 80.38.96.194:4129
2008.10.19 13:10:41 LOG7[2104:3]: imaps started
2008.10.19 13:10:41 LOG7[2104:3]: FD 0 in non-blocking mode
2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:41 LOG7[2104:3]: TCP_NODELAY option set on local socket
2008.10.19 13:10:41 LOG7[2104:3]: Waiting for a libwrap process
2008.10.19 13:10:41 LOG7[2104:3]: Acquired libwrap process #0
2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:41 LOG7[2104:3]: Releasing libwrap process #0
2008.10.19 13:10:41 LOG7[2104:3]: Released libwrap process #0
2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:41 LOG7[2104:3]: imaps permitted by libwrap from 80.38.96.194:4129
2008.10.19 13:10:41 LOG5[2104:3]: imaps accepted connection from 80.38.96.194:4129
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): before/accept initialization
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 read client hello A
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write server hello A
2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write certificate A
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write certificate request A
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 flush data
2008.10.19 13:10:42 LOG7[2104:3]: SSL alert (read): warning: no certificate
2008.10.19 13:10:42 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:42 LOG7[2104:3]: SSL alert (write): fatal: handshake failure
2008.10.19 13:10:42 LOG3[2104:3]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2008.10.19 13:10:42 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:42 LOG5[2104:3]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.10.19 13:10:42 LOG7[2104:1]: Cleaning up the signal pipe
2008.10.19 13:10:42 LOG7[2104:3]: imaps finished (0 left)
See the weird no client peer handshake????
The configuration file:
# more /usr/local/etc/stunnel/stunnel.conf
# stunnel configuration file
# Use to provide ssl protection for https, pop3 and imap
#
# Setting up the root jail
chroot = /usr/local/var/stunnel
#
# The PID is created inside chroot jail
pid = /stunnel.pid
setuid = nobody
setgid = nogroup
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
# Authentication stuff
verify = 3
# Certificates to use
#
cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/_.cellmail.com.crt
# SSLCertificateChainFile = /usr/local/etc/stunnel/gd_intermediate_bundle.crt
# Some debugging stuff
debug = 7
output = /var/log/stunnel.log
# Use it for client mode
#client = yes
# Service-level configuration
[pop3s]
accept = 199.4.110.39:995
connect = 110
[imaps]
accept = 199.4.110.39:993
connect = 143
[ssmtp]
accept = 199.4.110.39:465
connect = frog.cellmail.com:25
# TIMEOUTclose = 0
The startup log:
2008.10.19 13:02:50 LOG7[2077:1]: Snagged 64 random bytes from /export/home/kgreene/.rnd
2008.10.19 13:02:50 LOG7[2077:1]: Wrote 1024 new random bytes to /export/home/kgreene/.rnd
2008.10.19 13:02:50 LOG7[2077:1]: RAND_status claims sufficient entropy for the PRNG
2008.10.19 13:02:50 LOG7[2077:1]: PRNG seeded successfully
2008.10.19 13:02:50 LOG7[2077:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Certificate loaded
2008.10.19 13:02:50 LOG7[2077:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Private key loaded
2008.10.19 13:02:50 LOG7[2077:1]: Loaded verify certificates from /usr/local/etc/stunnel/_.cellmail.com.crt
2008.10.19 13:02:50 LOG7[2077:1]: Loaded /usr/local/etc/stunnel/_.cellmail.com.crt revocation lookup file
2008.10.19 13:02:50 LOG7[2077:1]: SSL context initialized for service pop3s
2008.10.19 13:02:50 LOG7[2077:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Certificate loaded
2008.10.19 13:02:50 LOG7[2077:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Private key loaded
2008.10.19 13:02:50 LOG7[2077:1]: Loaded verify certificates from /usr/local/etc/stunnel/_.cellmail.com.crt
2008.10.19 13:02:50 LOG7[2077:1]: Loaded /usr/local/etc/stunnel/_.cellmail.com.crt revocation lookup file
2008.10.19 13:02:50 LOG7[2077:1]: SSL context initialized for service imaps
2008.10.19 13:02:50 LOG7[2077:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Certificate loaded
2008.10.19 13:02:50 LOG7[2077:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2008.10.19 13:02:50 LOG7[2077:1]: Private key loaded
2008.10.19 13:02:50 LOG7[2077:1]: Loaded verify certificates from /usr/local/etc/stunnel/_.cellmail.com.crt
2008.10.19 13:02:50 LOG7[2077:1]: Loaded /usr/local/etc/stunnel/_.cellmail.com.crt revocation lookup file
2008.10.19 13:02:50 LOG7[2077:1]: SSL context initialized for service ssmtp
2008.10.19 13:02:50 LOG5[2077:1]: stunnel 4.26 on sparc-sun-solaris2.9 with OpenSSL 0.9.8h 28 May 2008
2008.10.19 13:02:50 LOG5[2077:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.10.19 13:02:50 LOG6[2077:1]: file ulimit = 256 (can be changed with 'ulimit -n')
2008.10.19 13:02:50 LOG6[2077:1]: poll() used - no FD_SETSIZE limit for file descriptors
2008.10.19 13:02:50 LOG5[2077:1]: 125 clients allowed
2008.10.19 13:02:50 LOG7[2077:1]: FD 11 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: FD 12 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: FD 13 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: SO_REUSEADDR option set on accept socket
2008.10.19 13:02:50 LOG7[2077:1]: pop3s bound to 199.4.110.39:995
2008.10.19 13:02:50 LOG7[2077:1]: FD 14 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: SO_REUSEADDR option set on accept socket
2008.10.19 13:02:50 LOG7[2077:1]: imaps bound to 199.4.110.39:993
2008.10.19 13:02:50 LOG7[2077:1]: FD 15 in non-blocking mode
2008.10.19 13:02:50 LOG7[2077:1]: SO_REUSEADDR option set on accept socket
2008.10.19 13:02:50 LOG7[2077:1]: ssmtp bound to 199.4.110.39:465
2008.10.19 13:02:50 LOG7[2083:1]: Created pid file /stunnel.pid
2008.10.19 13:02:50 LOG7[2083:1]: Cleaning up the signal pipe
_______________________________________________
stunnel-users mailing list
stunnel-users at mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
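The diagnosis above, turned into a small checker as an added example (not code from the thread or from the stunnel project): it reads an stunnel.conf, decides whether the effective `verify` level forces the client to present a certificate, and matches the debug log for the three-line signature (certificate request, "no certificate" alert, SSL3_GET_CLIENT_CERTIFICATE error) that appears when a mail client such as Thunderbird has none to offer. The config and log lines are constructed to mirror the ones quoted above; the assumed stunnel syntax is `#`/`;` comment lines, `[service]` sections and global options acting as per-service defaults.

```python
"""Added example (not from the thread): read an stunnel.conf and its debug
log and show why 'verify = 3' rejects ordinary mail clients."""

# Constructed config excerpt modelled on the one quoted in the thread.
SAMPLE_CONF = """\
# Authentication stuff
verify = 3
[imaps]
accept = 199.4.110.39:993
connect = 143
"""

# Constructed log lines reproducing the failure signature from the thread.
SAMPLE_LOG = """\
2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write certificate request A
2008.10.19 13:10:42 LOG7[2104:3]: SSL alert (read): warning: no certificate
2008.10.19 13:10:42 LOG3[2104:3]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
"""

def parse_conf(text):
    """Return {section: {key: value}}; global options live under ''."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # comment or blank line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # new [service] section
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value
    return conf

def client_cert_required(conf, service):
    """Levels 2 and 3 demand a peer certificate; 1 checks one only if sent,
    0 checks none. A service inherits the global 'verify' unless it sets its own."""
    level = conf.get(service, {}).get("verify", conf[""].get("verify", "0"))
    return int(level) >= 2

# Order of events logged when a cert-less client meets verify >= 2.
HANDSHAKE_SIGNATURE = ("write certificate request",
                       "warning: no certificate",
                       "peer did not return a certificate")

def explains_failure(conf, service, log):
    """True when the config demands a client cert and the log shows the server asking, the client declining, and the handshake dying."""
    hits = [any(s in line for line in log.splitlines()) for s in HANDSHAKE_SIGNATURE]
    return client_cert_required(conf, service) and all(hits)
```

Dropping `verify = 3` (or lowering it to 1) makes `client_cert_required` return False for `imaps`, which is the change the reply recommends.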