Henri,

> I want to restrict access to some inetd services (ie
> telnet/pop/imap) on one of my servers to some users over the Net.

Sounds like you would need a dedicated server or virtual directory.

> s_server continues the connection even when the client doesn't provide
> a certificate (good)

Why would you let the clients that do not provide a cert 
continue access?!?

> I used SSLeay tool CA.sh to build a private CA.

This will give you a CA public certificate.
 
> But got in server messages: 
> 
> "unable to get local issuer certificate"

Have you put the CA certificate into s_server's directory?
 
> Worse, it accepts all connections when the client provides
> a cert even when it is not in the certificates directory. (bad)

Have you configured s_server to require the client certificate?

usage: s_server [args ...]

 -accept arg   - port to accept on (default is 4433)
 -verify arg   - turn on peer certificate verification
>>>> -Verify arg   - turn on peer certificate verification, must have
a cert. <<<<<
 -cert arg     - certificate file to use, PEM format assumed
                 (default is server.pem)
 -key arg      - RSA file to use, PEM format assumed, in cert file if
                 not specified (default is server.pem)
 -nbio         - Run with non-blocking IO
 -nbio_test    - test with the non-blocking test bio
 -debug        - Print more output
 -state        - Print the SSL states
 -CApath arg   - PEM format directory of CA's
 -CAfile arg   - PEM format file of CA's
 -nocert       - Don't use any certificates (Anon-DH)
 -cipher arg   - play with 'ssleay ciphers' to see what goes here
 -quiet        - No server output
 -no_tmp_rsa   - Do not generate a tmp RSA key
 -ssl2         - Just talk SSLv2
 -ssl3         - Just talk SSLv3
 -tls1         - Just talk TLSv1
 -no_ssl2      - Just disable SSLv2
 -no_ssl3      - Just disable SSLv3
 -no_tls1      - Just disable TLSv1
 -bugs         - Turn on SSL bug compatability
 -www          - Respond to a 'GET /' with a status page
 -WWW          - Returns requested page from to a 'GET <path> HTTP/1.0'

All the best,

Ulrich


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
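The difference between `-verify` and `-Verify` that the usage text above hints at, and the reason a rejected client certificate can still get through, is easiest to see by running s_server both ways against a throwaway CA. The script below is an added example, not code from the thread or from the OpenSSL project. It assumes a modern `openssl` binary (1.1.1 or 3.x) on PATH, uses the default port 4433 (override with `PORT`), creates all keys and certificates in a temporary directory, and relies on `-verify_return_error`, an s_server option that exists in current OpenSSL but not in the SSLeay-era usage listing quoted above. The `-www` status page is used as the proof of acceptance: if "HTTP/1.0 200" comes back, the handshake completed and application data flowed.

```shell
#!/bin/sh
# Added example (not from the original thread or the OpenSSL project):
# exercise openssl s_server's -verify (client cert optional) and -Verify
# (client cert mandatory) modes against a throwaway CA, and show that
# -verify_return_error is also needed before a cert from the wrong CA is
# actually refused. Assumes a modern openssl on PATH. Port, work directory
# and certificate names are constructed here.

PORT="${PORT:-4433}"
WORK=""
SRV_PID=""

make_certs() {
    # Throwaway CA, a server cert and a client cert it issued, plus a
    # self-signed "rogue" client cert that no trusted CA issued.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
            -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$name.pem" 2>/dev/null
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

start_server() {
    # $1: verification flags, e.g. "-verify 1" or "-Verify 1 -verify_return_error".
    # -www answers "GET /" with a status page, so a served page proves the
    # handshake completed and application data was exchanged.
    # shellcheck disable=SC2086
    openssl s_server -accept "$PORT" -cert "$WORK/server.pem" -key "$WORK/server.key" \
        -CAfile "$WORK/ca.pem" -www $1 >"$WORK/server.log" 2>&1 &
    SRV_PID=$!
    i=0
    while ! grep -q ACCEPT "$WORK/server.log" 2>/dev/null; do   # s_server prints ACCEPT once listening
        i=$((i + 1))
        [ "$i" -lt 25 ] || return 1
        sleep 0.2 2>/dev/null || sleep 1
    done
}

stop_server() {
    kill "$SRV_PID" 2>/dev/null || true
    wait "$SRV_PID" 2>/dev/null || true
}

probe() {
    # $1: server verification flags; $2: client cert basename, or "" for none.
    # Prints "served" if the status page came back, "rejected" otherwise.
    start_server "$1" || { echo "no-server"; return; }
    certargs=""
    [ -n "$2" ] && certargs="-cert $WORK/$2.pem -key $WORK/$2.key"
    # shellcheck disable=SC2086
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
        -CAfile "$WORK/ca.pem" -quiet -ign_eof $certargs 2>/dev/null || true)
    stop_server
    case "$out" in
        *"HTTP/1.0 200"*) echo "served" ;;
        *) echo "rejected" ;;
    esac
}

run_demo() {
    # One line per scenario. The third line is the surprise from the thread:
    # without -verify_return_error s_server logs the verify error but still
    # lets a cert from an untrusted CA through.
    command -v openssl >/dev/null 2>&1 || { echo "SKIP"; return; }
    WORK=$(mktemp -d)
    make_certs
    printf 'verify,no-cert=%s\n'              "$(probe '-verify 1' '')"
    printf 'Verify,no-cert=%s\n'              "$(probe '-Verify 1' '')"
    printf 'Verify,rogue=%s\n'                "$(probe '-Verify 1' rogue)"
    printf 'Verify+return_error,rogue=%s\n'   "$(probe '-Verify 1 -verify_return_error' rogue)"
    printf 'Verify+return_error,client=%s\n'  "$(probe '-Verify 1 -verify_return_error' client)"
    rm -rf "$WORK"
}

run_demo
```

Expected output is `verify,no-cert=served`, `Verify,no-cert=rejected`, `Verify,rogue=served`, `Verify+return_error,rogue=rejected` and `Verify+return_error,client=served`. The combination to deploy for the original question is therefore `-Verify` (so a missing certificate aborts the handshake) together with `-verify_return_error` (so a certificate that fails chain validation against `-CAfile`/`-CApath` aborts it too); `-verify` alone only asks for a certificate and accepts the connection whether or not one arrives.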
