Henri,
> I want to restrict access to some inetd services (i.e. telnet/pop/imap) on
> one of my servers to some users over the Net.
Sounds like you would need a dedicated server or virtual directory.
> s_server continues the connection even when the client doesn't provide
> a certificate (good)
Why would you let the clients that do not provide a cert continue access?!?
> I used SSLeay tool CA.sh to build a private CA.
This will give you a CA public certificate.
> But got in server messages:
>
> "unable to get local issuer certificate"
Have you put the CA certificate into s_server's directory?
> Worse, it accepts all connections when the client provides
> a cert even when it is not in the certificates directory. (bad).
Have you configured s_server to require the client certificate?
usage: s_server [args ...]
-accept arg - port to accept on (default is 4433)
-verify arg - turn on peer certificate verification
>>>> -Verify arg - turn on peer certificate verification, must have a cert. <<<<<
-cert arg - certificate file to use, PEM format assumed (default is server.pem)
-key arg - RSA file to use, PEM format assumed, in cert file if not specified (default is server.pem)
-nbio - Run with non-blocking IO
-nbio_test - test with the non-blocking test bio
-debug - Print more output
-state - Print the SSL states
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-nocert - Don't use any certificates (Anon-DH)
-cipher arg - play with 'ssleay ciphers' to see what goes here
-quiet - No server output
-no_tmp_rsa - Do not generate a tmp RSA key
-ssl2 - Just talk SSLv2
-ssl3 - Just talk SSLv3
-tls1 - Just talk TLSv1
-no_ssl2 - Just disable SSLv2
-no_ssl3 - Just disable SSLv3
-no_tls1 - Just disable TLSv1
-bugs - Turn on SSL bug compatability
-www - Respond to a 'GET /' with a status page
-WWW - Returns requested page from to a 'GET <path> HTTP/1.0'
All the best,
Ulrich
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
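
Added example, not part of the original message or of the OpenSSL project's code: a shell script that runs s_server with the -verify and -Verify switches discussed above and tries three clients against each: no certificate, a self-signed certificate outside the CA, and a CA-signed certificate. It assumes a current `openssl` binary on the PATH; the CA, subject names, file names and ports are constructed for the demo, and `-verify_return_error` is a switch of current OpenSSL releases that does not appear in the usage listing quoted above.

```shell
#!/bin/sh
# Added example: throwaway CA, names and ports are constructed for the demo.
PORT=14433

make_pki() {  # $1 = empty work dir; leaves the shell inside it
  cd "$1" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem 2>/dev/null || return 1
  for n in server client; do   # certificates signed by the demo CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null &&
    openssl x509 -req -in "$n.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 2 -out "$n.pem" 2>/dev/null || return 1
  done
  # "rogue" is self-signed, so it does not chain to ca.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=rogue" \
    -keyout rogue.key -out rogue.pem 2>/dev/null
}

start_server() {  # "$@" = verification flags under test
  PORT=$((PORT + 1))
  openssl s_server -accept "$PORT" -www -cert server.pem -key server.key \
    -CAfile ca.pem "$@" >"server.$PORT.log" 2>&1 &
  SERVER_PID=$!
  sleep 1   # give the listener time to bind
}

try_client() {  # $1 = certificate base name or "none"; prints accepted/rejected
  if [ "$1" = none ]; then id=""; else id="-cert $1.pem -key $1.key"; fi
  if printf 'GET / HTTP/1.0\r\n\r\n' |
     openssl s_client -connect "127.0.0.1:$PORT" -quiet $id 2>/dev/null |
     grep -q '^HTTP/1.0 200'; then echo accepted; else echo rejected; fi
}

demo() {  # one result line per (server flags, client certificate) pair
  make_pki "$(mktemp -d)" || return 1
  for flags in "-verify 1" "-Verify 1" "-Verify 1 -verify_return_error"; do
    start_server $flags
    for c in none rogue client; do
      echo "$flags | $c: $(try_client "$c")"
    done
    kill "$SERVER_PID"; wait "$SERVER_PID" 2>/dev/null || true
  done
}

demo
```

With current OpenSSL, -Verify alone rejects the client that sends no certificate but still lets the self-signed one through, because s_server only logs the verification error; adding -verify_return_error closes the connection instead.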