Hey there!

        I've been working on setting up a certificate authenticated IMAP server
here over the past week, and I've been stymied.  I have openssl-0.9.2b
compiled with rsaref on a FreeBSD box, which I'm using as my CA.  I have
stunnel 3.0 and openssl-0.9.2b compiled on a Sun box running Solaris
2.6.  I have been creating certificates on the CA machine and copying
them over to the Sun which runs stunnel and forwards the connections on
993 to the imapd.  The problem is:  I can connect to stunnel just fine
with the openssl and the stunnel utilities in client mode, but whenever
I try to connect using Communicator, it gives me the following error on
the server, and communicator says that it was unable to connect:

LOG5[2851:26]: /usr/local/sbin/imapd.uw connected from 206.189.75.101:1121
LOG7[11190:1]: Child created
LOG3[2851:26]: SSL_accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
LOG7[2851:26]: /usr/local/sbin/imapd.uw finished (0 left)

        The weird thing is that it works just fine with the client modes of the
other things...  Does anybody know why this is the case?  I'm running
the stunnel server by hand right now with the following options:

stunnel -p /usr/local/ssl/certs/stunnel.pem -d imap:993 -v 1 -f -D 7 -l
/usr/local/sbin/imapd.uw -a /usr/local/ssl/certs/

        And as an example, the openssl client works just fine with the
following options:

/usr/local/ssl/bin/openssl s_client -connect imap:imaps -ssl3 (and tls1
and ssl2)

        I hope this isn't a FAQ...  I couldn't find anything that really fit
this except for one message that talked about nsCertType on the CA,
which I have set in the openssl.cnf file to:

nsCertType = client, email, objsign

        I probably don't need the objsign, but I just put it in there out of
desperation at one point and haven't taken it out.  The common name of
the certificate being used is set to imap.sendmail.com, a cname of the
actual server name, though I've generated certificates with its real A
record and had it do the same thing.  Anybody have any thoughts on what
this might be, or any thought of other info that I might be able to look
at which might shed some light upon this?  Any help would certainly be
appreciated...  Thanks, and have fun!

                -tspencer
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
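Added example (not part of the original message, and not stunnel or OpenSSL code): a small decoder for the packed OpenSSL error code that stunnel prints above. In the pre-3.0 OpenSSL error format, a code like 14094412 is lib:8 bits | function:12 bits | reason:12 bits, and inside libssl a reason of 1000+N means "the peer sent us TLS alert N". So "SSL3_READ_BYTES:sslv3 alert bad certificate" during SSL_accept is an alert the server *received* from the client, which is a different situation from the server rejecting the client's certificate (that would be reported from the certificate-verification function, not from SSL3_READ_BYTES). Worth keeping in mind when comparing against s_client: without -cert, s_client never sends a client certificate, and it does not abort on verification errors, so a working s_client session proves little about either side's certificate checks. The log lines in the script are constructed (the first is the one from the post, unwrapped; the second is a contrasting locally-generated error with a well-known code), and SAMPLE_LOG, decode_openssl_error, parse_stunnel_log and explain are names chosen here.

```python
import re

# TLS / SSLv3 AlertDescription values (SSLv3 spec, RFC 2246, RFC 5246).
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}

# OpenSSL ERR_LIB_* numbers relevant to a handshake log (others reported as unknown).
ERR_LIBS = {11: "X509", 20: "SSL"}

# libssl reason codes >= 1000 are SSL_AD_REASON_OFFSET + the alert number the peer sent.
SSL_AD_REASON_OFFSET = 1000


def decode_openssl_error(code):
    """Unpack a legacy (pre-3.0) OpenSSL error code: lib:8 | func:12 | reason:12 bits."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    info = {
        "lib": lib,
        "lib_name": ERR_LIBS.get(lib, "unknown"),
        "func": func,
        "reason": reason,
        "alert": None,
        "received_from_peer": False,
    }
    if info["lib_name"] == "SSL" and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info["alert"] = alert
        info["alert_name"] = TLS_ALERT_DESCRIPTIONS.get(alert, "unknown")
        info["received_from_peer"] = True
    return info


# Matches the error:<hex>:<library>:<function>:<reason text> part of a stunnel/OpenSSL log line.
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def parse_stunnel_log(lines):
    """Return one decoded record per log line that carries an OpenSSL error code."""
    results = []
    for line in lines:
        m = OPENSSL_ERR_RE.search(line)
        if not m:
            continue
        info = decode_openssl_error(int(m.group(1), 16))
        # The library and function names come from the log text itself, so they are
        # correct for whatever OpenSSL build produced the line.
        info.update({
            "code": m.group(1),
            "library": m.group(2),
            "function": m.group(3),
            "message": m.group(4).strip(),
        })
        results.append(info)
    return results


def explain(info):
    """One-line diagnosis: was this alert sent by the peer, or raised locally?"""
    if info["received_from_peer"]:
        return (f"{info['function']}: peer sent TLS alert {info['alert']} "
                f"({info['alert_name']}); the remote side rejected a certificate it "
                f"received from us, so look at the client's view of our certificate")
    return f"{info['function']}: local failure, {info['message']}"


# Constructed sample: line 1 is the post's log line unwrapped; line 2 is a contrasting
# locally-raised error (server got no client certificate), not from the original post.
SAMPLE_LOG = [
    "LOG3[2851:26]: SSL_accept: error:14094412:SSL routines:SSL3_READ_BYTES:"
    "sslv3 alert bad certificate",
    "LOG3[2851:27]: SSL_accept: error:140890B2:SSL routines:"
    "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned",
]

if __name__ == "__main__":
    for rec in parse_stunnel_log(SAMPLE_LOG):
        print(rec["code"], "->", explain(rec))
```

Run stand-alone it prints one diagnosis per error line; for the post's line it reports alert 42 (bad_certificate) received from the peer, for the contrasting line a local "no certificate returned" failure.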
