Why do you use stunnel in this way?
Why don't you put it in the inetd configuration file?

Tim Spencer wrote:
>
> Hey there!
>
> I've been working on setting up a certificate authenticated IMAP server
> here over the past week, and I've been stymied. I have openssl-0.9.2b
> compiled with rsaref on a FreeBSD box, which I'm using as my CA. I have
> stunnel 3.0 and openssl-0.9.2b compiled on a Sun box running Solaris
> 2.6. I have been creating certificates on the CA machine and copying
> them over to the Sun which runs stunnel and forwards the connections on
> 993 to the imapd. The problem is: I can connect to stunnel just fine
> with the openssl and the stunnel utilities in client mode, but whenever
> I try to connect using Communicator, it gives me the following error on
> the server, and Communicator says that it was unable to connect:
>
> LOG5[2851:26]: /usr/local/sbin/imapd.uw connected from 206.189.75.101:1121
> LOG7[11190:1]: Child created
> LOG3[2851:26]: SSL_accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> LOG7[2851:26]: /usr/local/sbin/imapd.uw finished (0 left)
>
> The weird thing is that it works just fine with the client modes of the
> other things... Does anybody know why this is the case? I'm running
> the stunnel server by hand right now with the following options:
>
> stunnel -p /usr/local/ssl/certs/stunnel.pem -d imap:993 -v 1 -f -D 7 -l /usr/local/sbin/imapd.uw -a /usr/local/ssl/certs/
>
> And as an example, the openssl client works just fine with the
> following options:
>
> /usr/local/ssl/bin/openssl s_client -connect imap:imaps -ssl3 (and tls1
> and ssl2)
>
> I hope this isn't a FAQ... I couldn't find anything that really fit
> this except for one message that talked about nsCertType on the CA,
> which I have set in the openssl.cnf file to:
>
> nsCertType = client, email, objsign
>
> I probably don't need the objsign, but I just put it in there out of
> desperation at one point and haven't taken it out. The common name of
> the certificate being used is set to imap.sendmail.com, a cname of the
> actual server name, though I've generated certificates with its real A
> record and had it do the same thing. Anybody have any thoughts on what
> this might be, or any thought of other info that I might be able to look
> at which might shed some light upon this? Any help would certainly be
> appreciated... Thanks, and have fun!
>
> -tspencer
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
[EMAIL PROTECTED] Dept. Informatica, Fac. Ciencias,
|\ | |\ | Tel: +351 1 7500127 Univ. Lisboa, Bloco C5, Campo Grande
| \|uno | \|eves Fax: +351 1 7500084 1700 Lisboa, Portugal
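
An added example, not part of either message: unpacking the error code from the stunnel log line quoted above to see which side raised the failure. It assumes the packed error layout of OpenSSL releases before 3.0 (library, function, reason); `decode_openssl_error` is a hypothetical helper name, and the alert table is a subset.

```python
import re

# Packed error layout used by OpenSSL releases before 3.0 (assumed here):
#   bits 24-31 library, bits 12-23 function, bits 0-11 reason.
ERR_LIB_SSL = 0x14
ALERT_REASON_OFFSET = 1000  # SSL reasons >= 1000 mean "alert received from peer"

# Subset of SSL/TLS alert descriptions that concern certificates.
ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(log_line):
    """Return a dict describing the packed error code in a log line, or None."""
    match = ERROR_RE.search(log_line)
    if match is None:
        return None
    code = int(match.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason,
              "peer_alert": None, "sent_by": None}
    if lib == ERR_LIB_SSL and reason >= ALERT_REASON_OFFSET:
        number = reason - ALERT_REASON_OFFSET
        result["peer_alert"] = ALERTS.get(number, "alert_%d" % number)
        # The local side only read the alert; the remote peer raised it.
        result["sent_by"] = "peer"
    return result


# The stunnel log line from the post, with the mail line wrap rejoined.
SAMPLE = ("LOG3[2851:26]: SSL_accept: error:14094412:SSL "
          "routines:SSL3_READ_BYTES:sslv3 alert bad certificate")

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```

For the logged line this yields alert 42 (bad_certificate) read by the server during SSL_accept, which means the connecting client rejected the certificate that stunnel presented.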