Hi,

I'm wondering if anyone can shed any light on a problem I'm having with 
Outlook Express?  Apologies for posting a load of debug output to the 
list, but I didn't really know what was safe to omit.

I'm trying to set up secure IMAP, using stunnel (stage 2 is to go for 
secure SMTP as well, with postfix/TLS).

I've created my own CA, signed a client certificate and a server 
certificate.  I've imported the CA, and client certificate (via 'openssl 
pkcs12') into IE.  If I use IE to go to https://mail.brain:993/, it will 
successfully connect (prompting me to select the client certificate), 
and I can sniff network traffic on the redirected connection (of course, 
imapd doesn't speak http very clearly, but there is definitely some 
plain-text confusion going on ;-).

I'm running stunnel like this:

stunnel -v 2 -D 7 -f -A /home/tim/CAs_file_for_stunnel.pem -p /home/tim/server_cert3_pub_priv.pem -d simap -r imap2 simap

i.e. redirect to local imap port, listen on simap port (993), and insist 
on client certificate authentication.

In Outlook 2000, and Outlook Express 5 (under Win98, with all Windows 
Updates, and Office 2000 updates applied), it will refuse to connect.  
The Outlook Express "diagnostics" say:

"Configuration:
  Account: mail.brain
  Server: mail.brain
  User name: tim
  Protocol: IMAP
  Port: 993
  Secure(SSL): 1
  Code: 800ccc1a
"

And Stunnel says:

LOG7[1806:92162]: simap started
LOG5[1806:92162]: simap connected from 10.0.0.168:1366
LOG7[1806:92162]: simap connecting 127.0.0.1:143
LOG7[1806:92162]: Remote host connected
LOG7[1806:92162]: before/accept initialization
LOG7[1806:92162]: before/accept initialization
LOG7[1806:92162]: SSLv2/v3 read client hello A
LOG3[1806:92162]: SSL_accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
LOG7[1806:92162]: simap finished (0 left)
LOG7[1807:93186]: simap started
LOG5[1807:93186]: simap connected from 10.0.0.168:1367
LOG7[1807:93186]: simap connecting 127.0.0.1:143
LOG7[1807:93186]: Remote host connected
LOG7[1807:93186]: before/accept initialization
LOG7[1807:93186]: before/accept initialization
LOG7[1807:93186]: SSLv3 read client hello A
LOG7[1807:93186]: SSLv3 write server hello A
LOG7[1807:93186]: SSLv3 write certificate A
LOG7[1807:93186]: SSLv3 write certificate request A
LOG7[1807:93186]: SSLv3 flush data
LOG7[1807:93186]: SSLv3 read client certificate A
LOG7[1807:93186]: SSLv3 read client certificate B
LOG7[1807:93186]: SSLv3 read client certificate B
LOG7[1807:93186]: SSLv3 read client certificate B
LOG3[1807:93186]: SSL_accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
LOG7[1807:93186]: simap finished (0 left)

If I run Netscape Communicator 4.75 on the same Windows box, everything 
is fine:

LOG7[2366:1026]: simap started
LOG5[2366:1026]: simap connected from 10.0.0.168:1596
LOG7[2366:1026]: simap connecting 127.0.0.1:143
LOG7[2366:1026]: Remote host connected
LOG7[2366:1026]: before/accept initialization
LOG7[2366:1026]: before/accept initialization
LOG7[2366:1026]: SSLv3 read client hello A
LOG7[2366:1026]: SSLv3 write server hello A
LOG7[2366:1026]: SSLv3 write certificate A
LOG7[2366:1026]: SSLv3 write certificate request A
LOG7[2366:1026]: SSLv3 flush data
LOG5[2366:1026]: VERIFY OK: depth=1: /C=UK/ST=East Sussex/L=Brighton/O=Digitalbrain.com Ltd./OU=Internet Systems/CN=Digitalbrain Certificate Authority (Intranet)[EMAIL PROTECTED]
LOG5[2366:1026]: VERIFY OK: depth=0: /C=UK/ST=East Sussex/L=Brighton/O=Digitalbrain.com Ltd./OU=Internet [EMAIL PROTECTED]
LOG7[2366:1026]: SSLv3 read client certificate A
LOG7[2366:1026]: SSLv3 read client key exchange A
LOG7[2366:1026]: SSLv3 read certificate verify A
LOG7[2366:1026]: SSLv3 read finished A
LOG7[2366:1026]: SSLv3 write change cipher spec A
LOG7[2366:1026]: SSLv3 write finished A
LOG7[2366:1026]: SSLv3 flush data
LOG7[2366:1026]: SSL negotiation finished successfully
LOG7[2366:1026]:    1 items in the session cache
LOG7[2366:1026]:    0 client connects (SSL_connect())
LOG7[2366:1026]:    0 client connects that finished
LOG7[2366:1026]:    0 client renegotiatations requested
LOG7[2366:1026]:    1 server connects (SSL_accept())
LOG7[2366:1026]:    1 server connects that finished
LOG7[2366:1026]:    0 server renegotiatiations requested
LOG7[2366:1026]:    0 session cache hits
LOG7[2366:1026]:    0 session cache misses
LOG7[2366:1026]:    0 session cache timeouts
LOG7[2366:1026]: SSL negotiation finished successfully
LOG6[2366:1026]: simap opened with SSLv3, cipher RC4-MD5 (128 bits)
LOG7[2366:1026]: Socket closed on read
LOG5[2366:1026]: Connection closed: 74407 bytes sent to SSL, 523 bytes sent to socket
LOG7[2366:1026]: simap finished (0 left)
Here is what https://mail.brain:993/  does:

LOG7[2456:3074]: simap started
LOG5[2456:3074]: simap connected from 10.0.0.168:1621
LOG7[2456:3074]: simap connecting 127.0.0.1:143
LOG7[2456:3074]: Remote host connected
LOG7[2456:3074]: before/accept initialization
LOG7[2456:3074]: before/accept initialization
LOG7[2456:3074]: SSLv3 read client hello A
LOG7[2456:3074]: SSLv3 write server hello A
LOG7[2456:3074]: SSLv3 write certificate A
LOG7[2456:3074]: SSLv3 write certificate request A
LOG7[2456:3074]: SSLv3 flush data
LOG5[2456:3074]: VERIFY OK: depth=1: /C=UK/ST=East Sussex/L=Brighton/O=Digitalbrain.com Ltd./OU=Internet Systems/CN=Digitalbrain Certificate Authority (Intranet)[EMAIL PROTECTED]
LOG5[2456:3074]: VERIFY OK: depth=0: /C=UK/ST=East Sussex/L=Brighton/O=Digitalbrain.com Ltd./OU=Internet Systems/CN=Timothy Small Email Test Cert [EMAIL PROTECTED]
LOG7[2456:3074]: SSLv3 read client certificate A
LOG7[2456:3074]: SSLv3 read client key exchange A
LOG7[2456:3074]: SSLv3 read certificate verify A
LOG7[2456:3074]: SSLv3 read finished A
LOG7[2456:3074]: SSLv3 write change cipher spec A
LOG7[2456:3074]: SSLv3 write finished A
LOG7[2456:3074]: SSLv3 flush data
LOG7[2456:3074]: SSL negotiation finished successfully
LOG7[2456:3074]:    2 items in the session cache
LOG7[2456:3074]:    0 client connects (SSL_connect())
LOG7[2456:3074]:    0 client connects that finished
LOG7[2456:3074]:    0 client renegotiatations requested
LOG7[2456:3074]:    3 server connects (SSL_accept())
LOG7[2456:3074]:    2 server connects that finished
LOG7[2456:3074]:    0 server renegotiatiations requested
LOG7[2456:3074]:    0 session cache hits
LOG7[2456:3074]:    0 session cache misses
LOG7[2456:3074]:    0 session cache timeouts
LOG7[2456:3074]: SSL negotiation finished successfully
LOG6[2456:3074]: simap opened with TLSv1, cipher RC4-MD5 (128 bits)
LOG7[2456:3074]: SSL closed on read
LOG5[2456:3074]: Connection closed: 704 bytes sent to SSL, 250 bytes sent to socket
LOG7[2456:3074]: simap finished (0 left)

OK, at this point, I decide that something is clearly up with the client 
certificate - If I run stunnel without '-v 2' (no peer certificate 
verification), then everything works fine.  So, I get one of those free 
Verisign email certificates, install the relevant Verisign root CA, and 
intermediate certificate in the stunnel CA file, and try it again.  
Exactly the same behaviour - IE, stunnel (in client mode), netscape 4.75 
are happy - Outlook* won't offer up the client certificate!  Here's the 
output from IE, using the Verisign cert:

LOG7[2694:2050]: simap started
LOG5[2694:2050]: simap connected from 10.0.0.168:1624
LOG7[2694:2050]: simap connecting 127.0.0.1:143
LOG7[2694:2050]: Remote host connected
LOG7[2694:2050]: before/accept initialization
LOG7[2694:2050]: before/accept initialization
LOG7[2694:2050]: SSLv3 read client hello A
LOG7[2694:2050]: SSLv3 write server hello A
LOG7[2694:2050]: SSLv3 write certificate A
LOG7[2694:2050]: SSLv3 write certificate request A
LOG7[2694:2050]: SSLv3 flush data
LOG5[2694:2050]: VERIFY OK: depth=2: /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
LOG5[2694:2050]: VERIFY OK: depth=1: /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
LOG5[2694:2050]: VERIFY OK: depth=0: /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft/CN=Timothy J [EMAIL PROTECTED]
LOG7[2694:2050]: SSLv3 read client certificate A
LOG7[2694:2050]: SSLv3 read client key exchange A
LOG7[2694:2050]: SSLv3 read certificate verify A
LOG7[2694:2050]: SSLv3 read finished A
LOG7[2694:2050]: SSLv3 write change cipher spec A
LOG7[2694:2050]: SSLv3 write finished A
LOG7[2694:2050]: SSLv3 flush data
LOG7[2694:2050]: SSL negotiation finished successfully
LOG7[2694:2050]:    1 items in the session cache
LOG7[2694:2050]:    0 client connects (SSL_connect())
LOG7[2694:2050]:    0 client connects that finished
LOG7[2694:2050]:    0 client renegotiatations requested
LOG7[2694:2050]:    2 server connects (SSL_accept())
LOG7[2694:2050]:    1 server connects that finished
LOG7[2694:2050]:    0 server renegotiatiations requested
LOG7[2694:2050]:    0 session cache hits
LOG7[2694:2050]:    0 session cache misses
LOG7[2694:2050]:    0 session cache timeouts
LOG7[2694:2050]: SSL negotiation finished successfully
LOG6[2694:2050]: simap opened with TLSv1, cipher RC4-MD5 (128 bits)
LOG7[2694:2050]: SSL closed on read
LOG5[2694:2050]: Connection closed: 704 bytes sent to SSL, 250 bytes sent to socket
LOG7[2694:2050]: simap finished (0 left)


Can anyone help before I tear all of my hair out? ;-)  I've ended up 
with the following non-standard options, but otherwise haven't changed the 
Defaults from openssl 0.9.6:

Server Key:

organizationalUnitName_default    = Server IMAP
nsCertType            = server

Client Key:

nsCertType = client, email


Here is the stunnel debug output, with Outlook Express 5, and no client 
certificate enforcement turned on in stunnel (-v 0):

LOG7[2879:2050]: simap started
LOG5[2879:2050]: simap connected from 10.0.0.168:1627
LOG7[2879:2050]: simap connecting 127.0.0.1:143
LOG7[2879:2050]: Remote host connected
LOG7[2879:2050]: before/accept initialization
LOG7[2879:2050]: before/accept initialization
LOG7[2879:2050]: SSLv3 read client hello A
LOG7[2879:2050]: SSLv3 write server hello A
LOG7[2879:2050]: SSLv3 write certificate A
LOG7[2879:2050]: SSLv3 write server done A
LOG7[2879:2050]: SSLv3 flush data
LOG7[2879:2050]: SSLv3 read client key exchange A
LOG7[2879:2050]: SSLv3 read finished A
LOG7[2879:2050]: SSLv3 write change cipher spec A
LOG7[2879:2050]: SSLv3 write finished A
LOG7[2879:2050]: SSLv3 flush data
LOG7[2879:2050]: SSL negotiation finished successfully
LOG7[2879:2050]:    2 items in the session cache
LOG7[2879:2050]:    0 client connects (SSL_connect())
LOG7[2879:2050]:    0 client connects that finished
LOG7[2879:2050]:    0 client renegotiatations requested
LOG7[2879:2050]:    2 server connects (SSL_accept())
LOG7[2879:2050]:    2 server connects that finished
LOG7[2879:2050]:    0 server renegotiatiations requested
LOG7[2879:2050]:    0 session cache hits
LOG7[2879:2050]:    0 session cache misses
LOG7[2879:2050]:    0 session cache timeouts
LOG7[2879:2050]: SSL negotiation finished successfully
LOG6[2879:2050]: simap opened with TLSv1, cipher RC4-MD5 (128 bits)
LOG7[2879:2050]: Socket closed on read
LOG5[2879:2050]: Connection closed: 2005 bytes sent to SSL, 853 bytes sent to socket
LOG7[2879:2050]: simap finished (0 left)

Is there some missing magic that I need to add to my CA, or server 
certificates?  Any ideas at all would be gratefully received - this 
thing is driving me mental! ;-)


Cheers,

Tim.
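
The traces above differ in one handshake step, and a small script makes that difference mechanical. The following is an added example (not code from the original post or from stunnel): it groups stunnel debug lines by their [pid:tid] tag and reduces each connection to a verdict, separating "unknown protocol" (the client did not send an SSL/TLS hello at all), "peer did not return a certificate" (stunnel sent a certificate request under -v 2 and the client answered with an empty one), a verified client certificate (a VERIFY OK depth=0 line following the request), and a handshake that completed without any request (stunnel run with -v 0). The sample log embedded in the script is copied from the post with wrapped lines re-joined and the subject DNs shortened, so it is constructed rather than a real capture; the log format regex assumes the LOG<level>[<pid>:<tid>]: layout shown above.

```python
"""Classify stunnel (3.x / OpenSSL 0.9.6-era) handshake traces per connection.

Added example, not part of the original post.  SAMPLE_LOG is copied from the
post with wrapped lines re-joined and DNs shortened (constructed sample).
"""
import re
from collections import OrderedDict

# LOG<level>[<pid>:<tid>]: <message>   (layout assumed from the post's output)
LINE_RE = re.compile(r"^LOG(?P<lvl>\d)\[(?P<conn>[^\]]+)\]:\s*(?P<msg>.*)$")
# depth=0 is the leaf, i.e. the client certificate itself
VERIFY_RE = re.compile(r"^VERIFY OK: depth=(?P<depth>\d+): (?P<dn>.*)$")
# "simap opened with TLSv1, cipher RC4-MD5 (128 bits)"
OPENED_RE = re.compile(r"opened with (?P<proto>[^,]+), cipher (?P<cipher>\S+)")

SAMPLE_LOG = """\
LOG7[1806:92162]: simap started
LOG7[1806:92162]: SSLv2/v3 read client hello A
LOG3[1806:92162]: SSL_accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
LOG7[1807:93186]: simap started
LOG7[1807:93186]: SSLv3 read client hello A
LOG7[1807:93186]: SSLv3 write certificate request A
LOG7[1807:93186]: SSLv3 read client certificate B
LOG3[1807:93186]: SSL_accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
LOG7[2366:1026]: simap started
LOG7[2366:1026]: SSLv3 write certificate request A
LOG5[2366:1026]: VERIFY OK: depth=1: /C=UK/O=Digitalbrain.com Ltd./CN=Digitalbrain Certificate Authority (Intranet)
LOG5[2366:1026]: VERIFY OK: depth=0: /C=UK/O=Digitalbrain.com Ltd./CN=Timothy Small Email Test Cert
LOG7[2366:1026]: SSLv3 read certificate verify A
LOG7[2366:1026]: SSL negotiation finished successfully
LOG6[2366:1026]: simap opened with SSLv3, cipher RC4-MD5 (128 bits)
LOG7[2879:2050]: simap started
LOG7[2879:2050]: SSLv3 write server done A
LOG7[2879:2050]: SSL negotiation finished successfully
LOG6[2879:2050]: simap opened with TLSv1, cipher RC4-MD5 (128 bits)
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse(lines):
    """Group log lines by connection tag -> list of (level, message)."""
    conns = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation or non-stunnel text
        conns.setdefault(m.group("conn"), []).append((int(m.group("lvl")), m.group("msg")))
    return conns


def classify(messages):
    """Reduce one connection's messages to a verdict dict."""
    msgs = [m for _, m in messages]
    v = {"cert_requested": False, "cert_verified": [], "proto": None,
         "cipher": None, "status": None}
    for m in msgs:
        if m.endswith("write certificate request A"):
            v["cert_requested"] = True          # server asked for a client cert
        vm = VERIFY_RE.match(m)
        if vm and vm.group("depth") == "0":
            v["cert_verified"].append(vm.group("dn"))  # leaf chained to the CA file
        om = OPENED_RE.search(m)
        if om:
            v["proto"], v["cipher"] = om.group("proto"), om.group("cipher")
    if any("unknown protocol" in m for m in msgs):
        v["status"] = "not-tls"            # no SSL/TLS client hello at all
    elif any("peer did not return a certificate" in m for m in msgs):
        v["status"] = "no-client-cert"     # asked, but client sent an empty certificate message
    elif v["cert_requested"] and v["cert_verified"] and v["proto"]:
        v["status"] = "client-cert-ok"
    elif v["proto"] and not v["cert_requested"]:
        v["status"] = "unauthenticated"    # finished, but stunnel never asked (-v 0)
    else:
        v["status"] = "incomplete"
    return v


def report(lines):
    """Map connection tag -> verdict for every connection in the trace."""
    return OrderedDict((conn, classify(msgs)) for conn, msgs in parse(lines).items())


if __name__ == "__main__":
    for conn, verdict in report(SAMPLE_LINES).items():
        print(conn, verdict["status"], verdict["proto"], verdict["cert_verified"])
```

Run against a full -D 7 trace, the "no-client-cert" verdict is the one to look for: it proves the server side did its part (certificate request written, CA chain available) and that the client simply declined to present a certificate, which rules out the CA file and the server certificate as the cause.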

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
