SSL via stunnel

Posted: 2004-03-09 04:47
by chow
http://www.vajri.com/ftp/

stunnel.zip
openssl-0.9.7c.tar.gz


Install openssl if you need to create the private key and public certificate. If you already have a certificate and key (make a .pem file with the key first, a blank line, then the cert and a blank line), then just unzip the stunnel.zip file, and edit the conf file as desired.

After that:

stunnel -install

which installs it as a Windows service.

Posted: 2004-08-15 21:34
by Horas
I was successful configuring stunnel myself but I use another config file:

cert= signed cert file
key=unencrypted key
ciphers=DES-CBC3-SHA:IDEA-CBC-MD5

[SECURE_IMAP]
accept=993
connect=143

[SECURE_POP3]
accept=995
connect=110

[SECURE_SMTP]
accept=465
connect=25

works at least with pop3.

I did not create this special stunnel certificate with private key and certificate (that just didn't work), I just used the private RSA key I created with OpenSSL (NOT the CA key!) in one file (referred to in the key parameter) and the certificate, which is signed by the CA.

I don't know if this is the optimal configuration or if it is really secure, I'm still trying to figure out how to configure everything correctly - but perhaps it may help some people.

better config-file infos of stunnel: http://www.stunnel.org/faq/stunnel.html

(after reading lots of openssl documentation, the style of the man page is quite familiar to me ^^)

Feel free to contact me if you have suggestions, better configurations or questions (though I might not be able to answer them!)

hmail_ssl.20.horas@spamgourmet.com

Posted: 2005-04-20 22:31
by Demoric
I'm trying to do the SSL pop3/imap/smtp, but clients can't seem to connect.

I've opened additional ports on my firewall and router. I'm thinking it's a misconfiguration; if you have any suggestions they'd be appreciated.

Here's my stunnel.conf file.

CApath = C:/apache2triad/opssl/cert/
CAfile = certificate.crt
cert = C:/apache2triad/opssl/cert/certificate.crt
key = C:/apache2triad/opssl/cert/privkey.pem
RNDfile = C:/apache2triad/opssl/cert/stunnel.rnd
output = C:/apache2triad/opssl/cert/stunnel.log
ciphers = DES-CBC3-SHA:IDEA-CBC-MD5
service = HmailStunnel
debug = 7
;taskbar = no
;accept = [host:]port

[SECURE_IMAP]
accept=993
connect=143

[SECURE_POP3]
accept=995
connect=110

[SECURE_SMTP]
accept=465
connect=25

Posted: 2005-04-20 23:08
by Duffin444
Have you guys had a chance to poke around with sslexplorer? Might be worth checking out, I use it all the time, though not for mail.

-Duffin

Re: SSL via stunnel

Posted: 2005-06-29 21:48
by JasonMcFeetors
chow wrote: http://www.vajri.com/ftp/

stunnel.zip
openssl-0.9.7c.tar.gz


Install openssl if you need to create the private key and public certificate. If you already have a certificate and key (make a .pem file with the key first, a blank line, then the cert and a blank line), then just unzip the stunnel.zip file, and edit the conf file as desired.

After that:

stunnel -install

which installs it as a Windows service.

Chow,

Any chance that you would be willing to write a tutorial on how to do this? I hate to beg but I will! :wink:

Jason

Posted: 2006-03-04 03:28
by benn600
I just setup Stunnel and have got the SSL tunneling working great except Thunderbird keeps reporting an expired certificate. I've tried OpenSSL but I have no idea how to get a .pem file out of this program? I am not familiar with the program or SSL in general. Thanks!

Posted: 2006-03-07 03:04
by theTerran
Are you creating a root cert or "user" cert? You can use the following commands with OpenSSL...

root certificate:

$ cd /etc/ssl/CA/CA-DB
$ openssl req -new -x509 -days 365 -keyout private/cakey.pem -out cacert.pem

"user" cert:

$ cd /etc/ssl/CA
$ openssl req -new -keyout nameofkey.pem -out nameofcert-req.pem

For either instance, enter info like your PEM pass phrase and Distinguished Name details when prompted.

...of course, I always recommend learning about what you're doing before you blindly follow some unreferenced commands off some forum! :roll:

Posted: 2006-03-07 03:06
by theTerran
Oh yes -- you will also need to sign your certificate once created.

$ openssl ca -out dmanncert.pem -infiles dmanncert-req.pem

See what I mean about following blindly? There's lots I'm sure I haven't thought of just because it has been a while since I set up my certificate server and issued a few certs.
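The steps scattered across this thread (chow's combined key+blank line+cert+blank line file, theTerran's root cert, request and signing commands, and benn600's "expired certificate" complaint) fit together in one short script. The following is an added example and is not code from the thread or from the stunnel/OpenSSL projects. It assumes OpenSSL is installed and on the PATH; the directory layout, the names (cakey.pem, mail-cert.pem, stunnel.pem, mail.example.test) and the 365-day lifetime are assumptions for the example. It signs with "openssl x509 -req -CA ..." rather than "openssl ca", so no CA database directory (index.txt, serial) has to be prepared first, and it runs non-interactively (-nodes, -subj) instead of prompting for a pass phrase and Distinguished Name.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA-signed server certificate
# with OpenSSL, assemble the combined stunnel.pem that chow's post describes
# (key, blank line, certificate, blank line), then run two sanity checks for
# the most common stunnel complaints: a key that does not belong to the
# certificate, and a certificate that has already expired.
# Paths, names and the 365-day lifetime are assumptions for this example.

# Write key + blank line + cert + blank line into one file (the layout the
# first post describes). Returns non-zero if either input is unreadable.
make_stunnel_pem() {
    key_file=$1; cert_file=$2; out_file=$3
    [ -r "$key_file" ] && [ -r "$cert_file" ] || return 1
    {
        cat "$key_file"
        echo
        cat "$cert_file"
        echo
    } > "$out_file"
}

# Compare the public key inside the certificate with the public key derived
# from the private key; both are printed as SubjectPublicKeyInfo PEM, so they
# must be identical for stunnel to be able to serve this certificate.
cert_matches_key() {
    cert_file=$1; key_file=$2
    c=$(openssl x509 -in "$cert_file" -noout -pubkey)
    k=$(openssl pkey -in "$key_file" -pubout)
    [ "$c" = "$k" ]
}

# Succeeds only if the certificate is still valid for at least $2 more
# seconds (default 0, i.e. "not expired right now").
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" > /dev/null
}

# Create a private CA, a server key, a signing request and a signed server
# certificate. Everything lands in directory $1; nothing is prompted for.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Root CA (theTerran's "root certificate" step, made non-interactive)
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=Example Mail CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Server key + certificate request (theTerran's "user cert" step)
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/mail-key.pem" -out "$dir/mail-req.pem" 2>/dev/null
    # Sign the request with the CA (replaces "openssl ca", no CA-DB needed)
    openssl x509 -req -days 365 -in "$dir/mail-req.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/mail-cert.pem" 2>/dev/null
    # The file stunnel's "cert" option can point at (server key, NOT the CA key)
    make_stunnel_pem "$dir/mail-key.pem" "$dir/mail-cert.pem" "$dir/stunnel.pem"
}

# Demo run; skipped silently when openssl is not available.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    cert_matches_key "$work/mail-cert.pem" "$work/mail-key.pem" \
        && echo "server key matches server certificate"
    cert_not_expired "$work/mail-cert.pem" 86400 \
        && echo "certificate is valid for at least one more day"
    openssl verify -CAfile "$work/cacert.pem" "$work/mail-cert.pem"
    echo "combined file for stunnel: $work/stunnel.pem"
fi
```

Once stunnel is running with that file, the client-side view that Thunderbird gets can be reproduced with "openssl s_client -connect host:995"; the certificate chain, the subject name and the notAfter date it prints are what a mail client checks, so an expiry or name complaint shows up there without involving the mail client at all.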

Posted: 2006-03-09 20:28
by benn600
The problem I have is that I don't know where I can enter those commands in. Should I use the command prompt in Windows XP? I don't think it would work...?

Posted: 2006-03-09 21:04
by theTerran
Alas, this is yet another example of how hard it can be to help someone in another environment. There are so many variables to consider!

We run multiple operating systems in our shop, and have OpenSSL running on OpenBSD. That's why you see the "$" prompt at the beginning of each line -- this is the standard command prompt for a non-root user on OpenBSD. So, if you are running on Windows, you will need to reinterpret the command "cd /etc/ssl/CA/CA-DB", which simply changes to the CA-DB (Certificate Authority DataBase) directory.

Does OpenSSL run on Windows? I'm not sure... If so, then you would likely use the same or equivalent commands to generate and sign certificates in your Windows environment. Generating a certificate request can be done on pretty much any machine with OpenSSL; signing the certificate must be done on the certificate authority, or CA.

You know, I'm really not the right person to teach you about SSL. My initial response was prompted by your comment/question
benn600 wrote: I've tried OpenSSL but I have no idea how to get a .pem file out of this program?

...in response to which I offered exactly that: how to get a .pem file out of OpenSSL! Any further instruction is not only outside of the scope of this forum, but also outside what I can suggest without knowing your environment a lot better.

At this point you may wish to take your questions on SSL to a better resource: the openssl-users mailing list, whose archives and subscription information can be found on the OpenSSL Support page.

Good luck, and I hope you get everything working! If you do and want to contribute back, a HowTo in the appropriate forum here would probably be appreciated by other users.

Regards,

Posted: 2006-04-03 11:41
by ldsandon
benn600 wrote: The problem I have is that I don't know where I can enter those commands in. Should I use the command prompt in Windows XP? I don't think it would work...?

Yes, you have to do it at the command prompt. Why shouldn't it work? Most programs ported from *nix systems require the use of a command-line interface.

Posted: 2006-08-10 21:30
by neoform
I seem to have it working, however for whatever reason, in Thunderbird I don't see the cert being stored (even though I'm connected using SSL)..

Isn't it standard for Thunderbird to download the server's cert?