List:       stunnel-users
Subject:    [stunnel-users] Using a signed *.domain.com with ssl - Getting
From:       Pritesh Mehta <pmehta () gnr ! com>
Date:       2006-05-24 9:46:25
Message-ID: 1148463985.29745.17.camel () ketil

Hello all,

I have had a good hunt around and am having trouble finding a solution.

I am using stunnel to provide encrypted pop3 access to our mail server,
and we have recently purchased a signed *.XXX.com certificate from
godaddy. 

This has been great since I can use the same cert on all our servers,
and this has worked cleanly with the webservices.

However, I am having some issues with the stunnel and pop3 service. I am
not entirely certain whether it is caused by the *.XXX.com certificate
(although I think it unlikely) but was hoping someone more knowledgeable
could enlighten me?

I currently have stunnel configured thusly:

    stunnel -f \
    -A /etc/stunnel/certs/sf_issuing.pem \
    -p /etc/stunnel/certs/wildcard.XXX.com.stunnel.pem \
    -r 127.0.0.1:110


Unfortunately my users are getting warnings, and using the openssl
client I get:



$ openssl s_client  -connect mail.XXX.com:995
CONNECTED(00000003)
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
---
No client certificate CA names sent
---
SSL handshake has read 2381 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 4E550C07BDA9661C4B532A28110E5616549CB9FA72D37E5C979E3C6579F8FB99
    Session-ID-ctx:
    Master-Key: 2E588101AA098463FA40C0353009F5842FA19B1C3D48D9A0000EB2E241EFB70BB10D52FE9BC444344D49653B9FEB25F4
    Key-Arg   : None
    Start Time: 1148463445
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---


I am positive this must have been covered before somewhere, but I haven't been able
to find anything conclusive.

Apologies if I'm covering well-trodden ground :)

TIA,


-- 
Pritesh Mehta <pmehta@gnr.com>
Global Name Registry
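
Added example (not part of the original message): a Python sketch that parses the "Certificate chain" section of openssl s_client output in the format shown above, checks that each issuer matches the next subject, and names the issuer the server did not send. The sample text is constructed from the chain in the message with the DNs abbreviated, and the function names are hypothetical.

```python
import re

# Constructed sample: the "Certificate chain" section in the one-line DN
# layout shown in the message, with the DNs abbreviated (assumption: the
# s: line is directly followed by its i: line, as in that output).
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
   i:/C=US/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
 1 s:/C=US/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority
---
Server certificate
"""

PAIR = re.compile(r"^ *(\d+) s:(.*)\n +i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' section."""
    if "Certificate chain" not in text:
        return []
    section = text.split("Certificate chain", 1)[1].split("\n---", 1)[0]
    return [(int(d), s.strip(), i.strip()) for d, s, i in PAIR.findall(section)]


def diagnose(chain):
    """Check issuer/subject linkage and name the issuer the server did not send."""
    if not chain:
        raise ValueError("no certificate chain found")
    # Depths whose issuer is not the subject of the next certificate sent.
    broken = [d for (d, _, iss), (_, subj, _) in zip(chain, chain[1:]) if iss != subj]
    depth, subject, issuer = chain[-1]
    return {
        "broken_links": broken,
        "top_depth": depth,
        # Top certificate is not self-signed: the verifying client must find
        # this issuer in its own CA file or directory, else error 20 at top_depth.
        "missing_issuer": None if subject == issuer else issuer,
    }


if __name__ == "__main__":
    print(diagnose(parse_chain(SAMPLE)))
```

For the sample, the chain links correctly and the unresolved issuer sits above depth 1, which matches the depth=1 error 20 in the s_client output.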

