

This document describes how I use Stunnel on the Arda Network. Stunnel allows third-party programs to communicate across a network through a secure channel (using SSL) without requiring the programs to incorporate SSL code themselves. It is a way to secure inherently insecure programs against packet-sniffing eavesdroppers. You will find an overview, including a very nice diagram, of the Arda Network here.

I have Stunnel running on Callisto and Io. Both machines are running versions of FreeBSD, and I installed Stunnel from the ports tree using the standard ‘make’, ‘make install’ procedure. The Stunnel configuration files I describe reference a machine called Mail. This is an alias for Callisto that I’ve set up in DNS. See my DNS & DHCP Setup Doc for more information.

On Callisto, Stunnel runs in daemon mode. When run in daemon mode, Stunnel requires a server certificate, which is specified by the cert parameter. If a client is configured to ask for a server certificate, this is the certificate Stunnel will present to it. The CAfile parameter specifies the file where client certificates and Certificate Authority root certificates are located. If Stunnel is configured to ask for a client certificate, clients must present a certificate when connecting. Stunnel will then check the certificate against the certificate chain located in CAfile. If Stunnel cannot verify the client certificate, it will refuse the connection. See the Certificates section for more information on the certificates I use with Stunnel.

Stunnel runs with reduced privileges under the user and group ‘stunnel’ in a chroot jail. Since Stunnel is accepting connections from remote locations, I thought this only prudent.

Prior to version 4.15, the verify parameter could only be set as a global option in the configuration file. Since the two services I run require different verify levels, I needed to run two Stunnel instances. With version 4.15, I’m able to set verify on a per-service basis, allowing me to define both services in the same configuration file. You will notice in the configuration file that verify is set to 3 for the pop3pw service. The smtp service does no verification of peer certificates.

Notice that I’ve used a hostname in the accept parameter in both configuration files. I’m using the alias hostname ‘mail’ in my configuration files, but I could have used ‘callisto’ if I had wished. The same applies to the connect parameter in Io’s configuration file.

One tricky bit I found when setting up the chroot jail is that the configuration file is not consistent in its use of pathnames. The pid parameter uses a path relative to that specified by the chroot parameter. However, the CAfile, cert, and key parameters require absolute paths. It took some playing with the configuration file before I realized this.

Here is the configuration file of the stunnel instance running on Callisto.

```
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/share/certs/stunnel-mailkeycert.pem
key = /usr/local/share/certs/stunnel-mailkeycert.pem

; Some security enhancements for UNIX systems - comment them out on Win32

CAfile = /usr/local/share/certs/cacerts.pem
CRLfile = /usr/local/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
```

On Io, Stunnel’s configuration file is also located in /usr/local/etc/stunnel/etc. Its comments carry the same warning about jail-relative paths:

```
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail:
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail:
```

Like Callisto, this file describes two services for which Stunnel sets up port forwardings. For each of the two services listed in the file, Stunnel is forwarding connections from a port on the loopback interface to the server Mail (my alias for Callisto). Stunnel on Io runs in client mode, which means what you might expect: programs on Io will be initiating connections with Callisto. Client mode can be a little misleading, however, since even in this mode there is still a long-lived Stunnel process always running on Io.

The configuration file specifies a verification level of 2, which means that Stunnel will always look for a server certificate and check it against the Certificate Authority root certificate specified by the CAfile parameter. If the server certificate can’t be verified, Stunnel will drop the connection. Because Stunnel is running in client mode, the cert parameter in this case specifies Io’s client certificate. This is the certificate presented if a server asks Stunnel for a client certificate.

You’ll notice that there is a third service, called imaps, listed in the config file but that it is commented out. At one time, SquirrelMail, the webmail package I use, used Stunnel to talk to my IMAP server on Callisto. Now I use SquirrelMail’s native SSL code for IMAP communication.
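As an added example (these are not the page's own configuration files, which appear above only in fragments), here is a pair of stunnel 4.15-style configuration files laid out the way the text describes: Callisto in daemon mode with verify set per service, Io in client mode with verify level 2 and the imaps service commented out. The certificate paths on Callisto and the ‘mail’ alias are taken from the page; the jail directory, the port numbers, Io's certificate file name and the use of a chroot on Io are assumptions. Stunnel reads comments only on their own lines, so every note sits on a line of its own.

```ini
; ---------- Callisto: server side (added example) ----------
; Server certificate and key, presented to clients that ask for one.
; Host-absolute paths: stunnel opens these before it enters the jail.
cert = /usr/local/share/certs/stunnel-mailkeycert.pem
key = /usr/local/share/certs/stunnel-mailkeycert.pem
; Client certificates plus CA root certificates used for verification.
CAfile = /usr/local/share/certs/cacerts.pem
CRLfile = /usr/local/etc/stunnel/crls.pem

; Reduced privileges. chroot is a host path (assumed directory);
; pid is resolved inside the jail, i.e. /usr/local/etc/stunnel/jail/stunnel.pid.
chroot = /usr/local/etc/stunnel/jail
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid

; Hostname alias in accept; port numbers are assumptions.
[pop3pw]
accept = mail:2106
connect = 127.0.0.1:106
; Per-service verify (4.15+): the client certificate must be in CAfile,
; otherwise the connection is refused.
verify = 3

[smtp]
accept = mail:465
connect = 127.0.0.1:25
; No verify line: peer certificates are not checked for this service.

; ---------- Io: client side (added example) ----------
; The page places this file in /usr/local/etc/stunnel/etc.
client = yes
; In client mode cert/key are Io's client certificate, shown only if the
; server asks for one (file name assumed).
cert = /usr/local/share/certs/stunnel-iokeycert.pem
key = /usr/local/share/certs/stunnel-iokeycert.pem
; Level 2: always require a server certificate and check it against the
; CA root in CAfile; an unverifiable server certificate drops the connection.
verify = 2
CAfile = /usr/local/share/certs/cacerts.pem
; chroot on Io is an assumption; same path rules as on Callisto.
chroot = /usr/local/etc/stunnel/jail
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid

; Local programs connect to the loopback port; stunnel forwards to Mail.
[pop3pw]
accept = 127.0.0.1:106
connect = mail:2106

[smtp]
accept = 127.0.0.1:25
connect = mail:465

; Retired: SquirrelMail now uses its own SSL code to reach IMAP.
;[imaps]
;accept = 127.0.0.1:143
;connect = mail:993
```

The two files are kept symmetric on purpose: a port that Callisto accepts on ‘mail’ is the port Io's corresponding service connects to, which makes it easy to see which verify level applies to each tunnel end.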
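The pathname inconsistency described above fails silently until stunnel is actually started, so here is a small POSIX shell checker to run before that; it is an added example and not part of the page or of Stunnel itself. It assumes the rule the page states (cert, key, CAfile and CRLfile are host-absolute paths opened before chroot; pid, CApath and CRLpath are resolved inside the jail) and additionally checks that a CApath or CRLpath directory contains c_rehash-style hashed links, since the file's own comments warn about that. The function names are mine.

```shell
#!/bin/sh
# Added example: sanity-check pathname use in a stunnel 4.x configuration
# before starting it under chroot. Rule set assumed here:
#   cert, key, CAfile, CRLfile : absolute host paths, read before chroot()
#   pid, CApath, CRLpath       : interpreted relative to the chroot directory
# Usage: . ./check_stunnel_paths.sh && check_stunnel_paths /usr/local/etc/stunnel/stunnel.conf

# Print the value of a global option (the part of the file before the first
# [service] section); print nothing if it is unset or commented out.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/   { exit }      # service sections start here
        /^[[:space:]]*[;#]/ { next }      # comment line
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = substr($0, n + 1)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# Returns 0 when every path-valued global option is usable, 1 otherwise,
# printing one diagnostic per problem found.
check_stunnel_paths() {
    conf=$1
    rc=0
    jail=$(conf_get "$conf" chroot)

    # Host-side files: stunnel opens these before it enters the jail.
    for opt in cert key CAfile CRLfile; do
        val=$(conf_get "$conf" "$opt")
        [ -z "$val" ] && continue
        case $val in
            /*) [ -r "$val" ] || { echo "$opt = $val: not readable on the host"; rc=1; } ;;
            *)  echo "$opt = $val: must be an absolute host path"; rc=1 ;;
        esac
    done

    [ -z "$jail" ] && return $rc   # no chroot: nothing else is relocated

    # pid is written after chroot(), so its directory must exist inside the jail.
    val=$(conf_get "$conf" pid)
    if [ -n "$val" ] && [ ! -d "$(dirname "$jail/$val")" ]; then
        echo "pid = $val: directory $(dirname "$jail/$val") missing inside $jail"
        rc=1
    fi

    # CApath / CRLpath: directories inside the jail that must be c_rehash'ed
    # (c_rehash creates <hash>.0 links for certificates, <hash>.r0 for CRLs).
    for opt in CApath CRLpath; do
        val=$(conf_get "$conf" "$opt")
        [ -z "$val" ] && continue
        dir="$jail/$val"
        if [ ! -d "$dir" ]; then
            echo "$opt = $val: $dir missing inside $jail"; rc=1; continue
        fi
        hashed=0
        for f in "$dir"/*.0 "$dir"/*.r0; do
            [ -e "$f" ] && hashed=1
        done
        [ "$hashed" -eq 1 ] || { echo "$opt = $val: no hashed links in $dir, run c_rehash $dir"; rc=1; }
    done
    return $rc
}
```

Run it as the user that starts stunnel so the readability checks on cert and key reflect the permissions stunnel will actually have at start-up; the jail-relative checks deliberately look at the directory on the host side of the chroot, which is where the pid file and hashed certificate links really end up.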
