On 09.03.2011 10:14, kapetr wrote:
> Hello,
> 
> 
> "Victor Duchovni" <victor.ducho...@morganstanley.com> wrote:
>>> 1.   How to get SSL certificate of smtp.iol.cz
>>> (and save it to
>>>> file).
>>
>> Use "openssl s_client -showcerts"
> 
> Thanks - it works. Interesting is, that I get this way only 2
> certificates:
> 
> CN=smtp.iol.cz   (issuer CN=Thawte SSL CA) and
> CN=Thawte SSL CA  (issuer CN=thawte Primary Root CA)
> 
> it is missing the Thawte root certificate CN=thawte Primary Root CA.
> Fortunately I have found this certificate is in /etc/ssl/certs.

Since the client needs the root certificate in its trusted store anyways
(usually /etc/ssl/certs or /usr/ssl/certs, or /etc/ssl/cert.pem as a
bundle, for system-wide OpenSSL installs anyways), there is no point in
the server sending it.  And if you retrieved it through the same channel
that you're fetching the mail through later, you couldn't trust it
anyways but would have to configure it separately.

> So .. I had to copy these three certificates in
> /var/lib/stunnel4/certs (chroot of stunnel4),
> make the "hash" links (with help of openssl x509  -subject_hash
> -noout -in xyz), modify my stunnel.conf:
> 
> [ssmtp_client_iol]
> client = yes
> accept = 10465
> connect = smtp.iol.cz:465
> verify = 3
> CApath = /certs

Whatever stunnel's purpose is in your setup (I'm jumping late into the
thread), stunnel is generally insecure unless you can make bullet-proof
guarantees that nothing other than this particular stunnel instance can
ever grab port 10465.  You often can't guarantee that, and
someone else can hook a password sniffing application to port 10465
transparently.  Setting up a system in a way that it can safely run
stunnel is very hard, because the system must prevent stunnel users from
running/starting if stunnel isn't up.

-- 
Matthias Andree
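The steps discussed in this thread, as an added, self-contained example that is not code from any of the posters: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (all names such as "Demo Root CA" and smtp.example.test are made up), fakes the output of `openssl s_client -showcerts` with only the leaf and intermediate in it (the root is not sent, as kapetr observed), splits that dump into one PEM file per certificate, hash-links the files into a CApath directory with `openssl x509 -subject_hash` the way stunnel's `CApath` expects, and then shows with `openssl verify` that the chain does not verify until the self-signed root is added from a source other than the connection. It assumes only that `openssl`, `awk` and `mktemp` are installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the procedure above
# offline with a throwaway CA (all names below are made up):
#  1. root -> intermediate -> leaf chain,
#  2. a constructed stand-in for "openssl s_client -showcerts" output
#     (leaf + intermediate only; the root is never sent by the server),
#  3. split the dump into one PEM file per certificate,
#  4. hash-link them into a CApath directory (<subject_hash>.<n>),
#  5. verify: fails without a trusted root, succeeds once the root is added.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: throwaway chain. EC keys keep key generation fast.
new_key_and_csr() {  # new_key_and_csr <name> <subject>
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Demo Root CA" \
    -days 365 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:smtp.example.test\n' > "$WORK/leaf.ext"
new_key_and_csr inter "/CN=Demo Intermediate CA"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
new_key_and_csr leaf "/CN=smtp.example.test"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Step 2: constructed stand-in for "openssl s_client -showcerts -connect host:465".
{
    echo 'CONNECTED(00000003)'
    echo '---'
    echo 'Certificate chain'
    echo ' 0 s:CN = smtp.example.test'
    echo '   i:CN = Demo Intermediate CA'
    cat "$WORK/leaf.pem"
    echo ' 1 s:CN = Demo Intermediate CA'
    echo '   i:CN = Demo Root CA'
    cat "$WORK/inter.pem"
    echo '---'
} > "$WORK/showcerts.txt"

# Step 3: one file per PEM block (cert-1.pem = leaf, cert-2.pem = next up);
# prints the number of certificates found.
split_showcerts() {  # split_showcerts <dump> <outdir>
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Step 4: CApath layout <subject_hash>.<n>, the naming c_rehash uses. The
# file is copied and linked with a relative name so it still resolves in a chroot.
add_to_capath() {  # add_to_capath <capath> <cert.pem>...
    dir=$1; shift
    mkdir -p "$dir"
    for f in "$@"; do
        h=$(openssl x509 -noout -subject_hash -in "$f")
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # collisions get .1, .2, ...
        cp "$f" "$dir/$(basename "$f")"
        ln -s "$(basename "$f")" "$dir/$h.$n"
    done
}

# Step 5: verify like a client: trust only CApath, treat the rest of the served
# chain as untrusted intermediates. Exit status is the verdict.
verify_leaf() {  # verify_leaf <capath> <leaf.pem> <untrusted.pem>
    openssl verify -CApath "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

NCERTS=$(split_showcerts "$WORK/showcerts.txt" "$WORK/split")
echo "server sent $NCERTS certificates (no root among them)"

CAPATH="$WORK/certs"
add_to_capath "$CAPATH" "$WORK/split/cert-1.pem" "$WORK/split/cert-2.pem"
if verify_leaf "$CAPATH" "$WORK/split/cert-1.pem" "$WORK/split/cert-2.pem"; then
    echo "unexpected: verified without a trusted root"
else
    echo "served certs only in CApath: verification fails (no trusted root)"
fi

# The root must come from a trusted source (the system store in the real case),
# never from the connection itself; here it comes straight from the throwaway CA.
add_to_capath "$CAPATH" "$WORK/root.pem"
if verify_leaf "$CAPATH" "$WORK/split/cert-1.pem" "$WORK/split/cert-2.pem"; then
    echo "root added to CApath: verification succeeds"
fi
```

For the real server, replace step 2 with `openssl s_client -connect smtp.iol.cz:465 -showcerts </dev/null > showcerts.txt` and take the root from /etc/ssl/certs rather than from the dump, which is exactly the point made above. The peer certificate itself is copied into CApath too because stunnel's `verify = 3` checks the peer against a locally installed certificate, not only against the CA chain.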
