Re: please help with openssl + imap.

1999-07-16 Thread John Fulmer

Try the following URL. It works for me with all versions of stunnel...

http://www.dtcc.edu/cs/admin/notes/ssl/

On Thu, 15 Jul 1999, John Castillo wrote:

> Hello All,
> 
> Argghh.. where did my hair go!
> 
> I have been trying to configure SSL for use with my current imap server (Cyrus). I
> found a couple of reference pages which point to SSLeay (openssl) and stunnel which
> would allow me to configure an SSL environment for Cyrus. If you could please help
> with some suggestions or explanation of the error messages I'm getting, you're
> awesome (because the key/cert/SSL part is stumping me). This is what I've done so
> far.
> 
> built SSLeay0.8.1b
> built stunnel3.4a with RSAglue library
> added the proper entry in /etc/inetd.conf
>   -namely simap stream tcp nowait cyrus /usr/local/sbin/stunnel -D 7 -l /usr/cyrus/bin/imapd imapd
> 
> Everything looks good but now I get this error every time one of my clients (Outlook
> Express or Netscape Messenger) tries to connect to the SSL secure IMAP server...
> 
> 
> Jul 15 17:45:20 phoenix stunnel[12524]: Wrong permissions on /usr/local/ssl/certs/stunnel.pem
> Jul 15 17:45:20 phoenix stunnel[12524]: Could not load DH parameters from /usr/local/ssl/certs/stunnel.pem
> Jul 15 17:45:20 phoenix stunnel[12524]: Diffie-Hellman initialization failed
> Jul 15 17:45:20 phoenix stunnel[12524]: stunnel 3.4a on i686-pc-linux-gnu PTHREAD+LIBWRAP
> Jul 15 17:45:20 phoenix stunnel[12524]: 7 connected from 172.16.0.227:3679
> 
> It seems to WORK though.. I'm just wondering what all the DH errors are all about.
> 
> John C.
> 
> 

__
OpenSSL Project                   http://www.openssl.org
User Support Mailing List         [EMAIL PROTECTED]
Automated List Manager            [EMAIL PROTECTED]
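The two start-up complaints quoted in the thread above (wrong permissions on stunnel.pem, no DH parameters to load) can be caught before stunnel is started. The following pre-flight check is an added example, not code from the thread or from the stunnel project; it assumes stunnel objects to a PEM file that is group- or world-accessible (0600 satisfies any variant of that check) and that the DH warning simply means the combined PEM carries no "DH PARAMETERS" block.

```python
import os
import re
import stat
import tempfile

# Constructed stand-in for a stunnel.pem: the block labels are real PEM labels,
# the bodies are placeholders (not a usable key or certificate).
SAMPLE_PEM_NO_DH = (
    b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
)
SAMPLE_DH_BLOCK = b"-----BEGIN DH PARAMETERS-----\nPLACEHOLDER\n-----END DH PARAMETERS-----\n"

BLOCK_RE = re.compile(rb"^-----BEGIN ([A-Z ]+)-----$", re.M)


def check_stunnel_pem(path):
    """Return a list of findings (empty list = clean) for a combined stunnel PEM."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Assumption: stunnel's "Wrong permissions" fires when group/other bits are set.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access; chmod 0600" % mode)
    with open(path, "rb") as f:
        labels = {m.decode() for m in BLOCK_RE.findall(f.read())}
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no private key block")
    if "CERTIFICATE" not in labels:
        findings.append("no certificate block")
    # Matches "Could not load DH parameters": there is nothing for stunnel to load.
    if "DH PARAMETERS" not in labels:
        findings.append("no DH PARAMETERS block (append one with 'openssl dhparam')")
    return findings


def demo(with_dh=False, mode=0o644):
    """Write the constructed PEM with the given mode and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "stunnel.pem")
        with open(path, "wb") as f:
            f.write(SAMPLE_PEM_NO_DH + (SAMPLE_DH_BLOCK if with_dh else b""))
        os.chmod(path, mode)
        return check_stunnel_pem(path)


if __name__ == "__main__":
    for line in demo():
        print("stunnel.pem:", line)
```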



Re: RSA licensing for OpenSSL usage?

1999-04-28 Thread John Fulmer

On Wed, 28 Apr 1999, Eric Norman wrote:

> 
> 
> > The relevant patent is the one on the RSA cryptography algorithm.
> > It expires in September 2000.  It is in the US only.  Outside the US,
> > the algorithm is not patented.
> 
> Just make sure you understand what you can and cannot do in a few
> months when the RSA patent expires.
> 
> This may or may not mean that you can use the code in SSLeay or Openssl
> that implements the RSA algorithm.  The copyright for that code
> belongs to Eric Young.
> 

According to the OpenSSL and SSLeay licences, which OpenSSL is released
under, OpenSSL can be used for personal, public, and commercial projects and
products as long as certain copyright notices are made in the products'
documentation, and credit is given where credit is due.

It is much less restrictive than the GNU license, but the copyright is
still owned by Eric Young and/or Tim Hudson for the SSLeay portions.
'Permission' for commercial products is only required for use of the
phrase 'OpenSSL'.

In a nutshell, this means that you definitely CAN use this code.






Netscape 4.5.1 and SMTP and such.

1999-04-28 Thread John Fulmer

Hello!

Next question, slightly off-topic.

I've been working with openssl and stunnel to get Netscape Communicator's
SSL mail services to work.

IMAP and POP3, of course, work fine. SMTP is a different story.

Now, the way I understand it, there are three options for SMTP under
netscape 4.51:

1) No encryption
2) If available (EHLO STARTTLS negotiation)
3) Always (SSL tunnel)

(Information was from a newsgroup article by someone from Netscape)

Now, using an SSL wrapper like stunnel should work with option 3 and
specifying the SMTP server as "server:xxx" where xxx is the port number
that the tunnel is using (like the smtps port of 465).

The only thing is that it doesn't work. :( Has anyone seen this work or am
I missing something, or is Communicator just broken? 

This is with stunnel 3.2 and openssl .9.2b


jf


(Output from stunnel -D 7 for anyone who MIGHT be interested..)

[root@appin stunnel]# /usr/sbin/stunnel -d 465 -D 7 -f -l /usr/sbin/sendmail -- sendmail -bs -v
LOG7[26087:1024]: Service name to be used: sendmail
LOG7[26087:1024]: Certificate: /usr/local/ssl/certs/stunnel.pem
LOG7[26087:1024]: Generating 512 bit temporary RSA key...
LOG7[26087:1024]: Temporary RSA key generated
LOG5[26087:1024]: stunnel 3.2 on i686-pc-linux-gnu PTHREAD+LIBWRAP
LOG7[26087:1024]: sendmail bound to 0.0.0.0:465
LOG7[26091:1025]: sendmail started
LOG5[26091:1025]: sendmail connected from 127.0.0.1:4406
LOG7[26091:1025]: Local service connected
LOG7[26092:1025]: Child created





OpenSSL, STunnel, and Netscape 4.51..

1999-04-27 Thread John Fulmer


Hello!

I am having the damnedest time with OpenSSL and STunnel, and wanted to see
if anyone could give me a swift kick in the right direction :)...

I installed OpenSSL on a Linux box (actually used a RedHat package) and it
looks okay. Compiled stunnel 3.1, did a 'make install', a 'make cert', and
put everything (at least stunnel.pem) where OpenSSL and Stunnel expected
them (/usr/local/ssl/certs, in this case).

Fired up stunnel. For a test, I tried just a remote tunnel to an existing
web site (208.217.112.65):

/usr/sbin/stunnel -d 443 -r 208.217.112.65:80 -D 7 -f

LOG7[20252:1024]: Service name to be used: 208.217.112.65.80
LOG7[20252:1024]: Certificate: /usr/local/ssl/certs/stunnel.pem
LOG7[20252:1024]: Generating 1024 bit temporary RSA key...
LOG7[20252:1024]: Temporary RSA key generated
LOG5[20252:1024]: stunnel 3.1 on i686-pc-linux-gnu PTHREAD+LIBWRAP
LOG7[20252:1024]: 208.217.112.65.80 bound to 0.0.0.0:443


Looks good at this point. I hit it with my browser (Netscape 4.51) and
stunnel's output says:

LOG7[20261:1025]: 208.217.112.65.80 started
LOG5[20261:1025]: 208.217.112.65.80 connected from 127.0.0.1:2225
LOG7[20261:1025]: 208.217.112.65.80 connecting 208.217.112.65:80
LOG7[20261:1025]: Remote host connected
LOG3[20261:1025]: SSL_accept: error:::lib(0) :func(0) :reason(0)
LOG7[20261:1025]: 208.217.112.65.80 finished (0 left)

All I get from the browser is an error message "Netscape has encountered
bad data from the server"

However, if I use openssl's s_client, I get the following:

[root@appin jfulmer]# /usr/local/ssl/bin/openssl s_client -connect localhost:443 -ssl3
CONNECTED(0003)
LOG7[20274:1025]: 208.217.112.65.80 started
LOG5[20274:1025]: 208.217.112.65.80 connected from 127.0.0.1:2227
LOG7[20274:1025]: 208.217.112.65.80 connecting 208.217.112.65:80
LOG7[20274:1025]: Remote host connected
depth=0 /C=US/O=Sprint/CN=appin/CN=localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/O=Sprint/CN=appin/CN=localhost
verify return:1
---
Certificate chain
 0 s:/C=US/O=Sprint/CN=appin/CN=localhost
   i:/C=US/O=Sprint/CN=appin/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=Sprint/CN=appin/CN=localhost
issuer=/C=US/O=Sprint/CN=appin/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 709 bytes and written 288 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : SSLv3
Cipher: DES-CBC3-SHA
Session-ID:
841A5F4EA645452280903510827D27184487D8E2398CCD86402FE448D0A5E0E4
Session-ID-ctx: 
Master-Key:
DC03F0A5BF07769C886F5C68847E70332E521CAEA8DA181E93A98C87EDBC190A
24E62F93DA0763F79540290BD1C10D24
Key-Arg   : None
Start Time: 925218962
Timeout   : 7200 (sec)
---
LOG7[20274:1025]:1 items in the session cache
LOG7[20274:1025]:0 client connects (SSL_connect())
LOG7[20274:1025]:0 client connects that finished
LOG7[20274:1025]:0 client renegotiatations requested
LOG7[20274:1025]:1 server connects (SSL_accept())
LOG7[20274:1025]:1 server connects that finished
LOG7[20274:1025]:0 server renegotiatiations requested
LOG7[20274:1025]:0 session cache hits
LOG7[20274:1025]:0 session cache misses
LOG7[20274:1025]:0 session cache timeouts
LOG6[20274:1025]: 208.217.112.65.80 opened with SSLv3, cipher DES-CBC3-SHA (192 bits)
http
HTTP/1.1 405 Method not allowed
Connection: close

405 Method not allowed
LOG7[20274:1025]: Socket closed on read
LOG5[20274:1025]: Connection closed: 5 bytes in, 78 bytes out
LOG7[20274:1025]: 208.217.112.65.80 finished (0 left)
read:errno=0

Which appears to be working correctly.

On another note, it seems to work fine with IE5 under NT. (EEK!)

So, can anyone see what Netscape 4.51 is having problems with as far as
the certificate is concerned? I know the cert is issued for and by
localhost, but it should still work, correct?

Thanks,

jf

