LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 05-23-2003, 01:21 AM   #1
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Rep: Reputation: 58
Stunnel for POP3 server


I replaced an expired CA certificate (stunnel.pem) used by stunnel for a POP3 server (prepared by someone else), with a new, also self-issued certificate, and from that time on, MS Outlook clients connecting to the mailboxes start with an annoying error message saying that the validity of the certificate cannot be verified.
Is there a workaround to avoid the error message and still use a self-issued CA certificate with stunnel?
 
Old 05-23-2003, 05:11 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530
I think there are two possibilities: import the cert in wintendo and setting up your own CA.
 
Old 05-23-2003, 07:49 AM   #3
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Original Poster
Rep: Reputation: 58
Thanks for your attention!

Sure, I am the illiterate, since I could not figure out what is that "wintendo" you mentioned in your previous message. Google search did not help either. So, could you give me some more details?

As concerns setting up our own CA:
I found a good document describing how to setup our own CA: http://sial.org/howto/openssl/ca/
I did all steps exactly as described in the 'CA setup' and 'Signing Certificates' section of the above mentioned document.

I imported the cacert.pem file into IE, so it is now among the root certificates known by IE. I also concatenated the host.key and cacert.pem files in stunnel.pem, and let stunnel use it.

But, when I connect to any mailbox, the following message pops up:
"A certificate chain processed correctly, but terminated in a root certificate that is not trusted by the trust provider"

What did I do wrong?

Last edited by J_Szucs; 05-23-2003 at 08:18 AM.
 
Old 05-23-2003, 12:07 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530
"A certificate chain processed correctly, but terminated in a root certificate that is not trusted by the trust provider"

Seems the CA you imported is not recognized as a root CA like those from Thawthe, Verisign etc etc. Gotta check if it is in the Trusted root certificates authority tree. The "IE way" is described in the bottom half of this page. (Never thought I'd ever link to docs on the Wintendo site here). As administrator on W2K you could use the mmc and check for any cert snap-ins (msc's).
 
Old 05-24-2003, 05:48 PM   #5
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Original Poster
Rep: Reputation: 58
Thanks to your help, I could solve the problem.
There were two issues:
- the CAcert.pem had to be manually imported into the root certificates folder of IE
- the second issue was a bit amazing: I had to generate a new certificate for stunnel, with a CN (common name) parameter of mail.foo.bar and also had to re-configure the outlook clients to connect to the pop3 server by the same name (mail.foo.bar) and not by IP address.

Just one more question:

Does the fact that I imported the root CAcert into MSIE clients involve a security risk?
I mean, if the windows clients are compromised, the certificate may get into the hands of unauthorized persons. If so, can they generate their own certificates that seem valid?
(This would involve that I should withdraw the old CA certificate and issue a new one anytime a windows machine is compromised).

What is you opinion?

Last edited by J_Szucs; 05-24-2003 at 05:50 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
pop3 server amadkow Linux - Software 5 11-17-2004 04:35 PM
where is the pop3 server in 9.2? mishunimi Mandriva 2 02-04-2004 06:28 PM
pop3 server? fredws Mandriva 1 11-07-2003 10:21 AM
best pop3 server sirjosi Linux - Networking 1 10-23-2003 03:03 PM
pop3 server chamkila Linux - Software 1 08-12-2003 10:44 AM


All times are GMT -5. The time now is 06:47 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration