Article delegate-en/4057 of [1-5169] on the server localhost:119

Newsgroups: mail-lists.delegate-en

[DeleGate-En] How to verify a server's certificate?
08 Aug 2008 17:53:26 GMT Monika Schilling <p3ehqbdyi-g7ilkrvm4hjr.ml@ml.delegate.org>


Hello,

I succeeded in setting up DeleGate 9.7.7 as a gateway between a pop3 client 
and a pop3s server by using this configuration:

  -v
  ADMIN=...
  STLS=fsv
  -P127.0.0.1:50110
  SERVER=pop
  REMITTABLE=pop3s
  MOUNT="//*%S/%S pop3s://pop.1und1.de/*%(1)@%(0)"

After this initial step "make encryption work" I wanted to go further 
to "verify the identity of the peer". So I made the following change to the 
configuration:

  STLS=fsv

=>

  STLS="fsv,sslway -Vrfy -CAfile CA.pem -vd"

According to the manual I put the file CA.pem into the directory {DGROOT}/lib.

Unfortunately this does not work. DeleGate does not verify the certificate of 
the remote pop3s server: 

==========================================================================
...

08/08 18:13:39.68 [32262] 0+0: --INITIALIZATION START-08080818+0000: 9.7.7 on
  Linux/2.6.18.8-0.10-default--
08/08 18:13:39.68 [32262] 0+0: EXECDIR=/usr/local/bin
08/08 18:13:39.68 [32262] 0+0: BINSHELL=/bin/sh
08/08 18:13:39.68 [32262] 0+0: MAXIMA=delegated:32 for small mem=329M
08/08 18:13:39.68 [32262] 0+0: scan STLS and FILTERS before beDaemon()...
08/08 18:13:39.68 [32262] 0+0: FILTER[sslway]: sslway -Vrfy -CAfile CA.pem -vd
08/08 18:13:39.68 [32262] 0+0: STLS -> CMAP="sslway -Vrfy -CAfile
  CA.pem -vd:FSV:starttls"
08/08 18:13:39.68 [32262] 0+0: --- [z] 0 dglibz.so
08/08 18:13:39.68 [32262] 0+0: --- [z] 0 libz.so.0.9.8
08/08 18:13:39.68 [32262] 0+0: --- [/usr/lib/libz.so]
08/08 18:13:39.68 [32262] 0+0: --- [z] 8380298 /usr/lib/libz.so
08/08 18:13:39.68 [32262] 0+0: ---- [z] loaded 15 syms, unknown=0+0, already=0
08/08 18:13:39.68 [32262] 0+0: +++ loaded Zlib 1.2.3
08/08 18:13:39.68 [32262] 0+0: #### gzip/gunzip = dynamically linked
08/08 18:13:39.68 [32262] 0+0: --- [crypto] 0 dglibcrypto.so
08/08 18:13:39.68 [32262] 0+0: --- [/usr/lib/libcrypto.so.0.9.8]
08/08 18:13:39.68 [32262] 0+0: --- [crypto]
  8380608 /usr/lib/libcrypto.so.0.9.8
08/08 18:13:39.68 [32262] 0+0: --- [crypto] optional:
  SSL_CTX_use_certificate_chain_file
08/08 18:13:39.68 [32262] 0+0: --- [crypto] optional:
  SSL_CTX_set_session_id_context
08/08 18:13:39.68 [32262] 0+0: --- [crypto] optional:
  SSL_CTX_set_generate_session_id
08/08 18:13:39.68 [32262] 0+0: ---- [crypto] loaded 95 syms, unknown=47+3,
  already=0
08/08 18:13:39.68 [32262] 0+0: --- [ssl] 0 dglibssl.so
08/08 18:13:39.68 [32262] 0+0: --- [/usr/lib/libssl.so.0.9.8]
08/08 18:13:39.68 [32262] 0+0: --- [ssl] 8380B50 /usr/lib/libssl.so.0.9.8
08/08 18:13:39.68 [32262] 0+0: ---- [ssl] loaded 95 syms, unknown=0+0,
  already=0
08/08 18:13:39.68 [32262] 0+0: +++ loaded OpenSSL 0.9.8d 28 Sep 2006

...

08/08 18:14:06.69 [32270] 1+0: POP C-S: USER test@mschilling..^M
08/08 18:14:06.69 [32270] 1+0: *** //mschilling.com/test =>
  pop3s://pop.1und1.de/test@mschilling.. ***
08/08 18:14:06.80 [32270] 1+0: ConnectToServer connected [8]
  {212.227.15.178:995 <- 192.168.1.241:36544} [0.111s]
08/08 18:14:06.80 [32270] 1+0: {R} SV[127.0.0.1:53] <-
  241.1.168.192.in-addr.arpa. [PTR]
08/08 18:14:06.80 [32270] 1+0: ## SSLway CFI_TYPE=FSV: -co is assumed
08/08 18:14:06.80 [32270] 1+0: ## SSLway start
08/08 18:14:06.81 [32270] 1+0: ## SSLway CAs = [/home/ms/delegate/lib/CA.pem]
  []
08/08 18:14:06.81 [32270] 1+0: ## SSLway B7ADEB90 loadSession 0.000031 (0
  0) / -1
08/08 18:14:06.93 [32270] 1+0: ## SSLway depth=1/-1 ok=1
  0:"ok" /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
  cc/OU=Certification Services Division/CN=Thawte Premium Server 
  CA/emailAddress=premium-server@thawte..
08/08 18:14:06.93 [32270] 1+0: ## SSLway depth=0/-1 ok=1
  0:"ok" /C=DE/ST=Rheinland-Pfalz/L=Montabaur/O=1 und 1 Internet
  AG/CN=pop.1und1.de
08/08 18:14:07.05 [32270] 1+0: ## SSLway connected
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.000010 start
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.000013 init done
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.000309 begin args
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.000314 end args
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.000404 end rand_seed
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.000600 nodelay set
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.000604 start con/acc
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.004956 ssl_conn() start
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.005079 loadSession NONE
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.005316 before connect
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.250351 after connect
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.250647 saveSession OK
08/08 18:14:07.05 [32270] 1+0: ## SSLway -- 0.250727 start relay ...
08/08 18:14:07.05 [32270] 1+0: ## SSLway server's cert. =
  **subject<</C=DE/ST=Rheinland-Pfalz/L=Montabaur/O=1 und 1 Internet
  AG/CN=pop.1und1.de>> **issuer<</C=ZA/ST=Western Cape/L=Cape Town/O=Thawte
  Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server
  CA/emailAddress=premium-server@thawte..>>
08/08 18:14:07.05 [32270] 1+0: willSTLS_SV: ServerFlags=20330
08/08 18:14:07.20 [32270] 1+0: ## SSLway S-C: 32/32 -> 32
08/08 18:14:07.20 [32270] 1+0: POP S-D: +OK POP server ready H mimap17^M
08/08 18:14:07.20 [32270] 1+0: willSTLS_SV: ServerFlags=220330
08/08 18:14:07.20 [32270] 1+0: POP D-S: USER test@mschilling..^M
08/08 18:14:07.20 [32270] 1+0: ## SSLway C-S: 26/26 -> 26/SSL
08/08 18:14:07.31 [32270] 1+0: ## SSLway S-C: 54/54 -> 54
08/08 18:14:07.31 [32270] 1+0: POP S-D: +OK password required for
  user "test@mschilling.."^M
==========================================================================


Interestingly, DeleGate complains about the missing file CA.pem after removal of 
that file:

==========================================================================
...

08/08 18:31:44.44 [32411] 1+0: POP C-S: USER test@mschilling..^M
08/08 18:31:44.44 [32411] 1+0: *** //mschilling.com/test =>
  pop3s://pop.1und1.de/test@mschilling.. ***
08/08 18:31:44.55 [32411] 1+0: ConnectToServer connected [8]
  {212.227.15.178:995 <- 192.168.1.241:47802} [0.108s]
08/08 18:31:44.55 [32411] 1+0: {R} SV[127.0.0.1:53] <-
  241.1.168.192.in-addr.arpa. [PTR]
08/08 18:31:44.55 [32411] 1+0: ## SSLway CFI_TYPE=FSV: -co is assumed
08/08 18:31:44.55 [32411] 1+0: ## SSLway start
08/08 18:31:44.56 [32411] 1+0: builtin-SSLway: ssl_setCAs() failed
08/08 18:31:44.56 [32411] 1+0: ## SSLway CAs not found or wrong: [CA.pem][]
08/08 18:31:44.56 [32411] 1+0: ## SSLway B7B53B90 loadSession 0.000046 (0
  0) / -1
08/08 18:31:44.68 [32411] 1+0: ## SSLway depth=0/-1 ok=0 20:"unable to get
  local issuer certificate" /C=DE/ST=Rheinland-Pfalz/L=Montabaur/O=1 und 1
  Internet AG/CN=pop.1und1.de
08/08 18:31:44.68 [32411] 1+0: ## SSLway connect failed
  32411:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
  verify failed:s3_clnt.c:894:
08/08 18:31:44.68 [32411] 1+0: builtin-SSLway: ssl_conn() failed
  (UNIX) 31:44.682 [32411] --E-SSLway ErrFin 32411 10 -1 
s08/08 18:31:44.68 [32411] 1+0: willSTLS_SV: ServerFlags=20330
08/08 18:31:44.68 [32411] 1+0: disconnected [31] -@[127.0.0.1]localhost:32850
  (20.815s)(0)
==========================================================================


I have no more ideas, so I ask for your help.


Monika
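As an added example, not part of Monika's post and not DeleGate or sslway code, the following Go program builds a constructed CA and a server leaf in memory and verifies the leaf three ways: against a trust store that holds the CA (what a correct -CAfile CA.pem gives), against an empty trust store (the second log's "unable to get local issuer certificate" case), and against the right CA but a different expected hostname. The chain check is what -CAfile buys; whether sslway -Vrfy also matches the certificate name against the host is not stated on this page, so the third case is an assumption about what "verify the identity of the peer" needs, not a claim about sslway. The name pop.1und1.de is reused only as the constructed leaf's DNS name; the hostname mail.example.invalid is made up for the mismatch case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed CA and a leaf certificate it signed. Both are
// generated in memory here; they are not the Thawte or 1&1 certificates
// from the log, and nothing below is DeleGate or sslway code.
type Chain struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

func mustCreate(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewChain builds a self-signed CA and a server leaf for leafName.
func NewChain(leafName string) Chain {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mustCreate(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: leafName},
		DNSNames:     []string{leafName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCreate(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return Chain{CA: ca, Leaf: leaf}
}

// VerifyResult verifies the leaf the way a TLS client with a trust store
// would. trustCA=true stands for "-CAfile pointing at the right CA";
// trustCA=false for an empty or missing CA file. expectName is the host
// the client meant to reach. Returns a short classification.
func VerifyResult(c Chain, trustCA bool, expectName string) string {
	roots := x509.NewCertPool() // non-nil and empty: system roots are NOT consulted
	if trustCA {
		roots.AddCert(c.CA)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectName})
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		// Go's counterpart of OpenSSL's "unable to get local issuer certificate"
		return "unknown-authority"
	case errors.As(err, &hostname):
		return "hostname-mismatch"
	default:
		return "error: " + err.Error()
	}
}

func main() {
	c := NewChain("pop.1und1.de")
	fmt.Println("trusted CA, right name:", VerifyResult(c, true, "pop.1und1.de"))
	fmt.Println("no CA, right name:     ", VerifyResult(c, false, "pop.1und1.de"))
	fmt.Println("trusted CA, wrong name:", VerifyResult(c, true, "mail.example.invalid"))
}
```

The empty pool is created with x509.NewCertPool rather than left nil on purpose: a nil Roots makes Go fall back to the system trust store, which would hide the "CA file missing" failure instead of reproducing it.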
