Error compiling stunnel
checking for unsigned char... yes
checking size of unsigned char... configure: error: cannot compute sizeof (unsigned char), 77
See `config.log' for more details.
Run the above export to fix this configure issue with stunnel (assumes you have openssl installed in the default location).
Obtain a certificate for stunnel
Issue the following command:
Two files will be generated: client.key and client.csr. Send client.csr to your CA (Certificate Authority). They will, in turn, issue a signed certificate back to you.
stunnel.conf configuration
# Sample qmail-pop3d with relay-ctrl config file
# Paul Foremski ( pavcio(at)users.sf.net )
#
# If specifying the entire chain in the pem file (shown below)
cert = /usr/local/etc/stunnel/pop.pem
client = no
foreground = no
exec = /var/qmail/bin/qmail-popup
execargs = /var/qmail/bin/qmail-popup mail.gadgetwiz.com /var/qmail/bin/auth_pop /var/qmail/bin/qmail-pop3d Maildir 2>&1
#
# If supplying the cert as several files
#
# Chain file (your CA and your CA's CA)
#CAfile = /etc/stunnel/chain.pem
#
# Your cert (issued by your CA)
#cert = /etc/stunnel/server.crt
#
# Your private RSA key created by 'openssl req'
#key = /etc/stunnel/server.key
#
#debug = 7
#output = /var/log/stunnel.log
stunnel configuration of .pem files
When used to run a service like pop3s or imaps, stunnel is relatively easy to configure if you have access to a correct configuration. It is a little more complex to configure if you are attempting to chain certificates. Chaining certificates is the practice of having one CA (certificate authority) validate the certificates for another.
The easiest technique for chaining certificates for stunnel is to provide a .pem file with all the certificates in order:
-----BEGIN CERTIFICATE-----
LEAF: Certificate issued by your CA (non-root).
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE: Your CA's certificate, issued by the root CA.
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT: The root CA's certificate.
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Private key (client.key) used by: openssl req -new -key client.key -out client.csr
-----END RSA PRIVATE KEY-----
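As an added example (not from this page or the stunnel project), the following Python lints a .pem file for exactly that layout: five-dash BEGIN/END markers, a single private key placed last, and each certificate's issuer matching the next certificate's subject, found with a minimal DER walk. The sample chain it builds (LEAF, INTERMEDIATE, ROOT, KEY) is constructed, unsigned test data, not real certificates or keys.

```python
import base64, re

# Added example (not stunnel's own code): lint a stunnel .pem chain file for the layout the page describes.
PEM_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S | re.M)
def der_tlv(data, pos=0):                           # one DER element -> (tag, body, next pos)
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln
def der_children(body):                             # elements of a SEQUENCE body -> [(tag, body)]
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out
def cert_names(der):                                # (issuer, subject) raw DER Name bodies of a cert
    fields = der_children(der_children(der_tlv(der)[1])[0][1])          # tbsCertificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields             # skip explicit [0] version
    return fields[2][1], fields[4][1]               # serial, sigAlg, issuer, validity, subject
def check_chain_pem(text):                          # [] means the file is in stunnel's expected order
    blocks, problems = PEM_RE.findall(text), []
    kinds = [k for k, _ in blocks]
    if text.count("BEGIN ") != len(blocks):         # e.g. "-------BEGIN" or "---BEGIN"
        problems.append("malformed PEM marker: BEGIN/END lines need exactly five dashes")
    if kinds[-1:] != [k for k in kinds if k.endswith("PRIVATE KEY")]:   # exactly one key, placed last
        problems.append("expected exactly one private key block, as the last block")
    names = [cert_names(base64.b64decode(b)) for k, b in blocks if k == "CERTIFICATE"]
    for i in range(len(names) - 1):                 # issuer of cert i must be subject of cert i+1
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} issuer != certificate {i + 1} subject (wrong order?)")
    if not names or names[-1][0] != names[-1][1]:
        problems.append("no certificates, or last certificate not self-signed (root CA missing?)")
    return problems
# Constructed sample data (no real keys or certificates): minimal unsigned X.509 DER structures.
_tlv = lambda tag, body: bytes([tag, len(body)]) + body     # short-form DER lengths suffice here
def _fake_cert(subject, issuer):
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")
                                                 + _tlv(0x0C, cn.encode()))))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + name(issuer) + _tlv(0x30, b"") + name(subject) + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
def _pem(kind, der):
    return f"-----BEGIN {kind}-----\n{base64.encodebytes(der).decode()}-----END {kind}-----\n"
LEAF = _pem("CERTIFICATE", _fake_cert("mail.example.test", "Example Issuing CA"))
INTERMEDIATE = _pem("CERTIFICATE", _fake_cert("Example Issuing CA", "Example Root CA"))
ROOT = _pem("CERTIFICATE", _fake_cert("Example Root CA", "Example Root CA"))
KEY = _pem("RSA PRIVATE KEY", b"\x30\x00")         # placeholder bytes, not a real key
GOOD_CHAIN = LEAF + INTERMEDIATE + ROOT + KEY      # the order the page prescribes
BAD_CHAIN = INTERMEDIATE + LEAF + ROOT + KEY       # leaf and intermediate swapped
```

The issuer/subject test compares the DER Name encodings byte for byte, which is how real CA chains are normally emitted; it does not check that the key actually belongs to the leaf certificate.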
Example POP3S Session
depth=0 s:/C=US/ST=State/L=City/O=Company/CN=mail.gadgetwiz.net
verify return:1
depth=0 s:/C=US/ST=State/L=City/O=Company/CN=mail.gadgetwiz.net
verify return:1
---
Certificate chain
0 s:/C=US/ST=State/L=City/O=Company/CN=mail.gadgetwiz.net
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=Company./CN=mail.gadgetwiz.net
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
---
No client certificate CA names sent
---
SSL handshake has read 961 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 9999999999999999999999999999999999999999999999999999999999999999
Session-ID-ctx:
Master-Key: 99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999F
Key-Arg : None
Start Time: 1084316090
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK <21860.1076718099@mail.gadgetwiz.net>
2 83815
3 6180
4 3813
5 2177
6 4134
7 7168
8 18234
.
[[message]]
.
Connection closed by foreign host.