
Re: creating a ssl cert with stunnel



> if it is unsigned i think so. signed certs i think only have to match
> the domain.

but where is the domain listed if not in the common name of the cert?

> instead of "fixing" your ssl cert look into ditching outlook or fixing
> outlook.

i don't want to do that.  i use fetchmail (haven't used windows in
years) but i have friends and family that use my server and they need to
be able to use whatever tools they prefer to check their mail.

> i use sslwrap to provide SSL over IMAP4, with netscape it warns me
> that the host is not the same as the cert as well, because i am
> connecting to a CNAME rather than the real hostname.

i don't think that sslwrap will make a difference unless the certificate
is generated differently.

i figured out how to generate a certificate the way i needed by running
this.

# openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

i just put "." as the answer (which leaves it blank) to all the questions
except cn (which got the fqdn of my server) and email which i put
root@domain in.

fetchmail doesn't give me an error anymore (still waiting to hear back if
outlook works) and the new cert looks like this:

maus(larry)$ sudo openssl x509 -subject -dates -fingerprint -in /etc/ssl/certs/stunnel.pem
subject=/CN=maus.spack.org/Email=root@spack.org
notBefore=Nov 30 00:34:15 2000 GMT
notAfter=Nov 30 00:34:15 2001 GMT
MD5 Fingerprint=34:5C:8F:EA:39:77:86:FB:CB:BC:46:F7:6B:F7:D6:5D

> doesn't cause a problem, just have to click the continue button, and i
> prefer to see that come up so i know SSL is enabled :)

you can do this with a correct cert as well (at least in netscape) just
choose to only accept the certificate for that session.

adam.
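
Added example (not part of the original message): a Python check of the hostname comparison discussed in this thread, run against the subject line printed above, showing why a client that connects by an alias gets a mismatch warning. The alias mail.example.org and the newer-format subject line are constructed for illustration, and only the CN is compared, as in the certificate above; current clients check subjectAltName entries instead.

```python
import re

# Subject line as printed in the message above (older OpenSSL output format).
OLD_STYLE = "subject=/CN=maus.spack.org/Email=root@spack.org"
# Constructed: the same subject as newer OpenSSL releases print it.
NEW_STYLE = "subject=CN = maus.spack.org, emailAddress = root@spack.org"


def subject_cn(subject_line):
    """Return the CN from an `openssl x509 -subject` line, or None."""
    text = subject_line.strip()
    if text.lower().startswith("subject="):
        text = text[len("subject="):]
    # Attributes are separated by "/" (old format) or "," (new format).
    m = re.search(r"(?:^|[/,])\s*CN\s*=\s*([^/,]+)", text)
    return m.group(1).strip() if m else None


def name_matches(cert_name, connect_name):
    """Case-insensitive comparison; a leading "*." covers exactly one label."""
    cert = cert_name.lower().rstrip(".")
    host = connect_name.lower().rstrip(".")
    if cert.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == cert[2:]
    return cert == host


def check(subject_line, connect_name):
    """Compare the cert CN with the name the client was configured with.

    The client uses the name the user typed, not the name DNS resolves
    it to, so a CNAME pointing at the right host still mismatches.
    """
    cn = subject_cn(subject_line)
    if cn is None:
        return "no CN in subject"
    if name_matches(cn, connect_name):
        return "ok"
    return "mismatch: cert is for %s, client asked for %s" % (cn, connect_name)


if __name__ == "__main__":
    # mail.example.org is a constructed alias standing in for a CNAME.
    for name in ("maus.spack.org", "MAUS.spack.org", "mail.example.org"):
        print(name, "->", check(OLD_STYLE, name))
```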