[stunnel-users] Using a signed *.domain.com with ssl - Getting

05-24-2006
Pritesh Mehta

Hello all,

I have had a good hunt around and am having trouble finding a solution.

I am using stunnel to provide encrypted pop3 access to our mail server,
and we have recently purchased a signed *.XXX.com certificate from
godaddy.

This has been great since I can use the same cert on all our servers,
and this has worked cleanly with the web services.

However, I am having some issues with the stunnel and pop3 service. I am
not entirely certain whether it is caused by the *.XXX.com certificate
(although I think it unlikely) but was hoping someone more knowledgeable
could enlighten me?

I currently have stunnel configured thusly:

stunnel -f \
-A /etc/stunnel/certs/sf_issuing.pem \
-p /etc/stunnel/certs/wildcard.XXX.com.stunnel.pem \
-r 127.0.0.1:110


Unfortunately my users are getting warnings, and using the openssl
client I get:



$ openssl s_client -connect mail.XXX.com:995
CONNECTED(00000003)
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
---
No client certificate CA names sent
---
SSL handshake has read 2381 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 4E550C07BDA9661C4B532A28110E5616549CB9FA72D37E5C979E3C6579F8FB99
Session-ID-ctx:
Master-Key: 2E588101AA098463FA40C0353009F5842FA19B1C3D48D9A0000EB2E241EFB70BB10D52FE9BC444344D49653B9FEB25F4
Key-Arg : None
Start Time: 1148463445
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---


I am positive this must have been covered before somewhere, but I haven't been able to find anything conclusive.

Apologies if I'm covering well-trodden ground :)

TIA,


--
Pritesh Mehta <pmehta@gnr.com>
Global Name Registry
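
An added example, not part of the original post: a small parser for the "Certificate chain" section of `openssl s_client` output that reports which issuer the verifying side has to find in its own trust store, which is what error 20 ("unable to get local issuer certificate") at a given depth refers to. The function names `parse_chain` and `diagnose` are hypothetical, and the sample input is constructed from the output in the post with shortened names.

```python
import re

# Constructed sample: the "Certificate chain" section of the s_client output
# above, with the distinguished names shortened.
SAMPLE = """\
---
Certificate chain
0 s:/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
i:/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
1 s:/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
i:/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority
---
"""

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client output."""
    chain, in_chain, pending = [], False, None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain and (m := SUBJECT.match(line)):
            pending = (int(m.group(1)), m.group(2).strip())
        elif in_chain and pending and (m := ISSUER.match(line)):
            chain.append((*pending, m.group(1).strip()))
            pending = None
    return chain


def diagnose(chain):
    """List broken links and the issuer the verifier must hold locally.

    Compares names only; it does not check signatures or validity dates.
    """
    if not chain:
        return ["no certificate chain found"]
    findings = []
    for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            findings.append(f"depth {depth}: next certificate is not its issuer")
    depth, subject, issuer = chain[-1]
    if subject == issuer:
        findings.append(f"depth {depth}: self-signed root, must be trusted locally: {subject}")
    else:
        findings.append(f"depth {depth}: issuer not sent, must be trusted locally: {issuer}")
    return findings
```

Feeding it the saved output of the `openssl s_client -connect mail.XXX.com:995` run from the post gives the name of the CA certificate that a client-side `-CAfile` or trust store would need to contain.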

