The stunnel config suggested earlier (see This icq..) for running ICQ (Pidgin) through stunnel is insecure! It provides encryption, but it does not verify the server certificate: stunnel does not verify the peer unless 'verify' is set (the default behaves like 'verify = 0', the server's certificate is accepted whatever it is), so anyone who can intercept the connection can terminate the TLS session with their own certificate. Here is how to fix it, on Debian wheezy.

First, let's obtain the ICQ server certificate:

$ openssl s_client -CApath /etc/ssl/certs -no_ssl2 -connect slogin.icq.com:443
{{{
depth=0 serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEajCCA1KgAwIBAgIDAWv4MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEYMBYGA1UEAxMPR2VvVHJ1c3QgU1NM
IENBMB4XDTEyMDUxNjExMDA1OFoXDTE3MDgxNjIyMDkxMFowgYYxKTAnBgNVBAUT
IGhvMFBqNkpVREpSZ0F0M1QvTnBqOS1kWkxDSkdyaDlvMQswCQYDVQQGEwJVUzER
MA8GA1UECBMIRGVsYXdhcmUxEzARBgNVBAcTCldpbG1pbmd0b24xEDAOBgNVBAoT
B0lDUSBMTEMxEjAQBgNVBAMMCSouaWNxLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAL5lEXr9btmHGAYAKCbopSM1dPJwAZV5uvbxSx8kiAprIzGg
N/RaZPFQ42RMaypDEu3p2jDU2ZtgFkRuQ2LG9Z7BGidFSymYl7TFM6S1CkI2OQyE
1UlujxVbN5V3IaK/b/mbHFk6tBZMn1YlSgxWTE8b29PxQUI5m66ZYDYFTmC5t9jw
HzxsYcgTWZM+PDrqsm0rkhkGU4ujh+FUY30F02/LCUzJn1w+jW9LeZnMnn+aAkym
o3Zke+iZSZ5vULFr11Sc4wBWmRuFgHKAJNwKMBfboZrRlY4IJI+30BH1QvolPXtX
qjvEIEC8ux8z2rD6hDFDgsHLSYoZ4AnFawP48mUCAwEAAaOCASQwggEgMB8GA1Ud
IwQYMBaAFEJ5VBthzVUrPmPVPEhX9Z/7Rc5KMA4GA1UdDwEB/wQEAwIEsDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0RBBYwFIIJKi5pY3EuY29t
ggdpY3EuY29tMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9ndHNzbC1jcmwuZ2Vv
dHJ1c3QuY29tL2NybHMvZ3Rzc2wuY3JsMB0GA1UdDgQWBBROY82geOHOv38dROjo
W8DOoxc5NjAMBgNVHRMBAf8EAjAAMEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcw
AoYnaHR0cDovL2d0c3NsLWFpYS5nZW90cnVzdC5jb20vZ3Rzc2wuY3J0MA0GCSqG
SIb3DQEBBQUAA4IBAQAgNfryHeFms6AFGHs4n/uJhPVa5fFhwwwROqTIy0oFpew0
gXpdJzujIzbUb+FmVNGUxiLc1vbIe0xvE4NucYfrGk1ZyDJ2ccQ/chNOA0VW+opm
H4CZWnxsok141AVg76ScvQLdVg40+sffO6sK/uSuKO0/pKG0+dlWI7pUoLEP2DBS
ijXsEdTtS6AhGxHLBGB1XrMG75Fn8SbGfLpMa6ogRtWCF2KGad99MGE+LhxnJX+N
2MG8oQgrQPnOevt7VqyFeQN4F1gXb7oZl7Slu4QHAKIRiogdipn6Pb0KEFCiS8NI
NpV0UzbldXtsEkUP4WiP/HsYoDBCHQbWAM5BAbWS
-----END CERTIFICATE-----
subject=/serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2350 bytes and written 646 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0A46A932CAC9CBE1538DFDBD0468BCEF8477AD38107619B541847345E0C4F9A1
    Session-ID-ctx:
    Master-Key: A13FB34C8C89F8BE6A71AB43BEDC9C17BCD60D202A4AC0D08D842499D5C6C35A6E5CD153C79708BB5E10E84180B59864
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 90 7c 82 27 8a 55 1e c6-e0 e6 f8 02 92 02 87 87   .|.'.U..........
    0010 - 38 99 60 ef 42 6b 61 1f-b9 b3 94 97 ea 70 2f fd   8.`.Bka......p/.
    0020 - 22 70 54 3f 1a 42 78 79-09 2c 01 04 b2 f5 98 17   "pT?.Bxy.,......
    0030 - db 97 de 8b 63 74 e2 60-8e dd 16 ef 43 9e f2 75   ....ct.`....C..u
    0040 - 44 04 51 60 7c 36 ac bb-70 39 d8 58 05 8b 46 dc   D.Q`|6..p9.X..F.
    0050 - 6a 8f d7 15 53 bb 03 be-ad 72 ff 89 8b 85 b4 65   j...S....r.....e
    0060 - e7 2f 43 7e bc 1d d8 6e-1b 3e 24 67 84 49 f9 cb   ./C~...n.>$g.I..
    0070 - c1 41 93 ca 98 e2 3f b9-b5 20 c9 95 d5 40 8b 44   .A....?.. ...@.D
    0080 - b1 92 c0 4c c7 3f 25 bc-f5 60 15 db 74 70 83 94   ...L.?%..`..tp..
    0090 - 4e 5c f2 f5 6d bc 7a aa-26 22 6f 41 12 b6 bf ab   N\..m.z.&"oA....

    Start Time: 1353063260
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
}}}

Save the block between BEGIN CERTIFICATE and END CERTIFICATE as icq.pem. Here it is in text form:

$ openssl x509 -text -noout -in icq.pem
{{{
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 93176 (0x16bf8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
        Validity
            Not Before: May 16 11:00:58 2012 GMT
            Not After : Aug 16 22:09:10 2017 GMT
        Subject: serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C=US, ST=Delaware, L=Wilmington, O=ICQ LLC, CN=*.icq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:65:11:7a:fd:6e:d9:87:18:06:00:28:26:e8:
                    a5:23:35:74:f2:70:01:95:79:ba:f6:f1:4b:1f:24:
                    88:0a:6b:23:31:a0:37:f4:5a:64:f1:50:e3:64:4c:
                    6b:2a:43:12:ed:e9:da:30:d4:d9:9b:60:16:44:6e:
                    43:62:c6:f5:9e:c1:1a:27:45:4b:29:98:97:b4:c5:
                    33:a4:b5:0a:42:36:39:0c:84:d5:49:6e:8f:15:5b:
                    37:95:77:21:a2:bf:6f:f9:9b:1c:59:3a:b4:16:4c:
                    9f:56:25:4a:0c:56:4c:4f:1b:db:d3:f1:41:42:39:
                    9b:ae:99:60:36:05:4e:60:b9:b7:d8:f0:1f:3c:6c:
                    61:c8:13:59:93:3e:3c:3a:ea:b2:6d:2b:92:19:06:
                    53:8b:a3:87:e1:54:63:7d:05:d3:6f:cb:09:4c:c9:
                    9f:5c:3e:8d:6f:4b:79:99:cc:9e:7f:9a:02:4c:a6:
                    a3:76:64:7b:e8:99:49:9e:6f:50:b1:6b:d7:54:9c:
                    e3:00:56:99:1b:85:80:72:80:24:dc:0a:30:17:db:
                    a1:9a:d1:95:8e:08:24:8f:b7:d0:11:f5:42:fa:25:
                    3d:7b:57:aa:3b:c4:20:40:bc:bb:1f:33:da:b0:fa:
                    84:31:43:82:c1:cb:49:8a:19:e0:09:c5:6b:03:f8:
                    f2:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:*.icq.com, DNS:icq.com
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl
            X509v3 Subject Key Identifier:
                4E:63:CD:A0:78:E1:CE:BF:7F:1D:44:E8:E8:5B:C0:CE:A3:17:39:36
            X509v3 Basic Constraints: critical
                CA:FALSE
            Authority Information Access:
                CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
    Signature Algorithm: sha1WithRSAEncryption
         20:35:fa:f2:1d:e1:66:b3:a0:05:18:7b:38:9f:fb:89:84:f5:
         5a:e5:f1:61:c3:0c:11:3a:a4:c8:cb:4a:05:a5:ec:34:81:7a:
         5d:27:3b:a3:23:36:d4:6f:e1:66:54:d1:94:c6:22:dc:d6:f6:
         c8:7b:4c:6f:13:83:6e:71:87:eb:1a:4d:59:c8:32:76:71:c4:
         3f:72:13:4e:03:45:56:fa:8a:66:1f:80:99:5a:7c:6c:a2:4d:
         78:d4:05:60:ef:a4:9c:bd:02:dd:56:0e:34:fa:c7:df:3b:ab:
         0a:fe:e4:ae:28:ed:3f:a4:a1:b4:f9:d9:56:23:ba:54:a0:b1:
         0f:d8:30:52:8a:35:ec:11:d4:ed:4b:a0:21:1b:11:cb:04:60:
         75:5e:b3:06:ef:91:67:f1:26:c6:7c:ba:4c:6b:aa:20:46:d5:
         82:17:62:86:69:df:7d:30:61:3e:2e:1c:67:25:7f:8d:d8:c1:
         bc:a1:08:2b:40:f9:ce:7a:fb:7b:56:ac:85:79:03:78:17:58:
         17:6f:ba:19:97:b4:a5:bb:84:07:00:a2:11:8a:88:1d:8a:99:
         fa:3d:bd:0a:10:50:a2:4b:c3:48:36:95:74:53:36:e5:75:7b:
         6c:12:45:0f:e1:68:8f:fc:7b:18:a0:30:42:1d:06:d6:00:ce:
         41:01:b5:92
}}}

Now let's try to verify it:

$ openssl verify -CApath /etc/ssl/certs icq.pem
icq.pem: serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
error 20 at 0 depth lookup:unable to get local issuer certificate

Look at the chain the server sends in the s_client output above: certificate 0 is the leaf, issued by "GeoTrust SSL CA", and certificate 1 is the "GeoTrust Global CA" root itself, but the intermediate "GeoTrust SSL CA" that actually signed the leaf is not sent at all. OpenSSL can't bridge that gap from the local store either (error 20). So something is missing in the certificate chain. Let's follow it step by step.
$ openssl x509 -issuer -issuer_hash -noout -in icq.pem
issuer= /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
5e5a5bcb
$ find /etc/ssl/certs -name 5e5a5bcb.0
$

The certificate for "GeoTrust SSL CA" is missing. It can be obtained from the GeoTrust site, knowledge.geotrust.com/id=SO15169 or knowledge.geotrust.com/id=AR1423. The missing certificate is the one named "GT_SecondaryIntermediate_TrueBusinessID_EnterpriseSSL":

$ openssl x509 -subject -subject_hash -noout -in GT_SecondaryIntermediate_TrueBusinessID_EnterpriseSSL.pem
subject= /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
5e5a5bcb

The subject hash matches the issuer hash we were looking for, so now I can install it into /etc/ssl/certs. OpenSSL looks an issuer up by the hash of its subject, so the file must be referenced (either renamed or by a symlink) by that subject hash with a '.0' suffix in order for OpenSSL to find it, and the certificate must be readable by 'other', so that the user 'stunnel4' can read it. (The Debian way to get the same result is to drop the .crt into /usr/local/share/ca-certificates and run update-ca-certificates, which creates the link and the hash for you; doing it by hand is shown here because it makes clear what the lookup depends on.)

$ ls -l /etc/ssl/certs/5e5a5bcb.0
lrwxrwxrwx 1 root root 19 Nov 15 20:28 /etc/ssl/certs/5e5a5bcb.0 -> GeoTrust_SSL_CA.pem
$ ls -l /etc/ssl/certs/GeoTrust_SSL_CA.pem
-rw-r--r-- 1 root root 1416 Nov 15 20:27 /etc/ssl/certs/GeoTrust_SSL_CA.pem

Let's check the certificate chain further:

$ openssl x509 -issuer -issuer_hash -noout -in /etc/ssl/certs/GeoTrust_SSL_CA.pem
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2c543cd1
$ ls -l /etc/ssl/certs/2c543cd1.0
lrwxrwxrwx 1 root root 22 Nov 15 19:50 /etc/ssl/certs/2c543cd1.0 -> GeoTrust_Global_CA.pem
$ ls -l /etc/ssl/certs/GeoTrust_Global_CA.pem
lrwxrwxrwx 1 root root 57 Oct 5 16:56 /etc/ssl/certs/GeoTrust_Global_CA.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
$ openssl x509 -subject -issuer -issuer_hash -noout -in /etc/ssl/certs/GeoTrust_Global_CA.pem
subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2c543cd1

So all the other certificates are present. The last certificate (GeoTrust_Global_CA.pem) is the self-signed root CA certificate: its subject and issuer are the same. Note also that its link points outside /etc/ssl/certs, into /usr/share/ca-certificates; that matters for the chroot later. A downloaded intermediate should not simply be trusted on its file name, but the 'openssl verify' of icq.pem below checks its signature against this root, so a tampered file would be caught there.
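Following the issuer chain by hash, as done by hand above, can be scripted. The following is an added example and is not part of the original post: it assumes only that openssl is on PATH, installs a CA into a CApath under its subject hash the same way the symlink above does, and walks from a leaf certificate to the self-signed root, reporting the first issuer that is not found (the 'error 20' case). The function names hash_link, dn and walk_chain are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Requires only `openssl` on PATH.

# hash_link CERT CAPATH
# Install CERT into CAPATH under its subject hash with the next free ".N"
# suffix, which is what c_rehash does and what the manual symlink above did.
# Prints the path that was created.
hash_link() {
    cert=$1; capath=$2
    h=$(openssl x509 -subject_hash -noout -in "$cert")
    n=0
    while [ -e "$capath/$h.$n" ]; do n=$((n + 1)); done
    cp "$cert" "$capath/$h.$n"     # in /etc/ssl/certs a symlink is the usual choice
    echo "$capath/$h.$n"
}

# dn subject|issuer CERT
# Print the subject or issuer DN of CERT without the "subject=" / "issuer="
# prefix (and the space some OpenSSL versions put after it), so that the
# two can be compared as plain strings.
dn() {
    openssl x509 "-$1" -noout -in "$2" | sed 's/^[a-z]*= *//'
}

# walk_chain LEAF CAPATH
# Starting at LEAF, look up each issuer in CAPATH by issuer hash (exactly
# what `openssl verify -CApath` does) and print one line per hop.
# Returns 0 when a self-signed root is reached, 1 when an issuer is missing.
walk_chain() {
    cert=$1; capath=$2; depth=0
    while :; do
        subj=$(dn subject "$cert")
        iss=$(dn issuer "$cert")
        echo "depth=$depth $subj"
        if [ "$subj" = "$iss" ]; then
            echo "root reached: self-signed $subj"
            return 0
        fi
        h=$(openssl x509 -issuer_hash -noout -in "$cert")
        next=""
        for f in "$capath/$h".*; do
            [ -e "$f" ] || continue
            # several subjects can share a hash (hence the .0, .1 suffixes),
            # so confirm that the candidate's subject really is our issuer
            if [ "$(dn subject "$f")" = "$iss" ]; then
                next=$f
                break
            fi
        done
        if [ -z "$next" ]; then
            echo "MISSING issuer (hash $h): $iss"
            return 1
        fi
        cert=$next
        depth=$((depth + 1))
    done
}
```

Run it as 'walk_chain icq.pem /etc/ssl/certs': before the intermediate is installed it stops at depth 0 with the "GeoTrust SSL CA" subject and hash 5e5a5bcb reported as missing, afterwards it prints three hops and the root. Because it uses the same hash-then-subject lookup as OpenSSL, its verdict matches 'openssl verify' for the chain-building part; it does not check signatures or validity dates, which is what 'openssl verify' adds.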
I can confirm that it is a CA by looking for CA:TRUE in the text dump:

$ openssl x509 -text -noout -in /etc/ssl/certs/GeoTrust_Global_CA.pem
{{{
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 144470 (0x23456)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Validity
            Not Before: May 21 04:00:00 2002 GMT
            Not After : May 21 04:00:00 2022 GMT
        Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df:
                    3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8:
                    43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29:
                    bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4:
                    60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3:
                    ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92:
                    2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d:
                    80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14:
                    15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd:
                    d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6:
                    d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5:
                    5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39:
                    19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05:
                    9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2:
                    fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32:
                    eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07:
                    36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b:
                    e4:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
            X509v3 Authority Key Identifier:
                keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
    Signature Algorithm: sha1WithRSAEncryption
         35:e3:29:6a:e5:2f:5d:54:8e:29:50:94:9f:99:1a:14:e4:8f:
         78:2a:62:94:a2:27:67:9e:d0:cf:1a:5e:47:e9:c1:b2:a4:cf:
         dd:41:1a:05:4e:9b:4b:ee:4a:6f:55:52:b3:24:a1:37:0a:eb:
         64:76:2a:2e:2c:f3:fd:3b:75:90:bf:fa:71:d8:c7:3d:37:d2:
         b5:05:95:62:b9:a6:de:89:3d:36:7b:38:77:48:97:ac:a6:20:
         8f:2e:a6:c9:0c:c2:b2:99:45:00:c7:ce:11:51:22:22:e0:a5:
         ea:b6:15:48:09:64:ea:5e:4f:74:f7:05:3e:c7:8a:52:0c:db:
         15:b4:bd:6d:9b:e5:c6:b1:54:68:a9:e3:69:90:b6:9a:a5:0f:
         b8:b9:3f:20:7d:ae:4a:b5:b8:9c:e4:1d:b6:ab:e6:94:a5:c1:
         c7:83:ad:db:f5:27:87:0e:04:6c:d5:ff:dd:a0:5d:ed:87:52:
         b7:2b:15:02:ae:39:a6:6a:74:e9:da:c4:e7:bc:4d:34:1e:a9:
         5c:4d:33:5f:92:09:2f:88:66:5d:77:97:c7:1d:76:13:a9:d5:
         e5:f1:16:09:11:35:d5:ac:db:24:71:70:2c:98:56:0b:d9:17:
         b4:d1:e3:51:2b:5e:75:e8:d5:d0:dc:4f:34:ed:c2:05:66:80:
         a1:cb:e6:33
}}}

So now I can retry verifying icq.pem:

$ openssl verify -CApath /etc/ssl/certs icq.pem
icq.pem: OK

and retry the connection with s_client:

$ openssl s_client -no_ssl2 -CApath /etc/ssl/certs -connect slogin.icq.com:443
{{{
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA
verify return:1
depth=0 serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEajCCA1KgAwIBAgIDAWv4MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEYMBYGA1UEAxMPR2VvVHJ1c3QgU1NM
IENBMB4XDTEyMDUxNjExMDA1OFoXDTE3MDgxNjIyMDkxMFowgYYxKTAnBgNVBAUT
IGhvMFBqNkpVREpSZ0F0M1QvTnBqOS1kWkxDSkdyaDlvMQswCQYDVQQGEwJVUzER
MA8GA1UECBMIRGVsYXdhcmUxEzARBgNVBAcTCldpbG1pbmd0b24xEDAOBgNVBAoT
B0lDUSBMTEMxEjAQBgNVBAMMCSouaWNxLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAL5lEXr9btmHGAYAKCbopSM1dPJwAZV5uvbxSx8kiAprIzGg
N/RaZPFQ42RMaypDEu3p2jDU2ZtgFkRuQ2LG9Z7BGidFSymYl7TFM6S1CkI2OQyE
1UlujxVbN5V3IaK/b/mbHFk6tBZMn1YlSgxWTE8b29PxQUI5m66ZYDYFTmC5t9jw
HzxsYcgTWZM+PDrqsm0rkhkGU4ujh+FUY30F02/LCUzJn1w+jW9LeZnMnn+aAkym
o3Zke+iZSZ5vULFr11Sc4wBWmRuFgHKAJNwKMBfboZrRlY4IJI+30BH1QvolPXtX
qjvEIEC8ux8z2rD6hDFDgsHLSYoZ4AnFawP48mUCAwEAAaOCASQwggEgMB8GA1Ud
IwQYMBaAFEJ5VBthzVUrPmPVPEhX9Z/7Rc5KMA4GA1UdDwEB/wQEAwIEsDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0RBBYwFIIJKi5pY3EuY29t
ggdpY3EuY29tMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9ndHNzbC1jcmwuZ2Vv
dHJ1c3QuY29tL2NybHMvZ3Rzc2wuY3JsMB0GA1UdDgQWBBROY82geOHOv38dROjo
W8DOoxc5NjAMBgNVHRMBAf8EAjAAMEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcw
AoYnaHR0cDovL2d0c3NsLWFpYS5nZW90cnVzdC5jb20vZ3Rzc2wuY3J0MA0GCSqG
SIb3DQEBBQUAA4IBAQAgNfryHeFms6AFGHs4n/uJhPVa5fFhwwwROqTIy0oFpew0
gXpdJzujIzbUb+FmVNGUxiLc1vbIe0xvE4NucYfrGk1ZyDJ2ccQ/chNOA0VW+opm
H4CZWnxsok141AVg76ScvQLdVg40+sffO6sK/uSuKO0/pKG0+dlWI7pUoLEP2DBS
ijXsEdTtS6AhGxHLBGB1XrMG75Fn8SbGfLpMa6ogRtWCF2KGad99MGE+LhxnJX+N
2MG8oQgrQPnOevt7VqyFeQN4F1gXb7oZl7Slu4QHAKIRiogdipn6Pb0KEFCiS8NI
NpV0UzbldXtsEkUP4WiP/HsYoDBCHQbWAM5BAbWS
-----END CERTIFICATE-----
subject=/serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2350 bytes and written 646 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: D83D7835F45FEC6BFFDA7FEA5584BE344771457F27447318AE448FD030D838F4
    Session-ID-ctx:
    Master-Key: 2AB4312122BB75F8507F060A438546C7679E257472B6CB3C362A9A3D2E113569D0A8D362A1F3797A22104E12B8F1B820
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 90 7c 82 27 8a 55 1e c6-e0 e6 f8 02 92 02 87 87   .|.'.U..........
    0010 - ff 94 d2 2f 96 76 05 bf-bf 40 31 27 9a 9e e1 f2   .../.v...@1'....
    0020 - 5f 58 83 c3 e5 f8 20 e5-23 ac 44 fd 6f dd b7 47   _X.... .#.D.o..G
    0030 - 0c b5 24 2e ff 2f 7c 7d-7b d7 fd 96 71 3a 9c b0   ..$../|}{...q:..
    0040 - df da 83 0d 9d f8 57 8b-a1 db 92 79 5a c3 ff ab   ......W....yZ...
    0050 - d8 47 4a 98 25 a7 e6 a8-02 aa fd c5 2f 63 6a 12   .GJ.%......./cj.
    0060 - aa 6e 18 b5 a5 f4 6d 8b-8e 7f ec 05 31 af 1d b4   .n....m.....1...
    0070 - 6e bb 1b 26 12 b1 75 f4-32 3c 8d 58 85 20 74 3e   n..&..u.2<.X. t>
    0080 - ed b0 c4 1d 66 62 5b 78-07 58 e5 f2 20 7d 2c d6   ....fb[x.X.. },.
    0090 - 6c 52 4a f0 f4 8a fb 5e-45 68 76 4a f6 24 ec 50   lRJ....^EhvJ.$.P

    Start Time: 1353064478
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
}}}

Since everything is OK now, it's time to fix stunnel's config. Actually, only a few things are needed:

- set CApath correctly;
- set 'verify = 2';
- ensure that CApath and _all_ paths referenced by symlinks from it are accessible under stunnel's chroot.

One caveat about what 'verify = 2' buys: it checks that the server's certificate chains to some CA in CApath, nothing more. stunnel 4.x (the version in wheezy) has no option to check that the certificate's name matches slogin.icq.com, so a valid certificate for any other host, issued by any of the CAs in /etc/ssl/certs, would be accepted just the same. To narrow that, either point CApath at a directory that contains only the two GeoTrust certificates found above, or use 'verify = 3', which additionally requires the server certificate itself (icq.pem) to be installed in CApath, the closest stunnel 4 gets to pinning.

Here is the config:

$ cat /etc/stunnel/oscaricq.conf
{{{
; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
chroot = /var/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
setuid = stunnel4
setgid = stunnel4

; PID is created inside the chroot jail
pid = /var/run/stunnel4-oscaricq.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; Debugging stuff (may be useful for troubleshooting)
debug = 7
output = /var/log/stunnel-oscaricq.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = /etc/ssl/certs
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
CRLpath = /etc/ssl/crls

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; SSL client mode services

[oscaricq]
client = yes
accept = 127.0.0.1:5190
connect = slogin.icq.com:443
delay = yes

; vim:ft=dosini
}}}

Two settings carried over from the stunnel sample config deserve a second look. 'compression = zlib' turns on TLS compression, which the CRIME attack exploits to recover secrets from encrypted traffic, so it is better dropped. 'debug = 7' writes a verbose record of every connection; it is what makes the log check below possible, but it is not something to leave on permanently.

And here are the bind mounts for stunnel:

$ grep /etc/fstab -estunnel4
/etc/ssl/certs             /var/lib/stunnel4/etc/ssl/certs             none bind 0 0
/etc/ssl/crls              /var/lib/stunnel4/etc/ssl/crls              none bind 0 0
/usr/share/ca-certificates /var/lib/stunnel4/usr/share/ca-certificates none bind 0 0
/var/log/stunnel4          /var/lib/stunnel4/var/log                   none bind 0 0
/var/run/stunnel4          /var/lib/stunnel4/var/run                   none bind 0 0

Only two of them are required for certificate verification: the bind of '/etc/ssl/certs' and the bind of '/usr/share/ca-certificates'. The second one is needed because the CA links in /etc/ssl/certs are absolute symlinks into /usr/share/ca-certificates, and stunnel resolves them after it has entered the chroot, so without that bind the root certificate would be a dangling link as far as stunnel is concerned.
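The third bullet above, checking that everything CApath points at is visible inside the jail, is easy to get wrong precisely because the CA symlinks in /etc/ssl/certs are absolute and resolve relative to the chroot once stunnel has entered it. The following is an added example, my own and not from the original post: it resolves every hash link in a CApath the way a chrooted process would, re-rooting absolute symlink targets under the jail, and reports targets that are missing there or not readable by 'other'. The jail and CApath arguments match the config above (/var/lib/stunnel4 and /etc/ssl/certs); the function names resolve_in_jail and check_capath_chroot are mine.

```shell
#!/bin/sh
# Added example (not from the original post): check that a CApath is usable
# from inside stunnel's chroot jail.

# resolve_in_jail JAIL PATH
# Follow symlinks starting at PATH as a process chrooted to JAIL would:
# a relative target is taken relative to the link's directory, an absolute
# one is re-rooted under JAIL. Prints the final path (in the host namespace).
resolve_in_jail() {
    jail=$1; p=$2; hops=0
    while [ -L "$p" ] && [ "$hops" -lt 16 ]; do
        t=$(readlink "$p")
        case $t in
            /*) p="$jail$t" ;;
            *)  p="$(dirname "$p")/$t" ;;
        esac
        hops=$((hops + 1))
    done
    echo "$p"
}

# check_capath_chroot JAIL CAPATH
# CAPATH is the path as written in stunnel.conf, i.e. as seen after chroot.
# For every hash link (<hash>.<n>) report targets that do not exist inside
# the jail or are not readable by "other" (stunnel drops to an unprivileged
# user). Returns 0 when everything is usable, 1 otherwise.
check_capath_chroot() {
    jail=$1; capath=$2; bad=0
    for link in "$jail$capath"/*.[0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        target=$(resolve_in_jail "$jail" "$link")
        if [ ! -e "$target" ]; then
            echo "MISSING in jail: $link -> $target"
            bad=$((bad + 1))
        # character 8 of the ls -l mode string is the "other" read bit
        elif [ "$(ls -ld "$target" | cut -c8)" != "r" ]; then
            echo "NOT WORLD-READABLE: $link -> $target"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}
```

With the config above the call is 'check_capath_chroot /var/lib/stunnel4 /etc/ssl/certs'. Run it before the /usr/share/ca-certificates bind is in place and it reports the GeoTrust_Global_CA link as missing in the jail; once both binds from the fstab are mounted it returns 0. It checks only the leaf files, so the directories on the way must also be traversable by the stunnel4 user.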
Then, if everything is done right, after starting stunnel and connecting to ICQ (for the Pidgin config see This icq..) the log should contain something like:

# tail -f /var/log/stunnel4/stunnel-oscaricq.log
{{{
2012.11.16 15:38:00 LOG7[9931:3073583936]: Service [oscaricq] accepted (FD=3) from 127.0.0.1:33082
2012.11.16 15:38:00 LOG7[9931:3077692272]: Service [oscaricq] started
2012.11.16 15:38:00 LOG7[9931:3077692272]: Waiting for a libwrap process
2012.11.16 15:38:00 LOG7[9931:3077692272]: Acquired libwrap process #0
2012.11.16 15:38:00 LOG7[9931:3077692272]: Releasing libwrap process #0
2012.11.16 15:38:00 LOG7[9931:3077692272]: Released libwrap process #0
2012.11.16 15:38:00 LOG7[9931:3077692272]: Service [oscaricq] permitted by libwrap from 127.0.0.1:33082
2012.11.16 15:38:00 LOG5[9931:3077692272]: Service [oscaricq] accepted connection from 127.0.0.1:33082
2012.11.16 15:38:01 LOG6[9931:3077692272]: connect_blocking: connecting 64.12.201.159:443
2012.11.16 15:38:01 LOG7[9931:3077692272]: connect_blocking: s_poll_wait 64.12.201.159:443: waiting 10 seconds
2012.11.16 15:38:01 LOG5[9931:3077692272]: connect_blocking: connected 64.12.201.159:443
2012.11.16 15:38:01 LOG5[9931:3077692272]: Service [oscaricq] connected remote server from 192.168.2.13:56501
2012.11.16 15:38:01 LOG7[9931:3077692272]: Remote socket (FD=14) initialized
2012.11.16 15:38:01 LOG7[9931:3077692272]: SNI: host name: slogin.icq.com
2012.11.16 15:38:02 LOG7[9931:3077692272]: Starting certificate verification: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2012.11.16 15:38:02 LOG5[9931:3077692272]: Certificate accepted: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2012.11.16 15:38:02 LOG7[9931:3077692272]: Starting certificate verification: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.16 15:38:02 LOG5[9931:3077692272]: Certificate accepted: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.16 15:38:02 LOG7[9931:3077692272]: Starting certificate verification: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
2012.11.16 15:38:02 LOG5[9931:3077692272]: Certificate accepted: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
2012.11.16 15:38:02 LOG6[9931:3077692272]: SSL connected: new session negotiated
2012.11.16 15:38:02 LOG6[9931:3077692272]: Negotiated TLSv1/SSLv3 ciphersuite: RC4-SHA (128-bit encryption)
2012.11.16 15:38:02 LOG6[9931:3077692272]: Compression: null, expansion: null
2012.11.16 15:38:02 LOG7[9931:3077692272]: Socket closed on read
2012.11.16 15:38:02 LOG7[9931:3077692272]: Sending close_notify alert
2012.11.16 15:38:02 LOG6[9931:3077692272]: SSL_shutdown successfully sent close_notify alert
2012.11.16 15:38:02 LOG7[9931:3077692272]: SSL closed on SSL_read
2012.11.16 15:38:02 LOG7[9931:3077692272]: Sent socket write shutdown
2012.11.16 15:38:02 LOG5[9931:3077692272]: Connection closed: 172 byte(s) sent to SSL, 353 byte(s) sent to socket
2012.11.16 15:38:02 LOG7[9931:3077692272]: Remote socket (FD=14) closed
2012.11.16 15:38:02 LOG7[9931:3077692272]: Local socket (FD=3) closed
2012.11.16 15:38:02 LOG7[9931:3077692272]: Service [oscaricq] finished (0 left)
}}}

The three "Certificate accepted" lines, at depth 2, 1 and 0, are the proof that verification is actually happening: with 'verify' unset stunnel connects without logging any certificate verification at all, and with a broken chain (for example, the intermediate not visible inside the chroot) it logs a verification error and drops the connection instead of proceeding to "SSL connected".

That's all, I think.
DISCLAIMER. English is used here only for compatibility (ASCII only), so any suggestions about my bad grammar (and not only that) will be greatly appreciated.
Friday, 16 November 2012
icq through stunnel: enable certificate verification.