I really like Evolution both for email and its calendaring features. The problem is that one of my email accounts requires an SSL client certificate to be able to connect. Thunderbird supports this out of the box, but Evolution does not. Instead of patching Evolution itself, it would be much easier to just proxy the requests. Here is where stunnel comes in.
Using stunnel, it is possible to set up an SSL connection and have Evolution run an unencrypted channel through it. Since this will open a tunnel directly to the mail server, it is very important to only bind stunnel to localhost. Otherwise, anyone who can reach the listening port will be able to use your tunnel, and with it your client certificate, to connect to your server!
So in my scenario I want to use a client certificate for SSL. The following command does everything I need:
stunnel -d localhost:9930 -r mail.xx.yy:993 -c -p ~/mail.pem
It sets up a listening socket on localhost port 9930, forwards each connection to mail.xx.yy port 993 over SSL, and presents mail.pem as the client certificate. Evolution can now be set up with localhost:9930 as the email server and SSL encryption disabled, since stunnel adds the encryption.
If you want this for SMTP, which usually uses explicit SSL (the session starts in plaintext and is upgraded with STARTTLS), stunnel has support for that too. Just extend the previous command to this:
stunnel -d localhost:20025 -r smtp.xx.yy:25 -c -p ~/mail.pem -n smtp
Using -n smtp tells stunnel to negotiate STARTTLS with the server itself, so the TLS session is already established before Evolution is allowed to proceed with its connection.
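As an added example (not part of the original post), here is the same setup in stunnel 4's configuration-file form, which is what newer stunnel releases expect instead of the 3.x command-line options above, together with a small check that every listener is bound to loopback, the point the post warns about. It also turns on server-certificate verification, which stunnel's client mode leaves off by default, so without it the tunnel would happily hand your client certificate to any server answering on that address. The CA bundle path $HOME/mail-ca.pem, the service names, and the use of stunnel 4 config keys are assumptions; mail.xx.yy, smtp.xx.yy and mail.pem are the post's own placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands: stunnel 4 config-file equivalent of
# the two 3.x command lines in the post, plus a loopback-binding check.

# Write a client-mode stunnel.conf into the file named by $1.
write_stunnel_conf() {
    cat > "$1" <<EOF
; client mode: stunnel connects out to the mail server over TLS
client = yes
foreground = yes

; assumed CA bundle that signed the mail server's certificate (path is a placeholder);
; verify = 2 rejects servers whose certificate does not chain to it
CAfile = $HOME/mail-ca.pem
verify = 2

; equivalent of: stunnel -d localhost:9930 -r mail.xx.yy:993 -c -p ~/mail.pem
[imaps]
accept = 127.0.0.1:9930
connect = mail.xx.yy:993
cert = $HOME/mail.pem

; equivalent of: stunnel -d localhost:20025 -r smtp.xx.yy:25 -c -p ~/mail.pem -n smtp
[smtp-starttls]
accept = 127.0.0.1:20025
connect = smtp.xx.yy:25
cert = $HOME/mail.pem
protocol = smtp
EOF
}

# Succeed only if a bind spec ("host:port", as given to -d or accept =) names a
# loopback address. A bare port or 0.0.0.0 would expose the tunnel to the network.
is_loopback_bind() {
    printf '%s\n' "$1" | grep -Eq '^(127\.0\.0\.1|localhost|\[?::1\]?):[0-9]+$'
}

# Succeed only if every "accept =" line in the config file $1 is bound to loopback.
check_localhost_only() {
    grep -i '^[[:space:]]*accept[[:space:]]*=' "$1" \
    | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
    | while IFS= read -r spec; do
        if ! is_loopback_bind "$spec"; then
            printf 'accept = %s is not bound to loopback\n' "$spec" >&2
            exit 1
        fi
    done
}

# Usage: write the config, refuse to start if any listener is exposed, then run stunnel.
# write_stunnel_conf "$HOME/.stunnel-mail.conf" \
#   && check_localhost_only "$HOME/.stunnel-mail.conf" \
#   && stunnel "$HOME/.stunnel-mail.conf"
```

The check is deliberately strict about the bind spec: stunnel treats an accept line without a host (accept = 9930) as "all interfaces", which is exactly the misconfiguration the post warns against, so the checker rejects it rather than guessing.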
Hi johnny,
It is a good idea to use stunnel for tunneling purposes. I am also using it to convert https requests to http, as haproxy is doing good load balancing only for http requests.
Problem: In stunnel I have enabled
sslVersion = all
so that it can support all available ssl versions, but it's using only SSLv2 and SSLv2+upgrade, which is already obsolete. I have also tried it separately with
sslVersion = SSLv3 and TLSv1 too, but nothing is working here.
I am getting an error in log file saying:
SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
some stunnel logs are:
str_stats: 0 blocks, 0 bytes
2012.02.27 01:32:12 LOG7[15369:140023531472624]: local socket: FD=0 allocated (non-blocking mode)
2012.02.27 01:32:12 LOG7[15369:140023531472624]: Service https accepted FD=0 from 173.203.79.216:46154
2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https started
2012.02.27 01:32:12 LOG5[15369:140023531469072]: Service https accepted connection from 173.203.79.216:46154
2012.02.27 01:32:12 LOG7[15369:140023531469072]: SSL state (accept): before/accept initialization
2012.02.27 01:32:12 LOG3[15369:140023531469072]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2012.02.27 01:32:12 LOG5[15369:140023531469072]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.02.27 01:32:12 LOG5[15369:140023531469072]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https finished (0 left)
2012.02.27 01:32:12 LOG7[15369:140023531469072]: str_stats: 0 blocks, 0 bytes
2012.02.27 01:32:12 LOG7[15369:140023531472624]: local socket: FD=0 allocated (non-blocking mode)
2012.02.27 01:32:12 LOG7[15369:140023531472624]: Service https accepted FD=0 from 173.203.79.216:46155
2012.02.27 01:32:12 LOG7[15369:140023531472624]: Service https accepted FD=0 from 173.203.79.216:46155
2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https started
2012.02.27 01:32:12 LOG5[15369:140023531469072]: Service https accepted connection from 173.203.79.216:46155
2012.02.27 01:32:12 LOG7[15369:140023531469072]: SSL state (accept): before/accept initialization
2012.02.27 01:32:12 LOG3[15369:140023531469072]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2012.02.27 01:32:12 LOG5[15369:140023531469072]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https finished (0 left)
Will be thankful to you for your help.
Deepak