Add proper SSL/TLS support for all applications using stunnel

I really like Evolution both for email and its calendaring features. The problem is that one of my email accounts requires an SSL client certificate to be able to connect. Thunderbird supports this out of the box, but Evolution does not. Instead of patching Evolution itself, it would be much easier to just proxy the requests. Here is where stunnel comes in.

Using stunnel, it is possible to set up an SSL connection and have Evolution run an unencrypted channel through it. Since this opens a tunnel directly to the mail server, it is very important to bind stunnel to localhost only. Otherwise, anyone who can reach the listening port will be able to use your tunnel to connect to your server!

So in my scenario I want to use a client certificate in SSL. The following command does everything I need:

stunnel -d localhost:9930 -r mail.xx.yy:993 -c -p ~/mail.pem

It sets up a listening socket on port 9930, connects it to mail.xx.yy port 993 and uses mail.pem as the client certificate. Evolution can now be set up with localhost:9930 as the mail server and SSL encryption turned off, since stunnel adds the encryption.

If you want this for SMTP, which usually uses explicit SSL (the session starts in plain text and you switch to encryption with STARTTLS), stunnel supports that too. Just extend the previous command to this:

stunnel -d localhost:20025 -r smtp.xx.yy:25 -c -p ~/mail.pem -n smtp

Using -n smtp tells stunnel to perform the STARTTLS negotiation and establish the TLS connection to the server itself, before it lets Evolution proceed with its connection.
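The two command lines above use stunnel 3 syntax; stunnel 4 and later read a configuration file instead. The following is an added example (not code from the original post or from the stunnel project) that writes the equivalent configuration for both the IMAP and the SMTP tunnel and checks the point made earlier about binding: every `accept` line must name a loopback address. It assumes the post's placeholder hosts mail.xx.yy and smtp.xx.yy, the certificate at ~/mail.pem, and a CA bundle at /etc/ssl/certs/ca-certificates.crt for verifying the server; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from stunnel.
# Emits a stunnel 4.x-style configuration equivalent to the post's two
# stunnel 3 command lines, then verifies that every listener is loopback-only.
# Assumed: hosts mail.xx.yy / smtp.xx.yy and ~/mail.pem from the post, and a
# CA bundle at /etc/ssl/certs/ca-certificates.crt (assumed path).

# Emit one [service] section.
# $1 name, $2 local port, $3 remote host:port, $4 client cert, $5 optional protocol
stunnel_service() {
    name=$1; lport=$2; remote=$3; cert=$4; proto=${5:-}
    printf '[%s]\n' "$name"
    printf 'client = yes\n'
    printf 'accept = 127.0.0.1:%s\n' "$lport"   # loopback only; a bare port would bind all interfaces
    printf 'connect = %s\n' "$remote"
    printf 'cert = %s\n' "$cert"                # client certificate presented to the server
    printf 'verify = 2\n'                       # require and verify the server certificate...
    printf 'CAfile = /etc/ssl/certs/ca-certificates.crt\n'   # ...against this bundle (assumed path)
    if [ -n "$proto" ]; then
        printf 'protocol = %s\n' "$proto"       # e.g. smtp: stunnel does EHLO/STARTTLS before TLS
    fi
    printf '\n'
}

# Full configuration equivalent to the two command lines in the post.
stunnel_config() {
    printf 'foreground = yes\n'
    printf 'debug = 5\n\n'
    stunnel_service imaps 9930 mail.xx.yy:993 "$HOME/mail.pem"
    stunnel_service smtp 20025 smtp.xx.yy:25 "$HOME/mail.pem" smtp
}

# Read a config on stdin; succeed only if every accept line binds a loopback address.
check_loopback_binds() {
    awk -F= '
        /^[[:space:]]*accept[[:space:]]*=/ {
            addr = $2
            gsub(/[[:space:]]/, "", addr)
            sub(/:[0-9]+$/, "", addr)      # drop the port; "accept = 9930" leaves "9930" -> rejected
            if (addr !~ /^127\./ && addr != "localhost" && addr != "[::1]") bad++
        }
        END { exit (bad > 0) }
    '
}

# Usage: stunnel_config > ~/.stunnel/evolution.conf && stunnel ~/.stunnel/evolution.conf
# Check an existing file: check_loopback_binds < ~/.stunnel/evolution.conf
```

Note that stunnel in client mode does not verify the server's certificate unless told to; the `verify` and `CAfile` lines are what stop the tunnel from happily handing your client certificate to whichever host answers at the remote address.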

One thought on “Add proper SSL/TLS support for all applications using stunnel”

  1. Hi johnny,

    This is a good idea, using stunnel for tunneling purposes. I am also using it to convert HTTPS requests to HTTP, as haproxy is doing good load balancing only for HTTP requests.

    Problem: In stunnel I have enabled

    sslVersion = all

    so that it can support all available SSL versions, but it's using only SSLv2 and SSLv2+upgrade, which is already obsolete. I have also tried it separately with

    sslVersion = SSLv3 and TLSv1 too, but nothing is working here.

    I am getting an error in log file saying:

    SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

    some stunnel logs are:

    str_stats: 0 blocks, 0 bytes
    2012.02.27 01:32:12 LOG7[15369:140023531472624]: local socket: FD=0 allocated (non-blocking mode)
    2012.02.27 01:32:12 LOG7[15369:140023531472624]: Service https accepted FD=0 from 173.203.79.216:46154
    2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https started
    2012.02.27 01:32:12 LOG5[15369:140023531469072]: Service https accepted connection from 173.203.79.216:46154
    2012.02.27 01:32:12 LOG7[15369:140023531469072]: SSL state (accept): before/accept initialization
    2012.02.27 01:32:12 LOG3[15369:140023531469072]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2012.02.27 01:32:12 LOG5[15369:140023531469072]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2012.02.27 01:32:12 LOG5[15369:140023531469072]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https finished (0 left)
    2012.02.27 01:32:12 LOG7[15369:140023531469072]: str_stats: 0 blocks, 0 bytes
    2012.02.27 01:32:12 LOG7[15369:140023531472624]: local socket: FD=0 allocated (non-blocking mode)
    2012.02.27 01:32:12 LOG7[15369:140023531472624]: Service https accepted FD=0 from 173.203.79.216:46155
    2012.02.27 01:32:12 LOG7[15369:140023531472624]: Service https accepted FD=0 from 173.203.79.216:46155
    2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https started
    2012.02.27 01:32:12 LOG5[15369:140023531469072]: Service https accepted connection from 173.203.79.216:46155
    2012.02.27 01:32:12 LOG7[15369:140023531469072]: SSL state (accept): before/accept initialization
    2012.02.27 01:32:12 LOG3[15369:140023531469072]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2012.02.27 01:32:12 LOG5[15369:140023531469072]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https finished (0 left)

    I will be thankful to you for your help.

    Deepak
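The log excerpt in the comment above is the kind of thing worth triaging systematically. The following is an added example (not code from the post, the commenter or stunnel) that counts SSL_accept failures per peer address and OpenSSL reason, using the posted lines as constructed sample input; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from stunnel. It triages a
# stunnel log by counting SSL_accept failures per peer address and OpenSSL
# reason. The sample input is the excerpt quoted in the comment above.

# Constructed sample input: the log lines quoted in the comment, minus indentation.
sample_log() {
cat <<'EOF'
2012.02.27 01:32:12 LOG7[15369:140023531472624]: local socket: FD=0 allocated (non-blocking mode)
2012.02.27 01:32:12 LOG7[15369:140023531472624]: Service https accepted FD=0 from 173.203.79.216:46154
2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https started
2012.02.27 01:32:12 LOG5[15369:140023531469072]: Service https accepted connection from 173.203.79.216:46154
2012.02.27 01:32:12 LOG7[15369:140023531469072]: SSL state (accept): before/accept initialization
2012.02.27 01:32:12 LOG3[15369:140023531469072]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2012.02.27 01:32:12 LOG5[15369:140023531469072]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https finished (0 left)
2012.02.27 01:32:12 LOG7[15369:140023531472624]: local socket: FD=0 allocated (non-blocking mode)
2012.02.27 01:32:12 LOG7[15369:140023531472624]: Service https accepted FD=0 from 173.203.79.216:46155
2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https started
2012.02.27 01:32:12 LOG5[15369:140023531469072]: Service https accepted connection from 173.203.79.216:46155
2012.02.27 01:32:12 LOG7[15369:140023531469072]: SSL state (accept): before/accept initialization
2012.02.27 01:32:12 LOG3[15369:140023531469072]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2012.02.27 01:32:12 LOG5[15369:140023531469072]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.02.27 01:32:12 LOG7[15369:140023531469072]: Service https finished (0 left)
EOF
}

# Read stunnel log lines on stdin; print "<count> <peer> <OpenSSL reason>" per
# distinct peer/reason pair. The LOG5 "accepted connection from" line and the
# LOG3 SSL_accept failure share a [pid:thread] tag, which is how they are joined.
summarize_handshake_failures() {
    awk '
        function tag(f) { sub(/^LOG[0-9]\[/, "", f); sub(/\]:$/, "", f); return f }
        /accepted connection from/ {
            peer = $NF; sub(/:[0-9]+$/, "", peer)      # strip the ephemeral source port
            last[tag($3)] = peer
        }
        /LOG3\[[^]]*\]: SSL_accept:/ {
            reason = $0; sub(/.*SSL routines:/, "", reason)
            n[last[tag($3)] " " reason]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Usage: summarize_handshake_failures < /var/log/stunnel.log
# or, on the embedded sample: sample_log | summarize_handshake_failures
```

OpenSSL raises SSL23_GET_CLIENT_HELLO:unknown protocol when the first bytes it reads on the accepting socket do not form a recognisable SSL/TLS ClientHello, so grouping failures by peer makes it easy to tell a single upstream that sends something other than TLS to the TLS port apart from a spread of genuine protocol-version mismatches across many clients.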
