Greetings,

This is the whole setup I made to use SSL with Qpopper
(it works well, but without SSL):

1) Install OpenSSL under Solaris
(http://www.openssl.org/):
./config
make
make test
make install

2) Install the entropy socket daemon egd, because
Solaris doesn't have a /dev/random:
(http://www.lothar.com/tech/crypto/,
http://egd.sourceforge.net/,
http://prdownloads.sourceforge.net/egd/egd-0.8.README)

perl Makefile.PL
make
make test
make install

And add the following script to your /etc/init.d
directory:

#! /bin/sh
#
# start/stop the egd (Entropy Gathering) Daemon
# This daemon creates a socket called /dev/egd-pool
# as a source of random numbers for Unix
# Link as /etc/rc2.d/S99egd and /etc/rc2.d/K99egd
# [EMAIL PROTECTED] - 01/12/2001

case "$1" in

'start')
        # Start the egd daemon
        if [ -f /usr/local/bin/egd.pl ]; then
                echo "starting EGD daemon"
                /usr/local/bin/egd.pl /dev/egd-pool
        fi
        ;;

'stop')
        # Stop the egd daemon
        PID=`/usr/bin/ps -e -u 0 | /usr/bin/fgrep egd.pl | /usr/bin/awk '{print $1}'`
        if [ ! -z "$PID" ] ;  then
                /usr/bin/kill ${PID} 1>/dev/null 2>&1
        fi
        ;;
esac

And start the daemon:

/etc/init.d/egd start

3) To compile and configure Qpopper:
./configure --with-openssl=/usr/local/ssl \
    --enable-log-facility=LOG_MAIL --enable-log-login \
    --enable-specialauth
make

4) Create the digital certificate:

(Wait like 10 min to allow the egd to gather enough
entropy)

Please read:
http://www.sendmail.org/~ca/email/other/cagreg.html

To make the certificate authority:
cd /usr/local/openssl
mkdir CA
cd CA
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /usr/local/openssl/openssl.cnf.sample /usr/local/ssl/openssl.cnf
vi /usr/local/ssl/openssl.cnf   (set values, use absolute paths)
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 \
    -config /usr/local/ssl/openssl.cnf -rand /dev/egd-pool

To make a new certificate:
openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 \
    -config /usr/local/ssl/openssl.cnf -rand /dev/egd-pool

(certificate and private key are in the file newreq.pem)

To sign the new certificate with the certificate authority:
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
openssl ca -config /usr/local/ssl/openssl.cnf -policy policy_anything \
    -out newcert.pem -infiles tmp.pem
rm -f tmp.pem



5) Prepare the qpopper.conf file to use SSL
(/usr/local/etc/qpopper.conf):
set tls-support= stls
set tls-server-cert-file='/usr/local/ssl/CA/newcert.pem'
set tls-private-key-file='/usr/local/ssl/CA/newreq.pem'

6) Now install and configure the rest of Qpopper
(http://www.eudora.com/qpopper):
./configure --enable-log-facility=LOG_MAIL \
    --enable-log-login --enable-specialauth \
    --with-openssl=/usr/local/ssl
make
make install

Add a line like this to /etc/inetd.conf:
pop3 stream tcp nowait root /usr/local/sbin/popper qpopper -f /usr/local/etc/qpopper.conf -s

7) Make sure pop is listed in your /etc/services file:
# cat /etc/services | grep pop
pop2            109/tcp         pop-2           # Post Office Protocol - V2
pop3            110/tcp                         # Post Office Protocol - Version 3
pop-2           109/tcp                         # Post Office

And add the openssl library to the LD_LIBRARY_PATH in
/etc/profile:

# System wide libraries - Jose Vicente
([EMAIL PROTECTED])
LD_LIBRARY_PATH=/usr/local/ssl/lib
LD_RUN_PATH=/usr/local/ssl/lib

8) Restart inetd (example):
# ps -ef|grep inetd
    root  6014     1  0 20:40:29 ?        0:01 /usr/sbin/inetd -s
    root 29990  9286  0 13:58:34 pts/4    0:00 grep inetd
# kill -HUP  6014

9) Connect to port 110 on localhost to test the
installation:
# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Qpopper (version 4.0.3) at lenbkx0001 starting.  
^]
telnet> q
Connection closed.

Netscape and Outlook are able to connect to this setup
without using SSL; if I set up SSL, the clients just
hang or throw an error.

Also, if I change the configuration to this (to support
Netscape 6, for example):
# http://80211b.weblogger.com/2001/08/12
set tls-support = alternate-port
#set tls-support = none
#set tls-support= stls
set tls-server-cert-file='/usr/local/ssl/CA/newcert.pem'
set tls-private-key-file='/usr/local/ssl/CA/newreq.pem'

I just get a "Connection refused" error when connecting to
port 995!

Any ideas are welcome; thanks in advance.

JV.

=====
System Engineer, José Vicente Nuñez Zuleta ([EMAIL PROTECTED])
Newbreak System Administrator (http://www.newbreak.com)
Phone: 203-355-1511, 203-355-1510
Java 2 Certified Programmer
Java 2 Certified Developer

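The checker below is an added example, not part of the original post and not Qpopper's or OpenSSL's own code. It covers the two symptoms reported: with "tls-support = alternate-port" it parses qpopper.conf, /etc/services and inetd.conf fragments to report whether inetd actually has a 995/tcp listener for popper to be started on (the assumption here, stated in the code, is that alternate-port mode needs its own pop3s/995 inetd entry, because popper is only started by inetd for ports inetd is told to listen on), and for the STLS mode it includes a live probe that sends CAPA, issues STLS if it is offered, and attempts the TLS handshake. The sample config text, the function names and the 995/pop3s assumption are mine, not the post's.

```python
# Added example (not from the original post or from Qpopper). Assumption:
# alternate-port mode needs its own pop3s/995 inetd entry; samples are constructed.
import re
import socket
import ssl

POP3S_PORT = 995

def parse_qpopper_conf(text):
    """{option: value} from 'set option = value' lines, quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"set\s+([\w-]+)\s*=\s*(.*)$", raw.split("#", 1)[0].strip())
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings

def parse_services(text):
    """Map every name and alias in /etc/services format to (port, proto)."""
    services = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            for name in [fields[0]] + fields[2:]:
                services[name] = (int(port), proto)
    return services

def inetd_listeners(text, services):
    """(port, proto) pairs inetd will accept on, from inetd.conf text."""
    listeners = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # layout: service socktype proto wait/nowait user program args...
        if len(fields) >= 6 and fields[0] in services:
            listeners.add(services[fields[0]])
    return listeners

def check_tls_listener(qpopper_conf, services_text, inetd_conf):
    """(ok, reason): will a client connecting to 995/tcp find a listener?"""
    mode = parse_qpopper_conf(qpopper_conf).get("tls-support", "none")
    if mode != "alternate-port":
        return True, f"tls-support={mode}: no separate TLS port is expected"
    listeners = inetd_listeners(inetd_conf, parse_services(services_text))
    if (POP3S_PORT, "tcp") in listeners:
        return True, f"inetd listens on {POP3S_PORT}/tcp"
    return False, (f"tls-support=alternate-port but inetd has no {POP3S_PORT}/tcp "
                   "listener, so the kernel refuses the connection before popper "
                   "runs; add a pop3s entry to /etc/services and inetd.conf (assumed)")

def parse_capa(reply):
    """Set of capability names from a POP3 CAPA reply (text)."""
    lines = reply.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        return set()
    caps = set()
    for line in lines[1:]:
        if line == ".":
            break
        if line:
            caps.add(line.split()[0].upper())
    return caps

def probe_stls(host, port=110, timeout=5.0):
    """Live check (not run by the offline test): send CAPA, then STLS if it
    is offered; return (capabilities, DER peer certificate or None)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rwb")
    f.readline()                               # +OK greeting banner
    f.write(b"CAPA\r\n"); f.flush()
    reply = []
    while True:
        line = f.readline()
        reply.append(line)
        if not line or line.strip() == b"." or line.startswith(b"-ERR"):
            break
    caps = parse_capa(b"".join(reply).decode("ascii", "replace"))
    peer_der = None
    if "STLS" in caps:
        f.write(b"STLS\r\n"); f.flush()
        if f.readline().startswith(b"+OK"):
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False         # private CA, as in the post
            ctx.verify_mode = ssl.CERT_NONE    # only testing that the handshake completes
            tls = ctx.wrap_socket(sock, server_hostname=host)
            peer_der = tls.getpeercert(binary_form=True)
            tls.close()
    sock.close()
    return caps, peer_der

# Constructed sample inputs modelled on the fragments in the post.
SAMPLE_SERVICES = "pop3   110/tcp   # Post Office Protocol - Version 3\npop3s  995/tcp   # POP3 over TLS (constructed)\n"
SAMPLE_INETD = "pop3 stream tcp nowait root /usr/local/sbin/popper qpopper -f /usr/local/etc/qpopper.conf -s\n"
SAMPLE_INETD_FIXED = SAMPLE_INETD + SAMPLE_INETD.replace("pop3 ", "pop3s ", 1)
SAMPLE_QPOPPER_STLS = "set tls-support= stls\n"
SAMPLE_QPOPPER_ALT = ("set tls-support = alternate-port\n"
                      "set tls-server-cert-file='/usr/local/ssl/CA/newcert.pem'\n"
                      "set tls-private-key-file='/usr/local/ssl/CA/newreq.pem'\n")
```

check_tls_listener(SAMPLE_QPOPPER_ALT, SAMPLE_SERVICES, SAMPLE_INETD) returns False with the reason, and True once the constructed pop3s line is present; probe_stls("localhost") against a live server tells you whether STLS is even advertised before any client is blamed. Two caveats when probing a 2001-era build: the handshake is done with CERT_NONE because the post's CA is private, so a success here says nothing about the certificate chain, and a modern OpenSSL may refuse the TLS 1.0 ciphers and short keys such a server offers, in which case the ssl.SSLContext needs its minimum version and security level relaxed explicitly.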