<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7232.36">
<TITLE>[stunnel-users] CRLPath not working </TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<BR>
<P><FONT SIZE=2 FACE="Palatino Linotype">Mike:</FONT>
</P>
<P><FONT SIZE=2 FACE="Palatino Linotype">Here are the configuration and the log files as you requested….</FONT>
</P>
<P><B><FONT SIZE=2 FACE="Palatino Linotype">---------------------------------------------BEGIN CONFIG ---------------------------------</FONT></B>
<BR><FONT FACE="Times New Roman"># switch-simulator stunnel configuration file</FONT>
<BR><FONT FACE="Times New Roman"># Copyright by Michal Trojnara 2002</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman"># Certs and keys</FONT>
<BR><FONT FACE="Times New Roman">cert = /etc/certs/demoedge2-cert.pem</FONT>
<BR><FONT FACE="Times New Roman">key = /etc/keys/demoedge2-key.pem</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman"># PID is created inside chroot jail</FONT>
<BR><FONT FACE="Times New Roman">pid = /var/opt/stunnel/stunnel_server.pid</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman"># Authentication stuff</FONT>
<BR><FONT FACE="Times New Roman">verify = 2</FONT>
<BR><FONT FACE="Times New Roman">options = NO_SSLv2</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman"># don't forget about c_rehash CApath</FONT>
<BR><FONT FACE="Times New Roman"># it is located inside chroot jail:</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman">CApath = /etc/CApath</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman"># CRL path or file (inside chroot jail):</FONT>
<BR><FONT FACE="Times New Roman">CRLpath = /etc/crl</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman"># Some debugging stuff</FONT>
</P>
<P><FONT FACE="Times New Roman">debug = local4.5</FONT>
<BR><FONT FACE="Times New Roman">output = /var/opt/log/pras_test_server.log</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman"># Use it for client mode</FONT>
<BR><FONT FACE="Times New Roman">#client = no</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman"># Service-level configuration</FONT>
<BR><FONT FACE="Times New Roman"> </FONT>
<BR><FONT FACE="Times New Roman">[APF]</FONT>
<BR><FONT FACE="Times New Roman">accept = 10.172.86.128:51101</FONT>
<BR><FONT FACE="Times New Roman">connect = 127.0.0.1:50111</FONT>
</P>
<P><B><FONT SIZE=2 FACE="Palatino Linotype">----------------------------------------------END CONFIG ----------------------------------</FONT></B>
<BR><B><FONT SIZE=2 FACE="Palatino Linotype">--------------------------------------------- BEGIN LOG FILE -------------------------------</FONT></B>
</P>
<BR>
<P><FONT FACE="Times New Roman">2006.06.11 19:27:25 LOG5[8839:7]: </FONT><FONT COLOR="#FF0000" FACE="Times New Roman">CA CRL: Issuer: /C=US/O=VISA CRL ISSUER></FONT><FONT FACE="Times New Roman">, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT</FONT></P>
<P><FONT FACE="Times New Roman">2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all certificates until you get updated CRL</FONT>
<BR><FONT FACE="Times New Roman">2006.06.11 19:27:25 LOG3[8839:7]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned</FONT></P>
<P><FONT FACE="Times New Roman">2006.06.11 19:27:25 LOG5[8839:7]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket</FONT>
<BR><FONT FACE="Times New Roman">2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225</FONT>
<BR><FONT FACE="Times New Roman">2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=VISA/OU=Visa International Service Association/CN=TEST Visa Info Delivery Root CA</FONT></P>
<P><FONT FACE="Times New Roman">2006.06.12 17:41:52 LOG5[8839:8]: </FONT><FONT COLOR="#FF0000" FACE="Times New Roman">CA CRL: Issuer: /C=US/O=VISA CRL ISSUER></FONT><FONT FACE="Times New Roman">, , lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT</FONT></P>
<P><B><FONT FACE="Times New Roman">2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL</FONT></B>
<BR><FONT FACE="Times New Roman">2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned</FONT></P>
<P><FONT FACE="Times New Roman">2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket</FONT>
<BR><FONT FACE="Times New Roman">2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371</FONT>
<BR><FONT FACE="Times New Roman">2006.06.12 23:01:08 LOG5[8839:9]: VERIFY OK: depth=2, </FONT><FONT COLOR="#FF0000" FACE="Times New Roman"><VISA CA></FONT>
<BR><FONT FACE="Times New Roman">2006.06.12 23:01:08 LOG5[8839:9]: </FONT><FONT COLOR="#FF0000" FACE="Times New Roman">CA CRL: Issuer: /C=US/O=VISA CRL ISSUER></FONT><FONT FACE="Times New Roman">, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT</FONT></P>
<P><FONT FACE="Times New Roman">2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL</FONT>
<BR><FONT FACE="Times New Roman">2006.06.12 23:01:08 LOG3[8839:9]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned</FONT></P>
<P><FONT FACE="Times New Roman">2006.06.12 23:01:08 LOG5[8839:9]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket</FONT>
</P>
<P><B><FONT SIZE=2 FACE="Palatino Linotype">------------------------------------------- END LOG FILE --------------------------------------</FONT></B>
<BR><FONT SIZE=2 FACE="Courier New">On 2006-06-12, at 22:17, Nagasundaram, Sekhar wrote:<BR>
><I> We download crls everyday from a CRL server using LDAP and a cronjob.<BR>
</I>><I> These CRLs are stored in the CRLpath directory along with its hash.<BR>
</I>><I> It appears that the stunnel is not refreshing its cache, and it<BR>
</I>><I> still shows "Found CRL is expired - revoking all certificates until<BR>
</I>><I> you get updated CRL" when we try to connect to it even though there is<BR>
</I>><I> a<BR>
</I>><I> New and valid CRL in the CRLPath folder. Is there a special option<BR>
</I>><I> In Stunnel configuration for it to recognize/cache/add the new hash<BR>
</I>><I> file<BR>
</I><BR>
Just to make sure: the problem disappears after restarting stunnel,<BR>
right?<BR>
<BR>
The simple workaround could be disabling all SSL caches:<BR>
./configure --with-threads=fork<BR>
make clean<BR>
make<BR>
make install<BR>
<BR>
Can you send your stunnel.conf and debug log?<BR>
<BR>
TIA,<BR>
Mike</FONT>
</P>
<BR>
<P><B><FONT COLOR="#808000" SIZE=2 FACE="Arial">Sekhar Nagasundaram</FONT></B>
<BR><FONT FACE="Arial" SIZE=2 COLOR="#000000"> <<Nagasundaram, Sekhar.vcf>> </FONT>
</P>
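<P><FONT SIZE=2 FACE="Palatino Linotype">Added example, not from this thread and not stunnel's own code: the log above shows stunnel checking a CRL whose nextUpdate (Jun 10) lies two days before the handshake (Jun 12) while, per the quoted question, a fresh CRL already sits in CRLpath. The script below parses log lines of that shape, works out how far past nextUpdate the CRL stunnel actually used was at handshake time, and compares that CRL with the one now on disk (its nextUpdate taken from <TT>openssl crl -in &lt;file&gt; -noout -nextupdate</TT>), so an operator can tell a failed CRL download apart from a running stunnel that never reloaded the new file. Assumptions: log timestamps are treated as UTC, the sample lines are constructed after the posted log with a placeholder issuer, and the function names are this example's own.</FONT></P>

```python
"""Flag stale CRLs in stunnel debug logs.

Added example, not part of the thread or of stunnel. It parses log lines of
the shape posted above, works out how far past nextUpdate the CRL that
stunnel actually used was at handshake time, and compares that CRL with the
one currently in CRLpath so "stale file on disk" can be told apart from
"stunnel still holds an old CRL in memory".
"""
import re
from datetime import datetime, timedelta, timezone

# stunnel log line: "2006.06.12 17:41:52 LOG5[8839:8]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<conn>\d+)\]: (?P<msg>.*)$"
)
# "CA CRL: Issuer: ..., lastUpdate: ... GMT, nextUpdate: ... GMT"
# (the posted log shows an occasional doubled comma before lastUpdate)
CRL_RE = re.compile(
    r"CA CRL: Issuer: (?P<issuer>.*?),\s*(?:,\s*)?lastUpdate: (?P<last>.*?) GMT,"
    r"\s*nextUpdate: (?P<next>.*?) GMT"
)
EXPIRED_MSG = "Found CRL is expired"


def parse_crl_time(text):
    """Parse an OpenSSL-style CRL time such as "Jun  9 07:00:02 2006 GMT".

    Also accepts the "nextUpdate=..." form printed by
    `openssl crl -noout -nextupdate`.
    """
    text = text.strip()
    if "=" in text:
        text = text.split("=", 1)[1]
    text = " ".join(text.replace("GMT", "").split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def analyze(lines):
    """Return one dict per connection that logged a CRL check, sorted by pid/conn.

    Log timestamps are assumed to be UTC (an assumption: stunnel writes local
    time, so adjust for the host's zone in real use).
    """
    results = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S").replace(tzinfo=timezone.utc)
        key = (int(m["pid"]), int(m["conn"]))
        crl = CRL_RE.search(m["msg"])
        if crl:
            next_update = parse_crl_time(crl["next"])
            results[key] = {
                "conn": m["conn"],
                "time": ts,
                "issuer": crl["issuer"].strip(),
                "next_update": next_update,
                # zero when the CRL was still valid at handshake time
                "stale_for": max(ts - next_update, timedelta(0)),
                "expired_warning": False,
            }
        elif m["msg"].startswith(EXPIRED_MSG) and key in results:
            results[key]["expired_warning"] = True
    return [results[k] for k in sorted(results)]


def stale_cache(results, disk_next_update):
    """Connections where stunnel used a CRL older than the file now in CRLpath.

    disk_next_update is the output of `openssl crl -in <file> -noout -nextupdate`.
    A non-empty result means the download produced a newer CRL but the running
    stunnel never picked it up, which is the symptom described in the thread.
    """
    on_disk = parse_crl_time(disk_next_update)
    return [r for r in results if r["next_update"] < on_disk]


# Constructed sample, modelled on the posted log with a placeholder issuer.
# Connection 8 runs under the old process; pid 9120 stands for a restarted stunnel.
SAMPLE_LOG = """\
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=Example/CN=Example Root CA
2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=US/O=Example CRL Issuer, , lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.13 09:00:00 LOG5[9120:1]: APF connected from 10.172.86.96:35371
2006.06.13 09:00:00 LOG5[9120:1]: CA CRL: Issuer: /C=US/O=Example CRL Issuer, lastUpdate: Jun 13 07:00:02 2006 GMT, nextUpdate: Jun 14 08:00:02 2006 GMT
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for r in report:
        print(f"conn {r['conn']}: CRL nextUpdate {r['next_update']:%Y-%m-%d %H:%M} "
              f"stale for {r['stale_for']} warning={r['expired_warning']}")
    # value as printed by: openssl crl -in /etc/crl/<file>.pem -noout -nextupdate
    for r in stale_cache(report, "nextUpdate=Jun 14 08:00:02 2006 GMT"):
        print(f"conn {r['conn']}: stunnel used an older CRL than the one on disk")
```

<P><FONT SIZE=2 FACE="Palatino Linotype">Run against the real log with <TT>analyze(open("/var/opt/log/pras_test_server.log").readlines())</TT> and feed <TT>stale_cache</TT> the nextUpdate of the newest file under CRLpath. If <TT>stale_for</TT> is large but <TT>stale_cache</TT> is empty, the file on disk is just as old as what stunnel logs and the cron download is what needs attention; if <TT>stale_cache</TT> lists connections, the download worked and the running process is still serving the CRL it loaded earlier.</FONT></P>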
</BODY>
</HTML>