I have also been bitten by this problem. I didn't try much though. I just wrote some scripts to automatically restart stunnel when the CRL is updated. It might not be feasible for your case though.<br><br><div class="gmail_quote">
On Wed, Nov 19, 2008 at 6:13 AM, Jason Haar <span dir="ltr">&lt;<a href="mailto:Jason.Haar@trimble.co.nz">Jason.Haar@trimble.co.nz</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi there<br>
<br>
I got no reply to this. Isn't anyone else using CRLs?<br>
<font color="#888888"><br>
Jason<br>
</font><div><div></div><div class="Wj3C7c"><br>
Jason Haar wrote:<br>
> Hi there<br>
><br>
> Is stunnel capable of re-reading updated CRLs on the fly? Without<br>
> needing to be restarted?<br>
><br>
> I have tried both CRLfile and CRLpath (with the hashes) with no luck. It<br>
> appears stunnel only reads them on startup and never refers to them<br>
> again? There also seems to be no option to send a HUP or the like to<br>
> force a re-read - only a full restart will make stunnel re-read the<br>
> CRLs. i.e. our system works after a fresh restart until the original CRL<br>
> expires, and then stunnel starts rejecting new connections with "Found<br>
> CRL is expired - revoking all certificates until you get updated CRL" -<br>
> even though there have been several CRL file (and hash) updates in<br>
> between. Restarting stunnel makes it start working again.<br>
><br>
> I've googled around and see several other people have asked similar<br>
> questions over the years, and there are references by Michal Trojnara<br>
> that it should work?<br>
><br>
> This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No<br>
> chroot jail<br>
><br>
> Thanks!<br>
><br>
><br>
<br>
<br>
--<br>
Cheers<br>
<br>
Jason Haar<br>
Information Security Manager, Trimble Navigation Ltd.<br>
Phone: +64 3 9635 377 Fax: +64 3 9635 417<br>
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1<br>
<br>
_______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@mirt.net">stunnel-users@mirt.net</a><br>
<a href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users" target="_blank">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Sandeep Kumar<br><a href="http://students.iiit.ac.in/~sandeep_kr">http://students.iiit.ac.in/~sandeep_kr</a><br>
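The workaround mentioned in the reply at the top of this thread (restarting stunnel when the CRL is updated) could look like the following. This is an added example, not the poster's own script. It assumes the `CRLfile` setup and that `sha256sum` and `openssl` are installed; the paths and the restart command are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: restart stunnel only when the CRL file has actually changed
# and the new file still parses as a CRL. All paths are hypothetical.

CRL_FILE="${CRL_FILE:-/etc/stunnel/crl.pem}"             # file named by CRLfile
STATE_FILE="${STATE_FILE:-/var/run/stunnel-crl.sha256}"  # digest last acted on
VERIFY_CMD="${VERIFY_CMD:-openssl crl -noout -in}"       # fails on a malformed CRL
RESTART_CMD="${RESTART_CMD:-echo replace-with-your-stunnel-restart}"  # placeholder

crl_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 if stunnel was restarted, 1 if the CRL is unchanged, 2 on error.
refresh_stunnel_crl() {
    [ -r "$CRL_FILE" ] || { echo "CRL not readable: $CRL_FILE" >&2; return 2; }
    new=$(crl_digest "$CRL_FILE") || return 2
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1

    # A half-written or corrupt download must not take the tunnel down:
    # keep the running stunnel (and its old CRL) until the file is valid.
    if ! $VERIFY_CMD "$CRL_FILE" >/dev/null 2>&1; then
        echo "new CRL failed validation, not restarting" >&2
        return 2
    fi

    $RESTART_CMD || return 2
    # Record the digest only after a successful restart so a failed
    # restart is retried on the next run.
    printf '%s\n' "$new" > "$STATE_FILE"
    return 0
}

# Run from cron as: script.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_stunnel_crl
fi
```

Schedule it more often than the CRL's validity period so that a restart always happens before the previously loaded CRL expires.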