<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19088">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2 face=Arial>hmm, it works for me. (CAfile and CRLfile with
verify=2). What is the contents of your CRLpath?</FONT></DIV>
<DIV><FONT size=2 face=Arial>It is supposed to contain CRLs.</FONT></DIV>
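<DIV><FONT size=2 face=Arial>Editor's added example, not configuration posted by anyone in this thread: a service section that keeps the trust store (CApath) and the revocation data (CRLpath) together, which is the point made in the quoted messages that CRLpath does not replace CApath. The directory paths and the service name are placeholders.</FONT></DIV>

```ini
; Added example (not from the thread): stunnel 4.x global options that verify the
; client certificate against a trusted CA directory AND check it against CRLs.
; Paths are placeholders. Either CAfile or CApath is mandatory once verify is set;
; CRLpath/CRLfile only add revocation checking on top and are never a trust store.
verify  = 2                     ; 2 = require a cert chaining to a trusted CA
                                ; 3 = additionally require the exact cert in CApath/CAfile
CApath  = /etc/stunnel/trusted/ ; trusted certs named <hash>.0  (openssl rehash / c_rehash)
CRLpath = /etc/stunnel/crls/    ; CRLs named <hash>.r0; a plain "revoked.crl" is not found
; single-file equivalent of the two directories above:
; CAfile  = /etc/stunnel/trusted.pem
; CRLfile = /etc/stunnel/revoked.crl

[pop3s]
accept  = localhost:37171
connect = localhost:22
```

<DIV><FONT size=2 face=Arial>The lookup in CApath and CRLpath uses OpenSSL's hashed-directory convention, so a CRL dropped into the directory under its own name is silently skipped, which looks exactly like "CRLpath is ignored". When chroot is set, stunnel resolves CApath and CRLpath inside the jail, so the hashed files must exist there as well.</FONT></DIV>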
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=biks_u@inbox.lv href="mailto:biks_u@inbox.lv">Uldis Biks</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=stunnel-users@stunnel.org
href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, August 31, 2011 9:09
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [stunnel-users] CRL</DIV>
<DIV><BR></DIV>Sorry, you are right - CAfile/CApath must always be there in
order to successfully start stunnel. This is what I tested so far:<BR>CAfile
and verify 2 - all clients can connect<BR>CApath and verify 3 - only clients
with certs in CAfile/CApath can connect<BR>CAfile and CRLpath with verify 3 -
no clients can connect because there is no client certs in CAfile and CRLpath
is ignored<BR>
<DIV id=sig_upper> </DIV>CApath and CRLpath with verify 3 - only clients
with certs in CApath can connect, CRLpath is ignored<BR>CAfile and CRLpath
with verify 2 - all clients can connect and CRLpath is ignored<BR><BR>
<DIV class=noTransl>Quoting <STRONG>yyy <A
href="mailto:yyy@yyy.id.lv"><yyy@yyy.id.lv></A></STRONG>:</DIV>
<BLOCKQUOTE
style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0pt 0pt 0pt 0.8ex; PADDING-LEFT: 1ex">On
2011.08.30. 15:19, Uldis Biks wrote:<BR>> Hi,<BR>><BR>> I'm trying
to achieve following setup with stunnel - accept only<BR>> clients with
certificates not in Certificate Revocation List<BR>> (CRLpath), but no
luck so far.<BR>> I've created self signed CA, created 3 certs and with
following setup<BR>> I was able to achieve - accept only clients with
certificates in<BR>> CApath or CAfile.<BR>><BR>> cert =
/root/stunnel_test/01.pem<BR>> chroot =
/root/stunnel_test/chroot/<BR>> verify = 3<BR>> CApath =
good_certs/<BR>> ciphers = 3DES:RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES<BR>>
debug = 7<BR>> output = /root/stunnel_test/stunnel.log<BR>> client =
no<BR>> pid = /good_certs/stunnel.pid<BR>> foreground = yes<BR>>
[pop3s]<BR>> accept = localhost:37171<BR>> connect =
localhost:22<BR>><BR>> but when I change CApath to CRLpath and verify
from 3 to 2, I can<BR>> connect with all certs and client is not
disconnected based on<BR>> revocation list.<BR>><BR>> Can someone
help me out? Thanks!<BR>><BR>> stunnel -version<BR>> stunnel 4.29
on i386-redhat-linux-gnu with OpenSSL 1.0.0-fips 29 Mar 2010<BR>>
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6
Auth:LIBWRAP<BR>><BR>CRLpath does not replace CApath. Verifying
certificate requires both.<BR>I tried to replace CAfile with CRLfile and
stunnel refused to start (it<BR>refuses to start, if there is missing
CAfile/CApath)<BR>How did you manage to start stunnel with CApath
missing?<BR>_______________________________________________<BR>stunnel-users
mailing
list<BR>stunnel-users@stunnel.org<BR>http://stunnel.mirt.net/mailman/listinfo/stunnel-users</BLOCKQUOTE><BR><BR>
<DIV id=sig_lower> </DIV>
<P>
<HR>
<P></P></BLOCKQUOTE></BODY></HTML>