Hi,

I am using stunnel in server mode with mutual authentication. The PKI used to authenticate my client is the following: root CA -> Intermediate CA -> Client.

My stunnel configuration is:

CAfile = RootCA.pem
CRLfile = IntermediateCACRL.pem
verify = 2

RootCA.pem contains the Root CA certificate.
IntermediateCACRL.pem contains the CRL file of the Intermediate CA.

The client authentication with client certificate goes well. The problem occurs when a client certificate is revoked. After the Intermediate CA CRL updates, the client certificate is still accepted whereas it should be refused.

With the following configuration the revoked certificate is refused:

CAfile = IntermediateCA.pem
CRLfile = IntermediateCACRL.pem
verify = 2

but I would prefer to use the first configuration.

Everything happens as if stunnel checked the CRL only for the CA certificate and not for the whole certification chain.

Thank you for your answers,

Jean-Philippe Constant
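As an added example (not part of the original post, and not stunnel's own code): the script below rebuilds the same root CA -> Intermediate CA -> Client shape with the openssl command-line tool, issues and then revokes a client certificate, publishes the intermediate CA's CRL, and runs OpenSSL's own verifier with only the root trusted, which is the trust setup of the first stunnel configuration above. That gives a baseline for the PKI and the CRL that is independent of stunnel. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; all file names, subjects and the config file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post and not stunnel's code): rebuild the
# post's PKI shape with the openssl CLI, revoke the client certificate, publish
# the intermediate CA's CRL and verify the chain outside stunnel.
# Assumptions: an `openssl` binary (1.1.1 or 3.x) on PATH; every file name,
# subject and path below is constructed for this example.

build_pki() {
  PKI=$(mktemp -d) || return 1
  cd "$PKI" || return 1

  # One config file shared by `req`, `x509 -extfile` and `ca` (constructed).
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = inter_ca
[ inter_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/inter.pem
private_key      = $dir/inter.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  : > index.txt
  echo 01 > serial
  echo 01 > crlnumber

  # Root CA (self-signed): the counterpart of the post's RootCA.pem.
  openssl req -x509 -config pki.cnf -extensions v3_root -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -days 3650 -subj "/CN=Example Root CA" \
    >/dev/null 2>&1 || return 1

  # Intermediate CA, signed by the root.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate CA" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile pki.cnf -extensions v3_inter -out inter.pem \
    >/dev/null 2>&1 || return 1

  # Client certificate issued through `openssl ca`, so the CA database records
  # it and can revoke it afterwards.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj "/CN=client" >/dev/null 2>&1 || return 1
  openssl ca -config pki.cnf -batch -notext -extensions v3_client \
    -in client.csr -out client.pem >/dev/null 2>&1 || return 1

  # Revoke the client certificate and publish the intermediate CA's CRL,
  # the counterpart of the post's IntermediateCACRL.pem.
  openssl ca -config pki.cnf -revoke client.pem >/dev/null 2>&1 || return 1
  openssl ca -config pki.cnf -gencrl -out inter.crl >/dev/null 2>&1 || return 1
}

# Chain check with only the root trusted (as in the post's first configuration):
# returns 0 when openssl accepts client.pem with no CRL supplied at all.
verify_client() {
  openssl verify -CAfile "$PKI/root.pem" -untrusted "$PKI/inter.pem" \
    "$PKI/client.pem" >/dev/null 2>&1
}

# Same trust anchor, now with the intermediate's CRL and leaf CRL checking on.
# Returns 0 only when openssl rejects the certificate as revoked.
client_is_revoked() {
  openssl verify -crl_check -CAfile "$PKI/root.pem" -untrusted "$PKI/inter.pem" \
    -CRLfile "$PKI/inter.crl" "$PKI/client.pem" 2>&1 | grep -q 'certificate revoked'
}

build_pki || { echo "PKI setup failed: is openssl on PATH?" >&2; exit 1; }
verify_client && echo "no CRL supplied: client certificate accepted"
client_is_revoked && echo "intermediate CRL + -crl_check: certificate revoked"
```

`-crl_check` makes OpenSSL look up a CRL for the leaf certificate only, and that CRL has to come from the leaf's issuer, so the intermediate CA's CRL is exactly what this check needs even though only the root is trusted. `-crl_check_all` extends the check to every CA certificate in the chain and then also needs the root's CRL to judge the intermediate; with only the intermediate's CRL loaded it fails for lack of a CRL rather than passing. Running this baseline next to the stunnel setup shows whether the CRL and chain themselves behave as expected before the stunnel configuration is suspected.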