On 2005-01-31, at 15:24, Heiko Nardmann wrote:
Since I want to write CRL files from all relevant CAs on a regular (daily) basis, I wonder whether it is necessary to restart stunnel if the contents of the CRL or CA directory change.
The regular part is going to be handled by a cronjob which does an LDAP search which results in the CA certificate and crl files.
How does stunnel work in this situation? Do I need a restart after a cron run or not?
The rule is simple and effective:
- stunnel (as well as the OpenSSL library) handles *adding* a (hashed) file to the CApath and/or CRLpath without a restart,
- all other operations, including changing CAfile and CRLfile (they are outside of the chroot jail, so they're not accessible to a running stunnel daemon) and removing a file (they're cached for better performance), require restarting stunnel.
BTW: Removing a certificate should *not* be used to revoke it. CRLs should be used to revoke certificates!
Best regards, Mike
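The following script is an added example and is not part of the list thread nor of stunnel or OpenSSL. It shows how a daily cron job could apply the rule from the reply above: snapshot the CRLpath (or CApath) directory before and after writing the files fetched from LDAP, and only when files were purely added leave the running stunnel alone; any removed or rewritten file, or any change to CAfile/CRLfile, is reported as needing a restart. The directory names, the placeholder file contents and the `install_crl` helper (which names a PEM CRL `<issuer-hash>.r<n>` the way `c_rehash` does, and is the only part that needs the `openssl` tool) are assumptions for illustration; the demo itself uses constructed placeholder files, not real CRLs.

```shell
#!/bin/sh
# Added example (not from the stunnel thread): decide after a cron run
# whether stunnel must be restarted. Rule applied: new hashed files under
# CApath/CRLpath are picked up live; removed or rewritten files, and any
# change to CAfile/CRLfile, need a restart.
set -eu

# Snapshot a directory as one "name:checksum" token per line, sorted.
# An empty or missing directory yields empty output.
snapshot_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        sum=$(cksum < "$f" | cut -d' ' -f1)   # content checksum, no openssl needed
        printf '%s:%s\n' "$(basename "$f")" "$sum"
    done | sort
}

# Snapshot a single file (CAfile or CRLfile) as "name:checksum", or "" if absent.
snapshot_file() {
    [ -e "$1" ] || { printf ''; return 0; }
    printf '%s:%s' "$(basename "$1")" "$(cksum < "$1" | cut -d' ' -f1)"
}

# Compare two directory snapshots. Prints "ok" when every entry that existed
# before is still present with the same content (i.e. only additions happened),
# "restart" when something was removed or rewritten.
classify_change() {
    before=$1
    after=" $(printf '%s' "$2" | tr '\n' ' ') "
    for entry in $before; do
        case "$after" in
            *" $entry "*) ;;                  # still present, unchanged
            *) echo restart; return 0 ;;     # removed or rewritten
        esac
    done
    echo ok
}

# CAfile/CRLfile live outside the chroot, so any change at all means restart.
classify_file_change() {
    [ "$1" = "$2" ] && echo ok || echo restart
}

# Install a PEM CRL into CRLpath under the name OpenSSL looks up,
# <issuer-hash>.r<n>, using the first free suffix as c_rehash does.
# Needs the openssl tool; not exercised by the demo below.
install_crl() {
    pem=$1; crlpath=$2
    hash=$(openssl crl -hash -noout -in "$pem")
    n=0
    while [ -e "$crlpath/$hash.r$n" ]; do n=$((n + 1)); done
    cp "$pem" "$crlpath/$hash.r$n"
}

# Demo on constructed placeholder files (hashes and contents are made up).
demo() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    crlpath=$tmp/crls
    mkdir "$crlpath"
    printf 'placeholder crl for CA A\n' > "$crlpath/1a2b3c4d.r0"

    # Cron run 1: a CRL for a CA not seen before is added -> no restart.
    before=$(snapshot_dir "$crlpath")
    printf 'placeholder crl for CA B\n' > "$crlpath/5e6f7a8b.r0"
    after=$(snapshot_dir "$crlpath")
    echo "after adding a CRL:      $(classify_change "$before" "$after")"

    # Cron run 2: the daily CRL of CA A replaces the old file -> restart.
    before=$after
    printf 'placeholder crl for CA A, next day\n' > "$crlpath/1a2b3c4d.r0"
    after=$(snapshot_dir "$crlpath")
    echo "after rewriting a CRL:   $(classify_change "$before" "$after")"

    # Cron run 3: a CRL file is deleted -> restart (stale cache otherwise).
    before=$after
    rm "$crlpath/5e6f7a8b.r0"
    after=$(snapshot_dir "$crlpath")
    echo "after removing a CRL:    $(classify_change "$before" "$after")"

    # CAfile changed outside the jail -> restart.
    printf 'placeholder CA bundle\n' > "$tmp/ca.pem"
    fb=$(snapshot_file "$tmp/ca.pem")
    printf 'placeholder CA bundle v2\n' > "$tmp/ca.pem"
    fa=$(snapshot_file "$tmp/ca.pem")
    echo "after rewriting CAfile:  $(classify_file_change "$fb" "$fa")"
}

demo
```

In a real cron job the snapshot would be taken once before the LDAP export and once after it, and a result of `restart` would trigger the service restart; a result of `ok` means the new hashed files are already visible to the running daemon.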