Hello Mike,
#1. I added a crlpath in my stunnel.conf and it was picked up on the next start of stunnel, as I can see from this log output:
2006.11.21 17:49:46 LOG7[18581:3086255808]: Certificate: /etc/stunnel/stunnel.pem
2006.11.21 17:49:46 LOG7[18581:3086255808]: Key file: /etc/stunnel/stunnel.pem
2006.11.21 17:49:46 LOG7[18581:3086255808]: Verify directory set to /etc/stunnel/certificates
2006.11.21 17:49:46 LOG7[18581:3086255808]: CRL directory set to /etc/stunnel/certificates-revoke
#2. I did not have any certs in my capath or crlpath.
#3. When I tried to connect from a remote machine, it was denied because it was a self signed cert, as it should.
#4. So then I copied the correctly named *.0 cert file to my CApath and tried connecting again from a remote box. This time it connected just fine, as it should.
#5. Then I moved the cert from the capath to the crlpath. When I tried to connect from the remote sensor, it was still able to connect and was able to connect until I restarted stunnel on the local server.
#6. After restarting stunnel on the local server I was not able to connect from the remote client, but I was given the same error as I was on step #3. It's not as if the cert was rejected, it just said "bad certificate, self signed cert".
On 11/15/06, Michal Trojnara Michal.Trojnara@mobi-com.net wrote:
> On Wednesday 15 November 2006 06:19, Rami Michael wrote:
> > Thanks for the help guys... but it's still acting a little weird
> [cut]
> > However, I tried removing the cert from the CApath directory on the sensor
> > side and it seems as though stunnel caches that cert it had read in until
> > it's restarted.
>
> Stunnel is acting perfectly fine.
> Deleting certificates is just not the correct way to revoke them.
>
> http://stunnel.mirt.net/pipermail/stunnel-users/2004-October/000101.html
> http://stunnel.mirt.net/pipermail/stunnel-users/2005-January/000290.html
>
> Best regards, Mike