On 28.09.21 10:07, robin.kerdiles@emanrisk.fr wrote:
> If I set a wrong certificate on client side, my server logs get spammed
> [...]
> The CPU usage goes up to 35% and it seems there is no way to set a timeout before trying to reconnect on client side (which is not the perfect fix by the way).
> On server side, I don't know if we are supposed to be able to do something about that (for example rate limiting the requests?).

Yeah, I've pretty much given up on CRLing ex-clients from various OpenVPN servers for similar reasons - they don't handle outright rejects in a server-friendly (backing off) way, either. Cutting the worst of them off by other means, like iptables, is the way to go IMHO ...
Regards,
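
An added example, not part of the original messages: one way to find the clients worth cutting off with iptables, by counting failed TLS handshakes per source in the server log and printing DROP rules for review. The log line format, UDP port 1194, the threshold, and the function names are assumptions; the sample log is constructed.

```bash
#!/bin/sh
# Added example: list sources with repeated failed TLS handshakes and print
# (not apply) iptables DROP rules for them. Assumes IPv4 peers and the log
# format "<timestamp> <ip>:<port> TLS Error: TLS handshake failed".
VPN_PORT=1194   # assumption: OpenVPN listening on its default UDP port
THRESHOLD=3     # assumption: failures tolerated in the log slice supplied

# Reads server log text on stdin; prints "count ip" for every source with
# at least $1 failed handshakes, busiest first.
noisy_clients() {
    awk -v min="$1" '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+ TLS Error: TLS handshake failed/) {
            hit = substr($0, RSTART, RLENGTH)
            sub(/:.*/, "", hit)      # strip ":port TLS Error ...", keep the address
            fails[hit]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -rn
}

# Turns "count ip" lines into iptables commands for an operator to review.
drop_rules() {
    while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p udp --dport %s -j DROP  # %s failed handshakes\n' \
            "$ip" "$VPN_PORT" "$count"
    done
}

# Constructed sample log using documentation address ranges.
sample_log() {
    cat <<'EOF'
Tue Sep 28 10:07:01 2021 203.0.113.5:51234 TLS Error: TLS handshake failed
Tue Sep 28 10:07:03 2021 203.0.113.5:51240 TLS Error: TLS handshake failed
Tue Sep 28 10:07:04 2021 198.51.100.7:40112 TLS Error: TLS handshake failed
Tue Sep 28 10:07:05 2021 203.0.113.5:51251 TLS Error: TLS handshake failed
Tue Sep 28 10:07:06 2021 192.0.2.10:40000 Peer Connection Initiated with [AF_INET]192.0.2.10:40000
Tue Sep 28 10:07:07 2021 203.0.113.5:51266 TLS Error: TLS handshake failed
EOF
}

sample_log | noisy_clients "$THRESHOLD" | drop_rules
```

On a live server, feed `noisy_clients` a recent slice of the real log instead of `sample_log`, so the count reflects a bounded time window.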