I have also been bitten by this problem. I didn't try much though. I just wrote some scripts to automatically restart the stunnel when CRL is updated. It might not be feasible for your case though.
On Wed, Nov 19, 2008 at 6:13 AM, Jason Haar Jason.Haar@trimble.co.nz wrote:
Hi there
I got no reply to this. Isn't anyone else using CRLs?
Jason
Jason Haar wrote:
Hi there
Is stunnel capable of re-reading updated CRLs on the fly? Without needing to be restarted?
I have tried both CRLfile and CRLpath (with the hashes) with no luck. It appears stunnel only reads them on startup and never refers to them again? There also seems to be no option to send a HUP or the like to force a re-read - only a full restart will make stunnel re-read the CRLs. I.e. our system works after a fresh restart until the original CRL expires, and then stunnel starts rejecting new connections with "Found CRL is expired - revoking all certificates until you get updated CRL" - even though there have been several CRL file (and hash) updates in between. Restarting stunnel makes it start working again.
I've googled around and see several other people have asked similar questions over the years, and there are references by Michal Trojnara that it should work?
This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No chroot jail.
Thanks!
-- Cheers
Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
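The "restart stunnel when the CRL is updated" approach mentioned in the reply above, written out as an added example (not the poster's script, and not part of stunnel): it fingerprints the CRL that stunnel last started with, and restarts only onto a replacement that parses and has not already passed its nextUpdate, so a bad download cannot reproduce the "Found CRL is expired" rejection. The file paths, state file and restart command are assumptions to adjust for your system.

```shell
#!/bin/sh
# Constructed example: restart stunnel when the CRL it loaded at startup has been replaced.
# stunnel reads CRLfile/CRLpath once at startup, so a refreshed CRL on disk is invisible
# until the next restart. Paths and the restart command below are assumptions; adjust them.
CRL_FILE="${CRL_FILE:-/etc/stunnel/crl.pem}"           # the file named by CRLfile in stunnel.conf
STATE_FILE="${STATE_FILE:-/var/run/stunnel-crl.state}" # fingerprint of the CRL stunnel last started with
RESTART_CMD="${RESTART_CMD:-service stunnel restart}"  # hypothetical; use your init system's command
# If you use CRLpath instead of CRLfile, run c_rehash on that directory before the restart
# so the hash symlinks point at the new CRL.

crl_fingerprint() {
    # Content fingerprint of a CRL file (sha256 where available, POSIX cksum otherwise).
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

crl_changed() {
    # True when $1's fingerprint differs from the one recorded in $2 (no record counts as changed).
    [ "$(crl_fingerprint "$1")" != "$(cat "$2" 2>/dev/null)" ]
}

crl_valid() {
    # Fail closed: only restart onto a CRL that openssl can parse and that is not already expired.
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, cannot validate $1" >&2; return 1; }
    openssl crl -in "$1" -noout >/dev/null 2>&1 || { echo "$1 is not a parseable CRL" >&2; return 1; }
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    exp=$(date -d "$next" +%s 2>/dev/null) || return 0   # non-GNU date: skip the expiry check
    [ "$exp" -gt "$(date +%s)" ] || { echo "$1 already expired at $next" >&2; return 1; }
}

check_and_restart() {
    # Returns 0 after restarting onto a new CRL, 3 if the CRL is unchanged, 1 if the new CRL was rejected.
    crl_changed "$CRL_FILE" "$STATE_FILE" || return 3
    crl_valid "$CRL_FILE" || return 1
    sh -c "$RESTART_CMD" || return 1
    crl_fingerprint "$CRL_FILE" > "$STATE_FILE"
}

# Typical use: run from cron every few minutes, or as the last step of the CRL download job.
if [ "${1:-}" = "--run" ]; then check_and_restart; fi
```

Because the state file records what stunnel actually started with, a restart that fails leaves the old fingerprint in place and the next run retries.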