Sorry, you are right - CAfile/CApath must always be there in order to successfully start stunnel. This is what I tested so far:
CAfile and verify 2 - all clients can connect
CApath and verify 3 - only clients with certs in CAfile/CApath can connect
CAfile and CRLpath with verify 3 - no clients can connect because there are no client certs in CAfile, and CRLpath is ignored
CApath and CRLpath with verify 3 - only clients with certs in CApath can connect, CRLpath is ignored
CAfile and CRLpath with verify 2 - all clients can connect and CRLpath is ignored

Quoting yyy <yyy@yyy.id.lv>:
On 2011.08.30. 15:19, Uldis Biks wrote:
> Hi,
>
> I'm trying to achieve the following setup with stunnel - accept only
> clients with certificates not in the Certificate Revocation List
> (CRLpath), but no luck so far.
> I've created a self-signed CA, created 3 certs, and with the following setup
> I was able to achieve - accept only clients with certificates in
> CApath or CAfile.
>
> cert = /root/stunnel_test/01.pem
> chroot = /root/stunnel_test/chroot/
> verify = 3
> CApath = good_certs/
> ciphers = 3DES:RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES
> debug = 7
> output = /root/stunnel_test/stunnel.log
> client = no
> pid = /good_certs/stunnel.pid
> foreground = yes
> [pop3s]
> accept = localhost:37171
> connect = localhost:22
>
> but when I change CApath to CRLpath and verify from 3 to 2, I can
> connect with all certs and the client is not disconnected based on the
> revocation list.
>
> Can someone help me out? Thanks!
>
> stunnel -version
> stunnel 4.29 on i386-redhat-linux-gnu with OpenSSL 1.0.0-fips 29 Mar 2010
> Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
>
CRLpath does not replace CApath. Verifying a certificate requires both.
I tried to replace CAfile with CRLfile and stunnel refused to start (it
refuses to start if CAfile/CApath is missing).
How did you manage to start stunnel with CApath missing?
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
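The point yyy makes above, that a CRL directory cannot stand in for a CA directory, shown with OpenSSL's own hashed-directory lookup (the same lookup stunnel's CApath/CRLpath rely on: files named <hash>.0 for CA certs and <hash>.r0 for CRLs). This is an added example, not code from the thread, and assumes only the openssl command-line tool; because "openssl verify" takes a single -CApath, the combined case puts the CA cert and the CRL in one directory, whereas stunnel reads them from CApath and CRLpath separately.

```shell
# Added example, not from the stunnel thread: a throwaway CA, two client certs and
# a CRL revoking one of them, checked with "openssl verify" against hashed dirs of
# the kind CApath/CRLpath point at (<hash>.0 for CA certs, <hash>.r0 for CRLs).
set -e
cd "$(mktemp -d)"   # assumes only the openssl CLI; all files are temporary

# Throwaway CA plus two client certificates; client2 will be revoked.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj /CN=demo-ca -days 2 2>/dev/null
for c in client1 client2; do
  openssl req -newkey rsa:2048 -nodes -keyout $c.key -out $c.csr -subj /CN=$c 2>/dev/null
  openssl x509 -req -in $c.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out $c.pem -days 1 2>/dev/null
done

# Minimal "openssl ca" section, just enough for -revoke and -gencrl.
touch index.txt
cat > ca.cnf <<'EOF'
[ demo ]
database = ./index.txt
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_crl_days = 1
EOF
openssl ca -config ca.cnf -name demo -revoke client2.pem >/dev/null 2>&1
openssl ca -config ca.cnf -name demo -gencrl -out crl.pem >/dev/null 2>&1

# Hashed directories: CA only, CRL only, and both (what revocation checking needs).
mkdir dir_ca dir_crl dir_both
cp ca.pem dir_ca/$(openssl x509 -hash -noout -in ca.pem).0
cp crl.pem dir_crl/$(openssl crl -hash -noout -in crl.pem).r0
cp dir_ca/* dir_crl/* dir_both/

# verdict DIR CERT: one word summarising what "openssl verify -crl_check" decided.
verdict() {
  out=$(openssl verify -no-CAfile -CApath "$1" -crl_check "$2" 2>&1) || true
  case $out in
    *"certificate revoked"*)                    echo revoked ;;
    *"unable to get local issuer certificate"*) echo no-issuer ;;
    *"unable to get certificate CRL"*)          echo no-crl ;;
    *": OK"*)                                   echo ok ;;
    *)                                          echo "other: $out" ;;
  esac
}
for d in dir_ca dir_crl dir_both; do
  printf '%-8s client1=%s client2=%s\n' $d "$(verdict $d client1.pem)" "$(verdict $d client2.pem)"
done
```

Only the directory holding both the CA cert and the CRL admits client1 and rejects client2; the CA-only directory cannot check revocation at all, and the CRL-only directory cannot even find an issuer.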