-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 02.03.2016 19:05, Fritz Gschwendner wrote:
> My questions:
> Is this intended behaviour? I find it logical to check the CRL of a client certificate if there is one in the CRLfile, and if there isn't, to not check.
Yes, this is the intended behaviour. For many years stunnel used its own (quite ugly) CRL checking code, which ignored missing CRLs. Since stunnel 5.24 I switched to the more strict built-in OpenSSL CRL verification. The new functionality, if enabled, requires a valid CRL for a CA before a certificate signed by this CA can be accepted. The underlying concept is called "fail-secure" or "fail-closed".
> Does a CRL distribution point configured in a client certificate play any role?
If by the "CRL distribution point" you mean Indirect CRL (as defined in RFC 3280, section 5), then they are currently ignored by stunnel. The support is on my TODO list: https://www.stunnel.org/sdf_todo.html
Best regards,
Mike
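The fail-closed behaviour described in the reply can be reproduced outside stunnel with the openssl command-line tool, because stunnel 5.24 and later delegate CRL checking to the same library verification. The script below is an added example, not code from the stunnel project or from either poster. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the CA, client certificate and CRL it builds are constructed throw-away test material in a temporary directory. It verifies the client certificate three times with CRL checking enabled: with no CRL for the CA (rejected, the case raised in the question), with a freshly issued CRL (accepted), and after the certificate has been revoked and the CRL re-issued (rejected). In stunnel the CRL would be supplied through the `CRLfile` option; here openssl's `-CRLfile` plays that role.

```shell
#!/bin/sh
# Added example, not code from the stunnel project or this thread.
# Shows OpenSSL's fail-closed CRL checking: with CRL checking enabled, a client
# certificate is accepted only if a valid CRL from its issuing CA is available.
# Assumes `openssl` (1.1.1 or 3.x) on PATH. Everything is generated in a
# throw-away temp directory (constructed test PKI, no real identities).
set -e

CLEANUP_DIRS=""
trap 'rm -rf $CLEANUP_DIRS' EXIT

# Create a fresh CA plus one client certificate signed by it; sets WORK.
setup_pki() {
    WORK=$(mktemp -d)
    CLEANUP_DIRS="$CLEANUP_DIRS $WORK"
    (
        cd "$WORK"
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
            -subj "/CN=Demo CA (constructed)" -keyout ca.key -out ca.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=demo-client" -keyout client.key -out client.csr 2>/dev/null
        openssl x509 -req -sha256 -days 2 -in client.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -out client.pem 2>/dev/null
        # Minimal `openssl ca` config: just what CRL generation and revocation need.
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 2
default_crl_days = 1
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
        : > index.txt
        echo 01 > serial
        echo 01 > crlnumber
    )
}

# Issue (or re-issue) the CA's CRL as $WORK/ca.crl.
issue_crl() {
    (cd "$WORK" && openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null)
}

# Record the client certificate as revoked in the CA database, then publish a new CRL.
revoke_client() {
    (cd "$WORK" && openssl ca -config ca.cnf -revoke client.pem 2>/dev/null)
    issue_crl
}

# Verify client.pem with CRL checking on. $1 is a CRL file name inside $WORK, or "" for none.
# Exit status 0 = accepted, non-zero = rejected (openssl reports the reason on stderr).
verify_client() {
    if [ -n "$1" ]; then
        (cd "$WORK" && openssl verify -crl_check -CAfile ca.pem -CRLfile "$1" client.pem >/dev/null 2>&1)
    else
        (cd "$WORK" && openssl verify -crl_check -CAfile ca.pem client.pem >/dev/null 2>&1)
    fi
}

# Walk through the three states and print ACCEPT/REJECT for each.
run_demo() {
    setup_pki
    if verify_client "";     then echo "no CRL:       ACCEPT"; else echo "no CRL:       REJECT (fail-closed)"; fi
    issue_crl
    if verify_client ca.crl; then echo "valid CRL:    ACCEPT"; else echo "valid CRL:    REJECT"; fi
    revoke_client
    if verify_client ca.crl; then echo "after revoke: ACCEPT"; else echo "after revoke: REJECT (revoked)"; fi
}

run_demo
```

The practical consequence for an stunnel deployment is that the file named by `CRLfile` must contain a current CRL for every CA that issues client certificates, not only for the CAs that have something to revoke; the same strictness applies to a CRL whose nextUpdate has passed, which OpenSSL rejects as expired, so a CRL that is published with a short lifetime needs a refresh process or every client of that CA is locked out.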