Mike:

Here are the configuration and the log files, as you requested.

---------------------------------------------BEGIN CONFIG ---------------------------------
# switch-simulator stunnel configuration file
# Copyright by Michal Trojnara 2002
 
# Certs and keys
cert = /etc/certs/demoedge2-cert.pem
key = /etc/keys/demoedge2-key.pem
 
# PID is created inside chroot jail
pid = /var/opt/stunnel/stunnel_server.pid
 
# Authentication stuff
verify = 2
options = NO_SSLv2
 
# don't forget about c_rehash CApath
# it is located inside chroot jail:
 
CApath = /etc/CApath
 
# CRL path or file (inside chroot jail):
CRLpath = /etc/crl
 
 
# Some debugging stuff

debug = local4.5
output = /var/opt/log/pras_test_server.log
 
# Use it for client mode
#client = no
 
# Service-level configuration
 
[APF]
accept  = 10.172.86.128:51101
connect = 127.0.0.1:50111

----------------------------------------------END CONFIG ----------------------------------
--------------------------------------------- BEGIN LOG FILE -------------------------------


2006.06.11 19:27:25 LOG5[8839:7]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT

2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.11 19:27:25 LOG3[8839:7]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

2006.06.11 19:27:25 LOG5[8839:7]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=VISA/OU=Visa International Service Association/CN=TEST Visa Info Delivery Root CA

2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, , lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT

2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371
2006.06.12 23:01:08 LOG5[8839:9]: VERIFY OK: depth=2, <VISA CA>
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT

2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 23:01:08 LOG3[8839:9]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

2006.06.12 23:01:08 LOG5[8839:9]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

------------------------------------------- END LOG FILE --------------------------------------
On 2006-06-12, at 22:17, Nagasundaram, Sekhar wrote:
> We download CRLs every day from a CRL server using LDAP and a cron job.
> These CRLs are stored in the CRLpath directory along with their hash.
> It appears that stunnel is not refreshing its cache, and it
> still shows "Found CRL is expired - revoking all certificates until
> you get updated CRL" when we try to connect to it even though there is
> a new and valid CRL in the CRLpath folder. Is there a special option
> in the stunnel configuration for it to recognize/cache/add the new hash
> file?

Just to make sure: the problem disappears after restarting stunnel,
right?

The simple workaround could be disabling all SSL caches:
./configure --with-threads=fork
make clean
make
make install

Can you send your stunnel.conf and debug log?

TIA,
     Mike


Sekhar Nagasundaram
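A small shell check, added here and not part of the thread, for the situation the messages above describe: it compares the nextUpdate of the CRL stunnel reports in its log ("CA CRL: ... nextUpdate:") with the nextUpdate of the CRL file in CRLpath, so a mismatch shows that stunnel is still serving a cached copy rather than the freshly downloaded file. The log format is the one in the log above; the sample lines are constructed from it, the paths are the thread's (/etc/crl, /var/opt/log/pras_test_server.log), and openssl is assumed to be installed for the on-disk checks.

```shell
#!/bin/sh
# Added example (not the thread's own script): is the CRL stunnel logs the
# same CRL that sits in CRLpath on disk? If the nextUpdate strings differ,
# stunnel is using a cached CRL and needs a restart (or a fork-mode build).

# nextUpdate of the most recently loaded CRL according to the stunnel log.
logged_crl_nextupdate() {       # $1 = stunnel log file
    sed -n 's/.*CA CRL: .*nextUpdate: \(.*\)$/\1/p' "$1" | tail -n 1
}

# How many handshakes were refused because stunnel considered its CRL expired.
logged_crl_expired_count() {    # $1 = stunnel log file
    grep -c 'Found CRL is expired' "$1" || true
}

# nextUpdate of the CRL file on disk; OpenSSL prints it in the same
# "Jun 10 08:00:02 2006 GMT" form stunnel logs, so the strings compare directly.
disk_crl_nextupdate() {         # $1 = CRL file (PEM)
    openssl crl -noout -nextupdate -in "$1" | sed 's/^nextUpdate=//'
}

# stunnel looks CRLs up as <subject-hash>.r0 inside CRLpath (c_rehash naming);
# a freshly downloaded file stored under another name is never found.
crl_hash_name_ok() {            # $1 = CRLpath dir, $2 = CRL file
    h=$(openssl crl -noout -hash -in "$2")
    [ -e "$1/$h.r0" ]
}

# Exit 0 when the logged CRL is stale relative to the file on disk, 1 otherwise.
crl_cache_is_stale() {          # $1 = stunnel log, $2 = CRL file
    logged=$(logged_crl_nextupdate "$1")
    ondisk=$(disk_crl_nextupdate "$2")
    [ -n "$logged" ] && [ "$logged" != "$ondisk" ]
}

# Constructed sample in the thread's log format, used for the stand-alone demo.
write_sample_log() {            # $1 = output file
    cat > "$1" <<'EOF'
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL
EOF
}
tmp=$(mktemp)
write_sample_log "$tmp"
echo "stunnel last loaded a CRL with nextUpdate: $(logged_crl_nextupdate "$tmp")"
echo "handshakes refused for an expired CRL: $(logged_crl_expired_count "$tmp")"
rm -f "$tmp"
```

Against the thread's paths the real check is `crl_cache_is_stale /var/opt/log/pras_test_server.log /etc/crl/<hash>.r0`, with `crl_hash_name_ok /etc/crl <downloaded-crl>` confirming the cron job stored the file under the name stunnel will look for.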