Hi there
I got no reply to this. Isn't anyone else using CRLs?
Jason
Jason Haar wrote:
> Hi there
> Is stunnel capable of re-reading updated CRLs on the fly? Without needing to be restarted?
> I have tried both CRLfile and CRLpath (with the hashes) with no luck. It appears stunnel only reads them on startup and never refers to them again? There also seems to be no option to send a HUP or the like to force a re-read - only a full restart will make stunnel re-read the CRLs. I.e. our system works after a fresh restart until the original CRL expires, and then stunnel starts rejecting new connections with "Found CRL is expired - revoking all certificates until you get updated CRL" - even though there have been several CRL file (and hash) updates in between. Restarting stunnel makes it start working again.
> I've googled around and see several other people have asked similar questions over the years, and there are references by Michal Trojnara that it should work?
> This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No chroot jail.
> Thanks!
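The failure described in the quoted message (a CRL in CRLpath expires, stunnel starts rejecting every connection, and only a restart picks up the refreshed file) is easy to catch ahead of time from cron. The script below is an added example, not code from the stunnel project or from the poster; it builds a throwaway CA and a 7-day CRL so it runs offline, then runs the two checks an operator wants before scheduling the restart: that the `<subject-hash>.r0` entry OpenSSL's hash-directory lookup expects is present in the CRLpath directory, and how many days remain until the CRL's nextUpdate. It assumes the openssl CLI and GNU date (both present on CentOS); the demo directory, config and subject name are constructed for the example.

```shell
#!/bin/sh
# Added example (not stunnel's code): build a constructed demo CA + CRL,
# then run the checks an operator wants before refreshing CRLpath.
# Assumes the openssl CLI and GNU date.

# Create a constructed demo CA and a 7-day CRL in a temp directory;
# prints the directory path.
make_demo_crl() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=Demo CA" 2>/dev/null
  : > "$d/index.txt"
  echo 01 > "$d/serial"
  echo 01 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $d
database = $d/index.txt
new_certs_dir = $d
certificate = $d/ca.crt
private_key = $d/ca.key
serial = $d/serial
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 7
default_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
  # CRLpath layout: OpenSSL looks a CRL up under the name <subject-hash>.r0
  ln -s crl.pem "$d/$(openssl crl -in "$d/crl.pem" -noout -hash).r0"
  echo "$d"
}

# Check 1: does the CRLpath directory ($1) hold a <hash>.r0 entry for the
# CRL file ($2)? Prints "ok" or "missing". Caveat: OpenSSL 1.0 changed the
# subject-hash algorithm, so the link must be made with the same OpenSSL
# stunnel is linked against (0.9.8-style names come from -hash_old).
crl_hash_link_ok() {
  h=$(openssl crl -in "$2" -noout -hash)
  if [ -e "$1/$h.r0" ]; then echo ok; else echo missing; fi
}

# Check 2: whole days until the CRL's nextUpdate (negative once expired).
# stunnel rejects every new connection once this reaches zero, so alert
# well before and schedule the restart that loads the refreshed CRL.
crl_days_left() {
  nu=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2)
  exp=$(date -d "$nu" +%s)   # GNU date parses "Jan  2 03:04:05 2025 GMT"
  echo $(( (exp - $(date +%s)) / 86400 ))
}

DEMO_DIR=$(make_demo_crl)
trap 'rm -rf "$DEMO_DIR"' EXIT
echo "hash link: $(crl_hash_link_ok "$DEMO_DIR" "$DEMO_DIR/crl.pem")"
echo "days left: $(crl_days_left "$DEMO_DIR/crl.pem")"
```

In production, point `crl_hash_link_ok` at the real CRLpath directory and `crl_days_left` at the CRL you copy in, and run both from cron; when the hash link is missing or the days-left figure drops below your refresh margin, the CRL update is either not in place or is about to expire in the running stunnel.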