
Hello, I noticed a change in the functionality of CRL checking in server mode somewhere between stunnel version 5.2.00 and 5.31.00. We have multiple services listening for incoming connections and a global option `CRLfile = crls.pem`, with crls.pem containing a few CRLs but not one for every possible client certificate, and not all client certificates having a CRL distribution point configured. This worked with the old version in the sense that all clients could connect. I don't know if CRL checking really worked; they are all empty and I can't test.

With the new version, client certificates with no CRL and no CRL distribution point configured get rejected with the errors "CERT: Pre-verification error: unable to get certificate CRL" and "SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed". If I remove the global entry for CRLfile with the new version, all clients can connect again. I guess I could enter the CRLfile option on the service level, but it could be that some client certificates connecting to a specific service have a CRL and some don't.

My questions: Is this intended behaviour? I find it logical to check the CRL of a client certificate if there is one in the CRLfile, and if there isn't, to not check. Does a CRL distribution point configured in a client certificate play any role?
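The "unable to get certificate CRL" error quoted above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_CRL: once CRL checking is switched on for a verify store, the verifier looks for a loaded CRL whose issuer matches the issuer of the certificate being checked, and fails the chain when none is found. The script below is an added example (written for this page, not code from the original poster or from the stunnel project) that performs that lookup offline: it reads every `X509 CRL` block from a crls.pem bundle, reads each client certificate, and reports the clients whose issuer has no CRL in the bundle, so an administrator can see which clients a global `CRLfile` would reject before touching the configuration. It only walks the DER far enough to extract the issuer Name and compares names by raw DER bytes (a simplification of OpenSSL's name comparison); it performs no signature checks. The certificates and CRL it runs on are constructed in-memory stand-ins built with the `fake_cert`/`fake_crl` helpers, not real credentials.

```python
import base64
import re

# One PEM block; a crls.pem bundle may contain many of them.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]


def der_tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Return [(tag, raw_tlv_bytes)] for the elements of a constructed value."""
    out = []
    while start < end:
        tag, _, vend = der_tlv(buf, start)
        out.append((tag, buf[start:vend]))
        start = vend
    return out


def tbs_children(der):
    """Outer SEQUENCE -> its first element is the TBS SEQUENCE; return the TBS children."""
    _, vs, _ = der_tlv(der, 0)
    tbs_tag, tvs, tve = der_tlv(der, vs)
    if tbs_tag != 0x30:
        raise ValueError("tbs is not a SEQUENCE")
    return der_children(der, tvs, tve)


def cert_issuer(der):
    """Issuer Name (raw DER) of a Certificate: [0] version?, serial, sigalg, issuer, ..."""
    items = tbs_children(der)
    if items[0][0] == 0xA0:  # explicit [0] version is optional (absent in v1 certs)
        items = items[1:]
    serial, sigalg, issuer = items[0], items[1], items[2]
    if serial[0] != 0x02 or sigalg[0] != 0x30 or issuer[0] != 0x30:
        raise ValueError("unexpected certificate layout")
    return issuer[1]


def crl_issuer(der):
    """Issuer Name (raw DER) of a CertificateList: version?, sigalg, issuer, ..."""
    items = tbs_children(der)
    if items[0][0] == 0x02:  # INTEGER version is optional (absent in v1 CRLs)
        items = items[1:]
    sigalg, issuer = items[0], items[1]
    if sigalg[0] != 0x30 or issuer[0] != 0x30:
        raise ValueError("unexpected CRL layout")
    return issuer[1]


def clients_without_crl(crl_pem, client_pems):
    """Names of client certs whose issuer has no CRL in the bundle (these fail CRL checking)."""
    crl_issuers = {crl_issuer(der) for label, der in pem_blocks(crl_pem) if label == "X509 CRL"}
    missing = []
    for name, pem in client_pems.items():
        for label, der in pem_blocks(pem):
            if label == "CERTIFICATE" and cert_issuer(der) not in crl_issuers:
                missing.append(name)
    return missing


# --- constructed test data: hand-built DER stand-ins, not real certificates ---
def tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def name_cn(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID 2.5.4.3 (CN), UTF8String }"""
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))


SIGALG = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))  # sha256WithRSA


def fake_cert(issuer_cn, subject_cn):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SIGALG + name_cn(issuer_cn)
           + tlv(0x30, b"") + name_cn(subject_cn) + tlv(0x30, b""))  # empty validity/spki
    return tlv(0x30, tlv(0x30, tbs) + SIGALG + tlv(0x03, b"\x00"))


def fake_crl(issuer_cn):
    tbs = tlv(0x02, b"\x01") + SIGALG + name_cn(issuer_cn) + tlv(0x17, b"")  # empty thisUpdate
    return tlv(0x30, tlv(0x30, tbs) + SIGALG + tlv(0x03, b"\x00"))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# crls.pem holds a CRL for one CA only; client-b was issued by a CA with no CRL in the bundle.
CRLS_PEM = to_pem("X509 CRL", fake_crl("Corp CA 1"))
CLIENTS = {
    "client-a": to_pem("CERTIFICATE", fake_cert("Corp CA 1", "client-a")),
    "client-b": to_pem("CERTIFICATE", fake_cert("Corp CA 2", "client-b")),
}

if __name__ == "__main__":
    for client in clients_without_crl(CRLS_PEM, CLIENTS):
        print(f"{client}: issuer has no CRL in the bundle -> 'unable to get certificate CRL'")
```

Run it against a real crls.pem and a directory of client certificates by replacing `CRLS_PEM` and `CLIENTS` with file contents; any client listed is one that a global `CRLfile` will reject, which is exactly the situation described in the post (a CRL present for some issuers but not for all).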