Hello
Is it possible to get stunnel to disconnect people on a graceful restart when a certificate has expired? Stunnel version 4.30 added the graceful reload option, which is great because it will allow us to reload the CRLs, keep everybody connected and prevent new people connecting when their certs have expired (tested and working). However, existing connections are not terminated even though they have just expired. I'm not sure if we've missed a configuration option or if this is just not possible.
A little background:
We host an IRC server listening on localhost:6667, on top of that we have stunnel listening on the external interface port 6697
We're using the CAfile and CRLpath options to ensure that people are connecting with a valid certificate.
Every hour a job runs to download the latest CRL files; if there is a change, it restarts stunnel and kicks everybody off (we'd like to use a graceful restart instead).
We are running stunnel on Red Hat Linux using the following line inside an init script to run it as a daemon: daemon /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
Excerpt from stunnel.conf:
setuid = daemon
setgid = daemon
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[irc-in]
CAfile = /etc/ca/our-chains.pem
CRLpath = /etc/crl
accept = 192.168.0.1:6697
connect = localhost:6667
verify = 2
Running stunnel -version tells me:
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
Global options
debug = daemon.notice
pid = /var/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Kind Regards
Dave
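The hourly CRL job from the background section, rewritten to use stunnel's graceful reload (SIGHUP, available since 4.30) instead of a full restart. This is an added example written for this thread, not code from the original post or from the stunnel project; it assumes the CAfile, CRLpath and pid paths shown in the excerpt above, and the CRL URL is a placeholder.

```shell
#!/bin/sh
# Hourly CRL refresh with a graceful stunnel reload (added example; not from the post).
# Assumed, not in the original: CRL_URL (placeholder) and the curl/openssl tools.
set -eu

CRL_URL="${CRL_URL:-https://ca.example.invalid/our.crl}"  # placeholder, replace
CA_FILE=/etc/ca/our-chains.pem      # CAfile from the [irc-in] section
CRL_DIR=/etc/crl                    # CRLpath from the [irc-in] section
PID_FILE=/var/run/stunnel.pid       # pid from the global options

# 0 (true) when the downloaded CRL $1 differs from the one installed at $2.
crl_changed() {
    [ -f "$2" ] || return 0
    [ "$(cksum < "$1")" != "$(cksum < "$2")" ]
}

# CRLpath is an OpenSSL hashed directory: files must be named <issuer-hash>.r0,
# otherwise OpenSSL's CRL lookup will not find the file at all.
hashed_name() {
    printf '%s.r0\n' "$(openssl crl -in "$1" -noout -hash)"
}

# Reject a CRL that is not signed by one of the CAs in our chain file.
crl_verified() {
    openssl crl -in "$1" -noout -CAfile "$CA_FILE" 2>&1 | grep -q 'verify OK'
}

# SIGHUP asks stunnel (4.30+) to re-read its configuration, including CRLs,
# while keeping established sessions open.
stunnel_reload() {
    kill -HUP "$(cat "$1")"
}

refresh_crl() {
    tmp=$(mktemp)
    curl -fsS "$CRL_URL" -o "$tmp"
    # CAs publish DER or PEM; normalise to PEM, which is what CRLpath expects.
    if ! openssl crl -in "$tmp" -noout >/dev/null 2>&1; then
        openssl crl -in "$tmp" -inform DER -out "$tmp.pem"
        mv "$tmp.pem" "$tmp"
    fi
    crl_verified "$tmp" || { echo "CRL signature check failed" >&2; rm -f "$tmp"; exit 1; }
    target="$CRL_DIR/$(hashed_name "$tmp")"
    if crl_changed "$tmp" "$target"; then
        install -m 0644 "$tmp" "$target"
        stunnel_reload "$PID_FILE"
    fi
    rm -f "$tmp"
}

if [ "${1:-}" = "--run" ]; then refresh_crl; fi
```

This replaces the restart only; it does not by itself drop sessions that were established before the certificate expired, which is the part the question above is asking about.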