Hi,
I am using stunnel in server mode with mutual authentication. The PKI used to authenticate my client is the following: root CA -> Intermediate CA -> Client.
My stunnel configuration is:
CAfile = RootCA.pem
CRLfile = IntermediateCACRL.pem
verify = 2
RootCA.pem contains the Root CA certificate
IntermediateCACRL.pem contains the CRL file of the Intermediate CA
The client authentication with client certificate goes well. The problem occurs when a client certificate is revoked. After the Intermediate CA CRL has been updated, the client certificate is still accepted whereas it should be refused.
With the following configuration the revoked certificate is refused:
CAfile = IntermediateCA.pem
CRLfile = IntermediateCACRL.pem
verify = 2
but I would prefer to use the first configuration.
Everything happens as if stunnel checks the CRL only for the CA certificate and not for the whole certification chain.
Thank you for your answers,
Jean-Philippe Constant
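The setup described in this post, as an added example that is neither the poster's nor stunnel's own code: a throwaway three-level PKI built with the openssl command line tool (assumed to be installed; every file and CA name is constructed here), the client certificate revoked on the intermediate's CRL, and the chain checked with the same OpenSSL verifier stunnel relies on, using only the root as trust anchor.

```shell
# Added example, not from the original post or from stunnel: a throwaway PKI
# shaped like the one described (root CA -> intermediate CA -> client), with
# the client revoked on the intermediate's CRL, checked with the OpenSSL
# verifier stunnel builds on. Needs the openssl CLI; all names are constructed.
WORK=$(mktemp -d)

# mkcert NAME ISSUER CA_FLAG: key and CSR, then a certificate signed by ISSUER
# ("self" for the root). CA_FLAG (TRUE/FALSE) becomes basicConstraints.
mkcert() {
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}
mkcert root self TRUE
mkcert inter root TRUE
mkcert client inter FALSE     # will be revoked
mkcert client2 inter FALSE    # stays valid

# Minimal "openssl ca" setup for the intermediate: revocation and CRL
# generation only need a database file and a digest. Revoke, then issue the CRL.
: > "$WORK/index.txt"
printf '[ca]\ndefault_ca=inter\n[inter]\ndatabase=%s/index.txt\ndefault_md=sha256\n' \
  "$WORK" > "$WORK/ca.cnf"
CA="openssl ca -config $WORK/ca.cnf -cert $WORK/inter.pem -keyfile $WORK/inter.key"
$CA -revoke "$WORK/client.pem" 2>/dev/null
$CA -gencrl -crldays 30 -out "$WORK/inter.crl" 2>/dev/null

# verify_chain CERT [verify options]: the root is the only trust anchor (the
# "CAfile = RootCA.pem" case) and the intermediate is supplied untrusted, as a
# client sends it in the handshake. Prints "OK" or the first error reason.
verify_chain() {
  cert=$1; shift
  if out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
           "$@" "$WORK/$cert.pem" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}
verify_chain client  -crl_check     -CRLfile "$WORK/inter.crl"  # certificate revoked
verify_chain client2 -crl_check     -CRLfile "$WORK/inter.crl"  # OK
verify_chain client2 -crl_check_all -CRLfile "$WORK/inter.crl"  # unable to get certificate CRL
```

The last call fails for a different reason than revocation: with whole-chain checking OpenSSL wants a CRL for every CA in the chain, so a CRL issued by the root would have to be supplied alongside the intermediate's for that mode to pass.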