Hi,
I want to control access to a through stunnel reachable service. Only those clients shall be allowed to use the service which provide a known certificate. I have found the option "CApath"; can this directory be used to collect all client certificates? Or is it absolutely necessary to have CA certs there?
Another thing in this environment: I do not know or own every CA certificate used by the clients - I only get the client certificates itself. So I want to do only a one-level client cert verification. Which verify level do I need for this? 2 or 3?
What about removing certificates from the CApath directory? Do I have to restart stunnel to make this change be effective?
Another thing: since the client certificates are not revoked by us I am not able to use CRLs for controlling access to our service.
Hi,
From my limited use of Stunnel, I have determined that you do not need to
restart Stunnel after you remove client certificates. Stunnel check the certificate every time the client connects, so if it is there for one connection and not the next, then the 2nd connection will fail as it should.
Not 100% sure about the others. Sorry.
Paul.
From: "Nardmann, Heiko" heiko.nardmann@secunet.com Reply-To: "Nardmann, Heiko" Heiko.Nardmann@secunet.com To: stunnel-users@mirt.net Subject: [stunnel-users] Q: controlled access to service? Date: Wed, 13 Jul 2005 15:10:34 +0200
Hi,
I want to control access to a through stunnel reachable service. Only those clients shall be allowed to use the service which provide a known certificate. I have found the option "CApath"; can this directory be used to collect all client certificates? Or is it absolutely necessary to have CA certs there?
Another thing in this environment: I do not know or own every CA certificate used by the clients - I only get the client certificates itself. So I want to do only a one-level client cert verification. Which verify level do I need for this? 2 or 3?
What about removing certificates from the CApath directory? Do I have to restart stunnel to make this change be effective?
Another thing: since the client certificates are not revoked by us I am not able to use CRLs for controlling access to our service.
-- Heiko Nardmann (Dipl.-Ing. Technische Informatik) secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de), Weidenauer Str. 223-225, D-57076 Siegen Tel. : +49 271 48950-13, Fax : +49 271 48950-50 << attach4 >> _______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
_________________________________________________________________ Have fun with your mobile! Ringtones, wallpapers, games and more. http://fun.mobiledownloads.com.au/191191/index.wl
"Nardmann, Heiko" heiko.nardmann@secunet.com wrote:
What about removing certificates from the CApath directory? Do I have to restart stunnel to make this change be effective?
This question was already answered: http://stunnel.mirt.net/pipermail/stunnel-users/2004-December/000192.html Why are you asking it again?
Best regards, Mike