On 2011.08.30. 15:19, Uldis Biks wrote:
Hi,
I'm trying to achieve the following setup with stunnel: accept only clients whose certificates are not in the Certificate Revocation List (CRLpath), but no luck so far. I've created a self-signed CA and created 3 certs, and with the following setup I was able to accept only clients with certificates in CApath or CAfile:
cert = /root/stunnel_test/01.pem
chroot = /root/stunnel_test/chroot/
verify = 3
CApath = good_certs/
ciphers = 3DES:RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES
debug = 7
output = /root/stunnel_test/stunnel.log
client = no
pid = /good_certs/stunnel.pid
foreground = yes

[pop3s]
accept = localhost:37171
connect = localhost:22
But when I change CApath to CRLpath and verify from 3 to 2, I can connect with all certs, and the client is not disconnected based on the revocation list.
Can someone help me out? Thanks!
$ stunnel -version
stunnel 4.29 on i386-redhat-linux-gnu with OpenSSL 1.0.0-fips 29 Mar 2010
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
CRLpath does not replace CApath. Verifying a certificate requires both. I tried to replace CAfile with CRLfile and stunnel refused to start (it refuses to start if CAfile/CApath is missing). How did you manage to start stunnel with CApath missing?
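For reference, an added example of a configuration that keeps both directives (this is not configuration from either poster or from the stunnel project; all paths are hypothetical). It relies on two points from the stunnel manual and OpenSSL's lookup-by-hash directories: CApath and CRLpath are resolved inside the chroot jail when chroot is set (unlike CAfile, which is loaded before the chroot), and the files in them must be named by subject hash, `<hash>.0` for CA certificates (from `openssl x509 -hash -noout -in ca.pem`) and `<hash>.r0` for CRLs (from `openssl crl -hash -noout -in ca.crl`), computed with the same OpenSSL version stunnel links against, since the hash scheme changed in OpenSSL 1.0.0.

```ini
; stunnel.conf (added example, hypothetical paths)
cert    = /etc/stunnel/server.pem
chroot  = /var/run/stunnel/
setuid  = nobody
setgid  = nobody
pid     = /stunnel.pid        ; resolved inside the chroot
foreground = yes
debug   = 7
output  = /var/log/stunnel.log

; verify = 2: require a client certificate and verify it against the CA chain
; in CApath; a certificate listed in a CRL found in CRLpath is then rejected.
verify  = 2
; Both directories live under /var/run/stunnel/ on disk (they are opened
; after chroot), and contain hash-named files:
;   /var/run/stunnel/ca/<hash>.0   -> CA certificate (openssl x509 -hash -noout -in ca.pem)
;   /var/run/stunnel/crl/<hash>.r0 -> CRL            (openssl crl  -hash -noout -in ca.crl)
CApath  = /ca/
CRLpath = /crl/

[pop3s]
accept  = localhost:37171
connect = localhost:22
```

To confirm the CRL is actually consulted, revoke one client certificate, regenerate the CRL and its `<hash>.r0` entry, and connect with that certificate: with `debug = 7` the log should show the verification failure for the revoked certificate while the other certificates still connect.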