Hi!
Since I want to write CRL files from all relevant CAs based on a regular (daily) basis I wonder whether it is necessary to restart stunnel if the contents of the CRL or CA directory changes.
The regular part is going to be handled by a cronjob which does an LDAP search which results in the CA certificate and crl files.
How does stunnel work in this situation? Do I need a restart after a cron run or not?
Thanks in advance!
- --
Heiko Nardmann (Dipl.-Ing. Technische Informatik)
secunet Security Networks AG - Security in Networks (www.secunet.de), Weidenauer Str. 223-225, D-57076 Siegen
Tel. : +49 271 48950-13, Fax : +49 271 48950-50
Visit us from 10 to 16 March at CeBIT 2005 in Hall 7, Stand D38.
Information on our CeBIT topics can be found at www.secunet.com - we look forward to talking with you.
On 2005-01-31, at 15:24, Heiko Nardmann wrote:
> Since I want to write CRL files from all relevant CAs based on a regular (daily) basis I wonder whether it is necessary to restart stunnel if the contents of the CRL or CA directory changes.
> The regular part is going to be handled by a cronjob which does an LDAP search which results in the CA certificate and crl files.
> How does stunnel work in this situation? Do I need a restart after a cron run or not?
The rule is simple and effective:
- stunnel (as well as the OpenSSL library) handles *adding* a (hashed) file to the CApath and/or CRLpath without restart,
- all other operations, including changing CAfile and CRLfile (they are outside of the chroot jail, so they're not accessible to a running stunnel daemon) and removing a file (they're cached for better performance), require restarting stunnel.
BTW: Removing a certificate should *not* be used to revoke it. CRLs should be used to revoke certificates!
Best regards, Mike
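The following is an added example (not code from the thread, stunnel or OpenSSL) of the cron-side half of the workflow Heiko describes: fetched CA certificates and CRLs are written into stunnel's CApath/CRLpath under the hashed names OpenSSL's directory lookup expects (`<subject hash>.N` for certificates, `<issuer hash>.rN` for CRLs, as `openssl x509 -hash` / `openssl crl -hash` print them), and the script reports whether the change set is "additions only" (picked up live) or contains modified or removed files (restart needed, per Mike's rule). Function names, the `prune` flag and the sample file names in the test are assumptions of this example; the hash-name function shells out to an `openssl` binary assumed to be on PATH.

```python
#!/usr/bin/env python3
"""Added example: install fetched CA certs / CRLs into stunnel's CApath or
CRLpath and tell the cron job whether stunnel has to be restarted.

Rule applied: a file *added* to the lookup directory is seen by the running
daemon; a *modified* or *removed* file is not (contents are cached), so those
changes require a restart.
"""
import subprocess
import sys
from pathlib import Path


def openssl_hash_name(pem_path, kind, index=0):
    """Hash-style file name for an OpenSSL lookup directory.

    kind="cert" -> <subject_hash>.<index>, kind="crl" -> <issuer_hash>.r<index>.
    Assumption: an `openssl` binary is on PATH.
    """
    tool = "x509" if kind == "cert" else "crl"
    out = subprocess.check_output(
        ["openssl", tool, "-noout", "-hash", "-in", str(pem_path)], text=True)
    suffix = ".r" if kind == "crl" else "."
    return f"{out.strip()}{suffix}{index}"


def read_dir(directory):
    """Snapshot a lookup directory as {file name: content bytes}."""
    return {p.name: p.read_bytes() for p in Path(directory).iterdir() if p.is_file()}


def plan_changes(desired, current):
    """Compare what this run wants (`desired`) with what is on disk (`current`).

    Both are {file name: bytes}. `desired` is treated as the complete set, so
    anything on disk that is not in it is reported as "removed".
    """
    added = sorted(n for n in desired if n not in current)
    removed = sorted(n for n in current if n not in desired)
    modified = sorted(n for n in desired if n in current and current[n] != desired[n])
    unchanged = sorted(n for n in desired if n in current and current[n] == desired[n])
    return {"added": added, "modified": modified, "removed": removed, "unchanged": unchanged}


def restart_required(plan):
    """Only pure additions are safe without restarting stunnel."""
    return bool(plan["modified"] or plan["removed"])


def apply_plan(desired, directory, plan, prune=False):
    """Write additions and modifications atomically; delete removals only if prune=True."""
    d = Path(directory)
    for name in plan["added"] + plan["modified"]:
        tmp = d / (name + ".tmp")
        tmp.write_bytes(desired[name])
        tmp.replace(d / name)  # rename, so the daemon never reads a half-written file
    if prune:
        for name in plan["removed"]:
            (d / name).unlink()


def main(argv):
    # Usage: install_lookup_dir.py cert|crl <CApath-or-CRLpath> <fetched.pem>...
    kind, directory, files = argv[1], argv[2], argv[3:]
    desired = {openssl_hash_name(f, kind): Path(f).read_bytes() for f in files}
    plan = plan_changes(desired, read_dir(directory))
    apply_plan(desired, directory, plan)
    for key in ("added", "modified", "removed", "unchanged"):
        print(f"{key}: {', '.join(plan[key]) or '-'}")
    # Exit status 3 signals the calling cron script to restart stunnel.
    return 3 if restart_required(plan) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note what the plan shows for the daily CRL refresh itself: a re-fetched CRL from the same issuer maps to the same `<issuer hash>.r0` name, so it arrives as a modification, not an addition, and under the rule above the cron job ends with a restart. Only genuinely new CAs or CRLs (new hash names) are the "no restart" case; the calling script can use the exit status to decide.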