Mike:
Here are the configuration and the log files as you requested....
--------------------------------------------- BEGIN CONFIG ---------------------------------
# switch-simulator stunnel configuration file
# Copyright by Michal Trojnara 2002

# Certs and keys
cert = /etc/certs/demoedge2-cert.pem
key = /etc/keys/demoedge2-key.pem

# PID is created inside chroot jail
pid = /var/opt/stunnel/stunnel_server.pid

# Authentication stuff
verify = 2
options = NO_SSLv2

# don't forget about c_rehash CApath
# it is located inside chroot jail:
CApath = /etc/CApath

# CRL path or file (inside chroot jail):
CRLpath = /etc/crl

# Some debugging stuff
debug = local4.5
output = /var/opt/log/pras_test_server.log

# Use it for client mode
#client = no

# Service-level configuration
[APF]
accept = 10.172.86.128:51101
connect = 127.0.0.1:50111
---------------------------------------------- END CONFIG ----------------------------------

--------------------------------------------- BEGIN LOG FILE -------------------------------
2006.06.11 19:27:25 LOG5[8839:7]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.11 19:27:25 LOG3[8839:7]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.11 19:27:25 LOG5[8839:7]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=VISA/OU=Visa International Service Association/CN=TEST Visa Info Delivery Root CA
2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, , lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371
2006.06.12 23:01:08 LOG5[8839:9]: VERIFY OK: depth=2, <VISA CA>
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 23:01:08 LOG3[8839:9]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 23:01:08 LOG5[8839:9]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
------------------------------------------- END LOG FILE --------------------------------------

On 2006-06-12, at 22:17, Nagasundaram, Sekhar wrote:
We download CRLs every day from a CRL server using LDAP and a cron job. These CRLs are stored in the CRLpath directory along with their hashes. It appears that stunnel is not refreshing its cache, and it still shows "Found CRL is expired - revoking all certificates until you get updated CRL" when we try to connect to it, even though there is a new and valid CRL in the CRLPath folder. Is there a special option in the stunnel configuration for it to recognize/cache/add the new hash file?
Just to make sure: the problem disappears after restarting stunnel, right?
The simple workaround could be disabling all SSL caches:

./configure --with-threads=fork
make clean
make
make install
Can you send your stunnel.conf and debug log?
TIA, Mike
Sekhar Nagasundaram
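The rejections in the log above, as an added detection example (this is not stunnel code and not from either poster): a Python script that parses stunnel 4.x log lines of the layout shown in this thread, groups them by the pid:conn tag stunnel prints in brackets, and reports each connection that was refused because the CRL on disk had already passed its nextUpdate, together with how long it had been stale. The sample lines are the ones posted above; treating the local log time and OpenSSL's GMT timestamps as directly comparable is an assumption noted in the code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: the three connection attempts from the log posted in
# this thread, copied verbatim (the first one has no "connected from" line).
SAMPLE_LOG = """\
2006.06.11 19:27:25 LOG5[8839:7]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.11 19:27:25 LOG3[8839:7]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.11 19:27:25 LOG5[8839:7]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=VISA/OU=Visa International Service Association/CN=TEST Visa Info Delivery Root CA
2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, , lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371
2006.06.12 23:01:08 LOG5[8839:9]: VERIFY OK: depth=2, <VISA CA>
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 23:01:08 LOG3[8839:9]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 23:01:08 LOG5[8839:9]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# "date time LOGn[pid:conn]: message" as seen in the posted log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<conn>\d+)\]: (?P<msg>.*)$")
# The posted log has both ", lastUpdate" and ", , lastUpdate"; accept both.
CRL_RE = re.compile(
    r"^CA CRL: Issuer: (?P<issuer>.*?),(?: ,)? lastUpdate: (?P<last>.*?), "
    r"nextUpdate: (?P<next>.*)$")
EXPIRED_MSG = "Found CRL is expired"
ACCEPT_FAIL = "SSL_accept:"


def parse_openssl_time(text):
    """'Jun 9 07:00:02 2006 GMT' -> naive datetime (extra spaces collapsed)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")


def find_stale_crl_rejections(log_text):
    """One finding per pid:conn that hit an expired CRL, in connection order.

    stale_for = log time minus the CRL's nextUpdate.  Assumption: stunnel
    logs local time while OpenSSL prints GMT, so the value is off by the
    host's UTC offset; good enough to rank findings, not an exact figure.
    """
    state = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or unrelated noise
        key, msg = (m["pid"], m["conn"]), m["msg"]
        crl = CRL_RE.match(msg)
        if crl:
            state[key]["issuer"] = crl["issuer"].strip()
            state[key]["next_update"] = parse_openssl_time(crl["next"])
        elif msg.startswith(EXPIRED_MSG):
            state[key]["expired_at"] = datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S")
        elif msg.startswith(ACCEPT_FAIL):
            state[key]["rejected"] = True

    findings = []
    for (pid, conn), s in sorted(state.items(), key=lambda kv: (int(kv[0][0]), int(kv[0][1]))):
        if "expired_at" not in s:
            continue
        stale = s["expired_at"] - s["next_update"] if "next_update" in s else None
        findings.append({"conn": f"{pid}:{conn}", "issuer": s.get("issuer"),
                         "next_update": s.get("next_update"), "stale_for": stale,
                         "rejected": s.get("rejected", False)})
    return findings


def summarize(findings):
    """Per-issuer count and worst staleness, the two numbers an alert needs."""
    by_issuer = defaultdict(lambda: {"count": 0, "max_stale": timedelta(0)})
    for f in findings:
        entry = by_issuer[f["issuer"]]
        entry["count"] += 1
        if f["stale_for"] is not None and f["stale_for"] > entry["max_stale"]:
            entry["max_stale"] = f["stale_for"]
    return dict(by_issuer)


if __name__ == "__main__":
    found = find_stale_crl_rejections(SAMPLE_LOG)
    for f in found:
        print(f"{f['conn']}: CRL from {f['issuer']} was {f['stale_for']} past "
              f"nextUpdate; handshake rejected={f['rejected']}")
    print(summarize(found))
```

Run against a live stunnel debug log, three findings with the same issuer and a growing stale_for is exactly the pattern this thread describes: the file under CRLpath was replaced, but the running process kept serving the cached copy until a restart. Alerting on max_stale crossing the CRL's own validity window catches that long before the next client complains.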
On Tuesday 13 June 2006 02:14, Nagasundaram, Sekhar wrote:
Here are the configuration and the log files as you requested....
Thank you. Please try the following change:
--- ctx.old 2006-06-13 23:33:29.000000000 +0200 +++ ctx.c 2006-06-13 23:35:33.000000000 +0200 @@ -460,6 +460,7 @@ s_log(LOG_DEBUG, "Loaded CRLs from %s", section->crl_file); } if(section->crl_dir) { + section->revocation_store->cache=0; lookup=X509_STORE_add_lookup(section->revocation_store, X509_LOOKUP_hash_dir()); if(!lookup) {
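Review bot: the added line `section->revocation_store->cache=0;` writes the `cache` member of the X509_STORE structure directly rather than going through an OpenSSL function, so it builds only while that struct stays visible in the OpenSSL headers stunnel compiles against; a one-line comment stating that the cache is switched off so the hash_dir lookup re-reads a refreshed CRL from crl_dir instead of returning the stale cached object would record the intent, which the hunk otherwise leaves to the reader. Placing it only under `if(section->crl_dir)` is consistent with the `crl_file` branch just above, which loads its CRLs once from the file at startup and has nothing on disk to re-read.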
BTW: Did my workaround work?
Best regards, Mike