Hello,
I noticed a change in functionality of CRL checking in server mode somewhere between stunnel version 5.2.00 and 5.31.00.
We have multiple services listening for incoming connections and a global option CRLfile = crls.pem, with crls.pem containing a few CRLs but not one for every possible client certificate, and client certificates not all having a CRL distribution point configured.
This worked with the old version in the sense that all clients could connect. I don't know if CRL checking really worked; they are all empty and I can't test.
With the new version, client certificates with no CRL and no CRL distribution point configured got rejected with the errors "CERT: Pre-verification error: unable to get certificate CRL" and "SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed".
If I remove the global entry for CRLfile with the new version, all clients can connect again. I guess I could enter the CRLfile option at service level, but it could be that some client certificates connecting to a specific service have a CRL and some don't.
My questions:
Is this intended behaviour? I find it logical to check the CRL of a client certificate, if there is one in the CRLfile, if there isn't, to not check.
Does a CRL distribution point configured in a client certificate play any role?
On 02.03.2016 19:05, Fritz Gschwendner wrote:
> My questions:
> Is this intended behaviour? I find it logical to check the CRL of a client certificate, if there is one in the CRLfile, if there isn't, to not check.
Yes, this is the intended behaviour. For many years stunnel used its own (quite ugly) CRL checking code, which ignored missing CRLs. Since stunnel 5.24 I switched to the more strict built-in OpenSSL CRL verification. The new functionality, if enabled, requires a valid CRL for a CA before a certificate signed by this CA can be accepted. The underlying concept is called "fail-secure" or "fail-closed".
> Does a CRL distribution point configured in a client certificate play any role?
If by the "CRL distribution point" you mean Indirect CRL (as defined in RFC 3280, section 5), then they are currently ignored by stunnel. The support is on my TODO list: https://www.stunnel.org/sdf_todo.html
Best regards, Mike
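The fail-closed behaviour Mike describes can be reproduced outside stunnel with OpenSSL's own verifier, which is what stunnel hands CRL checking to since 5.24. The script below is an added example, not code from the original thread and not stunnel's code: it builds a throw-away CA, one client certificate without a CRL distribution point and two CRLs (one empty, one listing the client), all in a temporary directory with a constructed config, and then runs `openssl verify -crl_check` in the three situations from the thread. The only assumption is that the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original thread, not stunnel's own code):
# reproduces the fail-closed CRL behaviour using OpenSSL's verifier, which
# stunnel delegates to since 5.24. The CA, client certificate and CRLs are
# throw-away objects generated below; nothing here is real key material.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config shared by 'openssl req' and 'openssl ca' (constructed for
# this demo so the script does not depend on the system openssl.cnf).
cat >"$WORK/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
private_key = $WORK/ca.key
certificate = $WORK/ca.pem
default_md = sha256
default_crl_days = 2
EOF
: >"$WORK/index.txt"

# Throw-away CA, one client certificate with no CRL distribution point,
# and an empty CRL (the "they are all empty" case from the question).
make_demo_pki() {
    openssl req -config "$WORK/demo.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=client1" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -out "$WORK/client.pem" 2>/dev/null
    openssl ca -config "$WORK/demo.cnf" -gencrl -out "$WORK/crl-empty.pem" 2>/dev/null
}

# Revoke the client certificate and issue a second CRL that lists it.
make_revoked_crl() {
    openssl ca -config "$WORK/demo.cnf" -revoke "$WORK/client.pem" 2>/dev/null
    openssl ca -config "$WORK/demo.cnf" -gencrl -out "$WORK/crl-revoked.pem" 2>/dev/null
}

# verify_client CERT [CRL]: verify with CRL checking enabled, like stunnel
# does when CRLfile is set, and print "ok" or OpenSSL's error reason.
# -CAfile here plays the role of stunnel's CAfile, -CRLfile of CRLfile.
verify_client() {
    cert=$1
    crl=${2:-}
    if [ -n "$crl" ]; then
        out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$crl" "$cert" 2>&1) && { echo ok; return 0; }
    else
        out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" "$cert" 2>&1) && { echo ok; return 0; }
    fi
    # Keep only the reason text from "error N at D depth lookup: <reason>".
    printf '%s\n' "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

make_demo_pki
make_revoked_crl
echo "CRL checking on, no CRL for the CA:  $(verify_client "$WORK/client.pem")"
echo "CRL checking on, empty CRL present:  $(verify_client "$WORK/client.pem" "$WORK/crl-empty.pem")"
echo "CRL checking on, cert on the CRL:    $(verify_client "$WORK/client.pem" "$WORK/crl-revoked.pem")"
```

The first case is exactly the "unable to get certificate CRL" pre-verification error from the question: with CRL checking enabled, OpenSSL treats a missing CRL for the issuing CA as a verification failure rather than as "nothing to check". The second case shows the way to keep the global CRLfile and still admit every client under the new behaviour: issue a CRL (an empty one is enough) for each CA listed in CAfile and append it to crls.pem. The third case is the reason the stricter mode exists.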