
Hello,

I noticed a change in functionality of CRL checking in server mode somewhere between stunnel version 5.2.00 and 5.31.00.

We have multiple services listening for incoming connections and a global option CRLfile = crls.pem, with crls.pem containing a few CRLs but not one for every possible client certificate, and client certificates not all having a CRL distribution point configured. This worked with the old version in the sense that all clients could connect. I don't know if CRL checking really worked; they are all empty and I can't test.

With the new version, client certificates with no CRL and no CRL distribution point configured got rejected with errors "CERT: Pre-verification error: unable to get certificate CRL" and "SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed". If I remove the global entry for CRLfile with the new version, all clients can connect again. I guess I could enter the CRLfile option on service level, but it could be that some client certificates connecting to a specific service have a CRL and some don't.

My questions:

Is this intended behaviour? I find it logical to check the CRL of a client certificate, if there is one in the CRLfile, if there isn't, to not check.

Does a CRL distribution point configured in a client certificate play any role?

On 02.03.2016 19:05, Fritz Gschwendner wrote:
> My questions:
> Is this intended behaviour? I find it logical to check the CRL of a client certificate, if there is one in the CRLfile, if there isn't, to not check.
Yes, this is the intended behaviour. For many years stunnel used its own (quite ugly) CRL checking code, which ignored missing CRLs. Since stunnel 5.24 I switched to the more strict built-in OpenSSL CRL verification. The new functionality, if enabled, requires a valid CRL for a CA before a certificate signed by this CA can be accepted. The underlying concept is called "fail-secure" or "fail-closed".
> Does a CRL distribution point configured in a client certificate play any role?
If by the "CRL distribution point" you mean Indirect CRL (as defined in RFC 3280, section 5), then they are currently ignored by stunnel. The support is on my TODO list: https://www.stunnel.org/sdf_todo.html

Best regards,
Mike
participants (2)
- Fritz Gschwendner
- Michal Trojnara