I'm having a problem with my stunnel 4.05 setup:
We are using a setup where each client that connects has to have a valid certificate present on the filesystem (verify = 3). After the client connects once, it seems that the certificate is cached by either the SSL libraries or stunnel:
stunnel.conf:

cert = /etc/stunnel/servercert.pem
CAfile = /usr/share/ssl/CA/cacert.pem
CApath = /etc/stunnel/clientdb
verify = 3

[https]
accept = 443
connect = remote.server.name:443
local = 192.168.0.6
Some output:

Oct 15 19:36:34 machine stunnel[14139]: VERIFY OK: depth=1, /C=CA/ST=Ontario/L=Here/O=Us/OU=Bigwigs/CN=CA Cert/emailAddress=certainly@here.com
Oct 15 19:36:34 fruitfly stunnel[14139]: VERIFY OK: depth=0, /C=CA/ST=Ontario/O=Us/OU=slackers anonymous/CN=Daniel Unceman/emailAddress=dunce@here.com
... and the same thing after I remove the hash link in /etc/stunnel/clientdb.
But only after I restart does it do the right thing:

Oct 15 19:40:24 fruitfly stunnel[15247]: VERIFY OK: depth=1, /C=CA/ST=Ontario/L=Here/O=Us/OU=Bigwigs/CN=CA Cert/emailAddress=certainly@here.com
Oct 15 19:40:24 fruitfly stunnel[15247]: VERIFY ERROR ONLY MY: no cert for /C=CA/ST=Ontario/O=Us/OU=slackers anonymous/CN=Daniel Unceman/emailAddress=dunce@here.com
Help! We don't want to have to restart stunnel every time we remove a user.
Thanks,
Michael Brown
On Oct 18, 2004, at 9:01 PM, Michael Brown wrote:
> Help! We don't want to have to restart stunnel every time we remove a user.
It's perfectly okay. You should add a CRL to CRLpath instead of removing a certificate from CApath.
Best regards, Mike