Hello
Is it possible to get stunnel to disconnect people on a graceful restart when a certificate has expired? Stunnel version 4.30 added the graceful reload option, which is great because it will allow us to reload the CRLs, keep everybody connected and prevent new people connecting when their certs have expired (tested and working). However, existing connections are not terminated even though they have just expired... I'm not sure if we've missed a configuration option or if this is just not possible.
A little background: We host an IRC server listening on localhost:6667; on top of that we have stunnel listening on the external interface, port 6697. We're using the CAfile and CRLpath options to ensure that people are connecting with a valid certificate. Every hour a job runs to download the latest CRL files; if there is a change it restarts stunnel and kicks everybody off (we'd like to use a graceful restart instead).
We are running stunnel on Red Hat Linux using the following line inside an init script to run it as a daemon:

    daemon /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
Excerpt from stunnel.conf:

    setuid = daemon
    setgid = daemon
    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1

    [irc-in]
    CAfile = /etc/ca/our-chains.pem
    CRLpath = /etc/crl
    accept = 192.168.0.1:6697
    connect = localhost:6667
    verify = 2
Running stunnel -version tells me:

    Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

    Global options
    debug           = daemon.notice
    pid             = /var/run/stunnel.pid
    RNDbytes        = 64
    RNDfile         = /dev/urandom
    RNDoverwrite    = yes

    Service-level options
    cert            = /etc/stunnel/stunnel.pem
    ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
    session         = 300 seconds
    stack           = 65536 bytes
    sslVersion      = SSLv3 for client, all for server
    TIMEOUTbusy     = 300 seconds
    TIMEOUTclose    = 60 seconds
    TIMEOUTconnect  = 10 seconds
    TIMEOUTidle     = 43200 seconds
    verify          = none
Kind Regards,
Dave
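The hourly CRL job described above, rewritten to use the graceful reload (SIGHUP) rather than a full restart. This is an added example, not a script from the thread: the CRL URL and the file name inside CRLpath are placeholders, while /etc/crl and /var/run/stunnel.pid are taken from the config and -version output quoted above.

```shell
#!/bin/sh
# Hourly CRL refresh that reloads stunnel gracefully (SIGHUP) instead of restarting it.
# Constructed example: CRL_URL and CRL_NAME are assumptions; CRL_DIR and PIDFILE match
# the CRLpath and pid values quoted in the thread.
set -eu

CRL_URL="${CRL_URL:-https://ca.example.invalid/our-ca.crl}"  # placeholder URL, not from the thread
CRL_DIR="${CRL_DIR:-/etc/crl}"                                # CRLpath in stunnel.conf
CRL_NAME="${CRL_NAME:-our-ca.crl}"                            # assumed file name inside CRLpath
PIDFILE="${PIDFILE:-/var/run/stunnel.pid}"                    # pid = /var/run/stunnel.pid

# Exit 0 when the downloaded CRL differs from the installed one (or nothing is installed yet),
# exit 1 when the two files are byte-identical, so an unchanged CRL triggers no reload.
crl_changed() {
    ! cmp -s "$1" "$2"
}

# Reject a download that does not parse as a CRL or whose nextUpdate is already past:
# installing such a file would make every handshake fail at verify = 2, not just revoked ones.
crl_is_current() {
    openssl crl -in "$1" -noout >/dev/null 2>&1 || return 1
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -d "$next" +%s)" -gt "$(date +%s)" ]   # GNU date, as shipped on Red Hat
}

# Install the new CRL, rebuild the <hash>.r0 links that CRLpath lookups depend on,
# then ask the running stunnel to reload its configuration without dropping sessions.
install_and_reload() {
    cp "$1" "$CRL_DIR/$CRL_NAME"
    openssl rehash "$CRL_DIR"        # use c_rehash "$CRL_DIR" on older OpenSSL builds
    kill -HUP "$(cat "$PIDFILE")"    # graceful reload: existing sessions stay up,
                                     # new connections are checked against the new CRL
}

refresh_crl() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl -fsS -o "$tmp" "$CRL_URL"
    if ! crl_is_current "$tmp"; then
        echo "downloaded CRL is invalid or expired, keeping the installed one" >&2
        return 1
    fi
    if crl_changed "$CRL_DIR/$CRL_NAME" "$tmp"; then
        install_and_reload "$tmp"
    fi
}

# Invoke as: sh refresh_crl.sh --run   (e.g. from the hourly cron job)
if [ "${1:-}" = "--run" ]; then refresh_crl; fi
```

As the reply below points out, the reload only affects new handshakes; sessions established before the CRL changed stay connected.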
David van Zijl wrote:
> Is it possible to get stunnel to disconnect people on a graceful restart when a certificate has expired?
Breaking invalid sessions is more complex than people might think. Validating sessions would also involve performing an OCSP request, checking whether the local certificate was revoked by the remote site, etc.
I think the only reasonable way to implement it would be to execute SSL_renegotiate() for each SSL structure, so it renegotiates encryption on next data transfer. stunnel does not even keep a list of all SSL structures, now. Would you like to sponsor this feature?
Mike