Q: stunnel checking of certs?

Hi all!

Two questions:

1) does stunnel read the cert files/directories only once at startup or every time it has to check a certificate?

2) does stunnel support CRLs? e.g. getting the CRL via LDAP?

--
Heiko Nardmann (Dipl.-Ing. Technische Informatik)
secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de), Weidenauer Str. 223-225, D-57076 Siegen
Tel. : +49 271 48950-13, Fax : +49 271 48950-50

On 2004-11-30, at 15:21, Heiko Nardmann wrote:

> 1) does stunnel read the cert files/directories only once at startup or every time it has to check a certificate?

Stunnel reads certificates from a *file* at startup. It reads certificates from a *directory* only the *first* time they're needed. Ergo: there's no alternative to CRLs. 8-)

> 2) does stunnel support CRLs? e.g. getting the CRL via LDAP?

Stunnel has supported CRLs since version 4.05. CRLs can be provided in a file or in a directory (just like certificates).

Best regards,
Mike

Okay, quite stupid to answer my own questions, but since it is only partly ...

On Tuesday 30 November 2004 15:21, Heiko Nardmann wrote:

> Hi all!
>
> Two questions:
>
> 1) does stunnel read the cert files/directories only once at startup or every time it has to check a certificate?

As far as I can see in the source code, a call to SSL_CTX_load_verify_locations(3) is made which stores the information about CApath (from the configuration file) inside the SSL context.

> 2) does stunnel support CRLs? e.g. getting the CRL via LDAP?

As seen from the man page, CRLs are supported, but not fetching them via LDAP. So getting a CRL via LDAP is a task for a daily cron job (with ldapsearch inside).

--
Heiko Nardmann (Dipl.-Ing. Technische Informatik)
secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de), Weidenauer Str. 223-225, D-57076 Siegen
Tel. : +49 271 48950-13, Fax : +49 271 48950-50
Participants (2):
- Heiko Nardmann
- Michal Trojnara