Hi together!
Two questions:
1) does stunnel read the cert files/directories only once at startup or every time it has to check a certificate?
2) does stunnel support CRLs? e.g. getting the CRL via LDAP?
-- 
Heiko Nardmann (Dipl.-Ing. Technische Informatik)
secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de), Weidenauer Str. 223-225, D-57076 Siegen
Tel.: +49 271 48950-13, Fax: +49 271 48950-50
On 2004-11-30, at 15:21, Heiko Nardmann wrote:
> 1) does stunnel read the cert files/directories only once at startup or every time it has to check a certificate?
Stunnel reads certificates from a *file* at startup. It reads certificates from *directory* only the *first* time they're needed.
Ergo: there's no alternative to CRLs. 8-)
> 2) does stunnel support CRLs? e.g. getting the CRL via LDAP?
Stunnel does support CRLs since version 4.05. CRLs can be provided in a file or in a directory (just like certificates).
Best regards, Mike
Okay, it is quite stupid to answer my own questions, but since it is only partly ...
On Tuesday 30 November 2004 15:21, Heiko Nardmann wrote:
> Hi together!
> Two questions:
> 1) does stunnel read the cert files/directories only once at startup or every time it has to check a certificate?
As far as I can see in the source code, a call to SSL_CTX_load_verify_locations(3) is made, which stores the information about CApath (from the configuration file) inside the SSL context.
> 2) does stunnel support CRLs? e.g. getting the CRL via LDAP?
As seen from the man page, CRLs are supported, but fetching them via LDAP is not. So getting a CRL via LDAP is a task for a cron job (with ldapsearch inside) run daily.
-- 
Heiko Nardmann (Dipl.-Ing. Technische Informatik)
secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de), Weidenauer Str. 223-225, D-57076 Siegen
Tel.: +49 271 48950-13, Fax: +49 271 48950-50
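Added example (not from the thread, and not part of stunnel itself): the cron job Heiko describes, pulling the CRL out of LDAP with ldapsearch and dropping it into the directory Mike says stunnel can read CRLs from. Everything named below is an assumption for illustration: the LDAP URI, the DN of the CA entry, the CA file and CRL directory paths, and that OpenLDAP's ldapsearch, OpenSSL and GNU coreutils (base64, date) are installed. The one step worth getting right is the LDIF parsing: ldapsearch folds long base64 values onto continuation lines that begin with a single space, so the value has to be re-joined before decoding. The script also checks the CRL's signature and nextUpdate before installing it, since a CRL fetched from a directory server is untrusted data until its signature is verified, and a replayed stale CRL still carries a valid signature.

```shell
#!/bin/sh
# crl-sync.sh: fetch a CA's CRL from LDAP and install it under stunnel's CRLpath.
# Added example for this thread, not stunnel's own tooling. All values below are
# assumed placeholders; override them through the environment.
set -u

LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"          # assumed directory server
CRL_DN="${CRL_DN:-cn=Example CA,ou=PKI,o=Example}"        # assumed entry holding the CRL
CA_FILE="${CA_FILE:-/etc/stunnel/ca.pem}"                 # PEM cert of the CRL issuer
CRL_PATH="${CRL_PATH:-/etc/stunnel/crls}"                 # directory given as CRLpath in stunnel.conf

# Read LDIF on stdin, return the DER bytes of certificateRevocationList;binary.
# ldapsearch wraps long values: continuation lines start with one space, so they
# are glued back onto the base64 string before decoding.
ldif_extract_crl() {
    awk '
        /^certificateRevocationList;binary:: / {
            sub(/^certificateRevocationList;binary:: /, ""); b64 = $0; grab = 1; next
        }
        grab && /^ / { sub(/^ /, ""); b64 = b64 $0; next }
        { grab = 0 }
        END { print b64 }
    ' | base64 -d
}

# Verify the DER CRL in $1 against the issuer certificate in $2. The "verify OK"
# line is grepped because some openssl versions exit 0 even on a bad signature.
crl_verify() {
    openssl crl -inform DER -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'
}

# Reject a CRL whose nextUpdate is already in the past (assumes GNU date -d).
crl_is_current() {
    next=$(openssl crl -inform DER -in "$1" -nextupdate -noout | sed 's/^nextUpdate=//')
    [ "$(date -d "$next" +%s)" -gt "$(date +%s)" ]
}

# Install the DER CRL in $1 into directory $2 as PEM, named <subject-hash>.r0 as
# OpenSSL's hashed-directory lookup (which is what CRLpath uses) expects.
# Written to a temp file and renamed so a reader never sees a half-written CRL.
crl_install() {
    hash=$(openssl crl -inform DER -in "$1" -hash -noout) || return 1
    tmp=$(mktemp "$2/.crl.XXXXXX") || return 1
    if ! openssl crl -inform DER -in "$1" -outform PEM -out "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$2/$hash.r0"
}

fetch_and_install() {
    der=$(mktemp) || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$CRL_DN" -s base '(objectClass=*)' \
        'certificateRevocationList;binary' | ldif_extract_crl > "$der"
    if ! crl_verify "$der" "$CA_FILE"; then
        echo "CRL from $CRL_DN failed signature check, not installed" >&2
        rm -f "$der"; return 1
    fi
    if ! crl_is_current "$der"; then
        echo "CRL from $CRL_DN is already expired, not installed" >&2
        rm -f "$der"; return 1
    fi
    crl_install "$der" "$CRL_PATH" \
        && echo "installed CRL, $(openssl crl -inform DER -in "$der" -lastupdate -noout)"
    rm -f "$der"
}

# Only run the full sync when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "sync" ]; then
    fetch_and_install
fi
```

Run it as `crl-sync.sh sync` from cron, with `CRLpath = /etc/stunnel/crls` (or `CRLfile` for a single file) and a `verify` level that actually checks the peer certificate in stunnel.conf. Two caveats: the `<hash>.r0` naming depends on the OpenSSL version (OpenSSL 1.0.0 changed the subject-hash algorithm; `c_rehash` writes both old and new names if you need to support both), and since Mike notes that directories are read when first needed, this example assumes stunnel is restarted after a new CRL lands rather than relying on the running process to notice it.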