Hi everyone,
Sorry for the repost, but in the web mailing list my previous message appears weird, so I thought I could re-post it.
I'm using stunnel v4.16 on a Windows 2003 Server, and I'm working with stunnel in verify=3 mode. I wanted to know if stunnel needs to be restarted after a certificate has been removed? If not, how long is the certificate considered valid after the file has been removed?
Regards,
Edouard DESSIOUX, Project Director
Tibco Mobile, 3, rue Danton - 92240 Malakoff
Tel.: +33 (0)1 55 58 04 59 - Fax: +33 (0)1 55 58 03 89 - Mob.: +33 (0)6 34 02 61 54
E-mail: edessioux@tibco.fr - www.tibcomobile.fr
Do something for the planet: print this message only if necessary.
Edouard Dessioux wrote:
I wanted to know if stunnel needs to be restarted after a certificate has been removed?
This is *not* the way X.509 was designed to perform certificate revocation. Use CRLs or OCSP instead.
Also see:
http://stunnel.mirt.net/pipermail/stunnel-users/2004-December/000192.html
http://en.wikipedia.org/wiki/Certificate_revocation_list
http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
Best regards, Mike
Thanks Michal for the answer. The certificate removal was not meant to act as a revocation, but more as a temporary disablement, like, for example, someone on vacation who should not use the corporate network, or such.
I saw the reference you indicated: http://stunnel.mirt.net/pipermail/stunnel-users/2004-December/000192.html With this, I understand that this is not possible, because the certificate, once loaded, is kept in memory.
I got my answer, thanks.
-----Original Message-----
From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On behalf of Michal Trojnara
Sent: Tuesday 29 April 2008 12:12
To: stunnel-users@mirt.net
Subject: Re: [stunnel-users] Verify=3 restart needed ?
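What Mike's advice looks like in practice, and how it also covers Edouard's "temporary disablement" case: the following script is an added example, not code from the thread or from the stunnel project. It builds a throwaway CA with the openssl command line (the library stunnel links against), issues a client certificate, suspends it with the RFC 5280 reason code certificateHold (the reversible reason meant for exactly this kind of hold), publishes a CRL, and checks the certificate with `openssl verify -crl_check`. That is the same CRL lookup stunnel performs on a client certificate when `CRLfile` or `CRLpath` is configured next to `verify = 3` and `CAfile`. The CA name, the user name alice and all paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): CRL-based suspension of a client
# certificate, checked the way a verify = 3 stunnel would check it.
# Names and paths below are constructed for this demo.
set -eu

# Create a scratch CA directory with the files "openssl ca" expects.
# Prints the directory path.
make_demo_ca() {
  work=$(mktemp -d)
  mkdir "$work/newcerts"
  : > "$work/index.txt"
  echo 01 > "$work/serial"
  echo 01 > "$work/crlnumber"
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $work/index.txt
new_certs_dir = $work/newcerts
certificate = $work/ca.pem
private_key = $work/ca.key
serial = $work/serial
crlnumber = $work/crlnumber
default_md = sha256
default_crl_days = 1
policy = demo_policy
x509_extensions = v3_leaf
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
commonName = Demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
  # Self-signed CA certificate (two days is plenty for a demo).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/ca.cnf" \
    -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
  # An initial, empty CRL so that -crl_check has something to consult.
  openssl ca -config "$work/ca.cnf" -gencrl -out "$work/crl.pem" >/dev/null 2>&1
  echo "$work"
}

# Issue a client certificate for the given CN under the CA in $1.
# Prints the path of the new certificate.
issue_client_cert() {
  work=$1; cn=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" -config "$work/ca.cnf" \
    -keyout "$work/$cn.key" -out "$work/$cn.csr" >/dev/null 2>&1
  openssl ca -batch -config "$work/ca.cnf" -days 1 -notext \
    -in "$work/$cn.csr" -out "$work/$cn.pem" >/dev/null 2>&1
  echo "$work/$cn.pem"
}

# Put the certificate on hold (the reversible revocation reason) and
# regenerate the CRL so that verifiers see the change.
suspend_client_cert() {
  work=$1; cert=$2
  openssl ca -config "$work/ca.cnf" -revoke "$cert" -crl_reason certificateHold >/dev/null 2>&1
  openssl ca -config "$work/ca.cnf" -gencrl -out "$work/crl.pem" >/dev/null 2>&1
}

# Check a certificate against the CA and its current CRL.
# Prints "valid" or "revoked"; any other verification failure is an error.
crl_status() {
  work=$1; cert=$2
  if out=$(openssl verify -CAfile "$work/ca.pem" -crl_check \
             -CRLfile "$work/crl.pem" "$cert" 2>&1); then
    echo valid
  else
    case "$out" in
      *revoked*) echo revoked ;;
      *) echo "unexpected verify result: $out" >&2; return 1 ;;
    esac
  fi
}

# Stand-alone demo run.
DEMO=$(make_demo_ca)
ALICE=$(issue_client_cert "$DEMO" alice)
echo "before hold: $(crl_status "$DEMO" "$ALICE")"
suspend_client_cert "$DEMO" "$ALICE"
echo "after hold:  $(crl_status "$DEMO" "$ALICE")"
rm -rf "$DEMO"
```

Releasing the hold later is a CA-side operation: the entry is simply left out of the next CRL, and the certificate verifies again without anyone touching the certificate files on the stunnel host. Whether a given stunnel version re-reads the CRL file without a restart is a separate question from how X.509 revocation is expressed; check it against the running version before relying on it.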
Good Morning Mike:
I had a question and sent it to the list (it might not have gone through). The question was: is it possible for stunnel to go to the router, for example 10.10.1.1, to scan for a port of interest and see whether there is a request through that port? So the NAT router would not have to forward the port to the stunnel on my local machine, e.g. 10.10.1.188, on which stunnel is listening on port 8888 and will relay it to 5631 of the local program.
Thanks
J