Hi there
Is stunnel capable of re-reading updated CRLs on the fly? Without needing to be restarted?
I have tried both CRLfile and CRLpath (with the hashes) with no luck. It appears stunnel only reads them on startup and never refers to them again? There also seems to be no option to send a HUP or the like to force a re-read - only a full restart will make stunnel re-read the CRLs. I.e., our system works after a fresh restart until the original CRL expires, and then stunnel starts rejecting new connections with "Found CRL is expired - revoking all certificates until you get updated CRL" - even though there have been several CRL file (and hash) updates in between. Restarting stunnel makes it start working again.
I've googled around and see several other people have asked similar questions over the years, and there are references by Michal Trojnara that it should work?
This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No chroot jail
Thanks!
Hi there
I got no reply to this. Isn't anyone else using CRLs?
Jason
I have also been bitten by this problem. I didn't try much though. I just wrote some scripts to automatically restart stunnel when the CRL is updated. It might not be feasible for your case though.
On Wed, Nov 19, 2008 at 6:13 AM, Jason Haar <Jason.Haar@trimble.co.nz> wrote:
Hi there
I got no reply to this. Isn't anyone else using CRLs?
Jason
-- Cheers
Jason Haar, Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377, Fax: +64 3 9635 417. PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
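The workaround Sandeep describes (restart stunnel whenever the CRL changes) is straightforward to script. The following is an added example, not Sandeep's script or anything shipped with stunnel; the CRL path, the restart command and the script name crl-watch.sh are assumptions for a CentOS 5 style init system, and the expiry check relies on GNU date and the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the thread): poll a CRL file and restart stunnel
# whenever its contents change, so the running daemon loads the fresh CRL
# instead of rejecting every client once the old one expires.
# CRL_FILE, RESTART_CMD and the script name are assumptions; adjust them.

CRL_FILE="${CRL_FILE:-/etc/stunnel/crl.pem}"                # assumed path
RESTART_CMD="${RESTART_CMD:-/etc/init.d/stunnel restart}"  # assumed init script
INTERVAL="${INTERVAL:-60}"                                  # seconds between polls

# Content fingerprint of a file using POSIX cksum (CRC plus byte count),
# so a CRL rewritten in place with an unchanged mtime is still noticed.
crl_fingerprint() {
    set -- $(cksum "$1")
    echo "$1:$2"
}

# Exit status 0 when the two fingerprints differ.
crl_changed() {
    [ "$1" != "$2" ]
}

# Exit status 0 if the CRL's nextUpdate time has already passed, 1 if it
# is still valid, 2 if the file cannot be parsed. A CRL past nextUpdate is
# exactly the state that produced the "Found CRL is expired" rejections.
crl_expired() {
    next=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null | cut -d= -f2)
    [ -n "$next" ] || return 2
    exp=$(date -d "$next" +%s 2>/dev/null) || return 2
    now=$(date +%s)
    [ "$exp" -le "$now" ]
}

# Main loop: restart stunnel on every content change and warn loudly if the
# CRL that was just loaded is already expired (the update pipeline is late).
watch_crl() {
    last=$(crl_fingerprint "$CRL_FILE")
    while :; do
        sleep "$INTERVAL"
        cur=$(crl_fingerprint "$CRL_FILE")
        if crl_changed "$last" "$cur"; then
            echo "CRL changed, restarting stunnel"
            $RESTART_CMD
            last=$cur
        fi
        if crl_expired "$CRL_FILE"; then
            echo "WARNING: $CRL_FILE is past nextUpdate; clients will be rejected" >&2
        fi
    done
}

# Run the loop only when executed as crl-watch.sh, so the functions can be
# sourced and tested without starting the poller.
if [ "${0##*/}" = "crl-watch.sh" ]; then
    watch_crl
fi
```

Save it as crl-watch.sh and run it as a background job (or from the init system) alongside stunnel. Note the caveat Ludolf raises below: each restart drops the connections that are open at that moment, so keep the poll interval coarse and, if possible, publish the new CRL well before the old one's nextUpdate.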
On Wed, 2008-11-19 11:07:25 +0530, Sandeep Kumar wrote:
I have also been bitten by this problem. I didn't try much though. I just wrote some scripts to automatically restart stunnel when the CRL is updated.
Do you manage to restart stunnel without breaking existing connections?
Lately, I was looking for a signal which makes stunnel close the listen()ing sockets only. A new stunnel instance could bind() to the same local addresses then. However, I didn't find any. All signals a handler is installed for seem to make stunnel exit() only.
A 'soft restart' seems to be a missing feature in stunnel.
Ludolf
On Wed, Nov 19, 2008 at 2:40 PM, Ludolf Holzheid <lholzheid@bihl-wiedemann.de> wrote:
On Wed, 2008-11-19 11:07:25 +0530, Sandeep Kumar wrote:
I have also been bitten by this problem. I didn't try much though. I just wrote some scripts to automatically restart stunnel when the CRL is updated.
Do you manage to restart stunnel without breaking existing connections?
No. I agree a soft restart or a config reload would be great.
Lately, I was looking for a signal which makes stunnel close the listen()ing sockets only. A new stunnel instance could bind() to the same local addresses then. However, I didn't find any. All signals a handler is installed for seem to make stunnel exit() only.
A 'soft restart' seems to be a missing feature in stunnel.
Ludolf
--
Ludolf Holzheid, Bihl+Wiedemann GmbH, Floßwörthstraße 41, D-68199 Mannheim, Germany. Tel: +49 621 339960, Fax: +49 621 3392239, e-mail: lholzheid@bihl-wiedemann.de
Ludolf Holzheid <lholzheid@bihl-wiedemann.de> wrote:
A 'soft restart' seems to be a missing feature in stunnel.
I agree. Graceful configuration reload is high on my TODO list: http://stunnel.mirt.net/?page=todo_sdf
Best regards, Mike