[stunnel-users] Client certificates still valid after removal with verify = 3

Michael Brown michaelb at opentext.com
Mon Oct 18 21:01:04 CEST 2004


I'm having a problem with my stunnel 4.05 setup:

We are using a setup where each client that connects has to have a valid
certificate present on the filesystem (verify = 3). After the client
connects once, it seems that the certificate is cached by either the SSL
libraries or stunnel:

stunnel.conf:
<<<
cert = /etc/stunnel/servercert.pem
CAfile = /usr/share/ssl/CA/cacert.pem
CApath = /etc/stunnel/clientdb
verify = 3

[https]
accept = 443
connect = remote.server.name:443
local = 192.168.0.6
>>>

Some output:
Oct 15 19:36:34 machine stunnel[14139]: VERIFY OK: depth=1, /C=CA/ST=Ontario/L=Here/O=Us/OU=Bigwigs/CN=CA Cert/emailAddress=certainly at here.com
Oct 15 19:36:34 fruitfly stunnel[14139]: VERIFY OK: depth=0, /C=CA/ST=Ontario/O=Us/OU=slackers anonymous/CN=Daniel Unceman/emailAddress=dunce at here.com

... and the same thing after I remove the hash link in /etc/stunnel/clientdb.

But only after I restart does it do the right thing:
Oct 15 19:40:24 fruitfly stunnel[15247]: VERIFY OK: depth=1, /C=CA/ST=Ontario/L=Here/O=Us/OU=Bigwigs/CN=CA Cert/emailAddress=certainly at here.com
Oct 15 19:40:24 fruitfly stunnel[15247]: VERIFY ERROR ONLY MY: no cert for /C=CA/ST=Ontario/O=Us/OU=slackers anonymous/CN=Daniel Unceman/emailAddress=dunce at here.com

Help! We don't want to have to restart stunnel every time we remove a
user.

Thanks,

Michael Brown

-- 
Michael Brown  {0x527670C0} | `One of the main causes of the fall of
Systems Administrator       | the Roman Empire was that, lacking zero,
+1 519 888 7111 x2339       | they had no way to indicate successful
michaelb at opentext.com       | termination of their C programs.' - Firth
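As an added illustration (not part of the original post), the following Python scans stunnel VERIFY log lines like the ones quoted above and flags depth-0 "VERIFY OK" events for a CN that is no longer in the current allowlist, which is exactly the symptom described: a removed client still being accepted until the daemon is restarted. The log format is taken from the lines in the post and the allowlist is a constructed stand-in for the CNs whose hash links are still present in CApath.

```python
import re

# Regex for the stunnel 4.x "VERIFY" syslog lines quoted in the post
# (constructed here; other stunnel versions may format these differently).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) stunnel\[(?P<pid>\d+)\]: "
    r"VERIFY (?P<result>OK|ERROR ONLY MY): "
    r"(?:depth=(?P<depth>\d+), |no cert for )(?P<subject>/.+)$"
)

def parse_line(line):
    """Parse one syslog line; return a dict or None if it is not a VERIFY line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    # "no cert for" lines carry no depth; the peer cert is depth 0 by definition.
    ev["depth"] = int(ev["depth"]) if ev["depth"] is not None else 0
    return ev

def cn_of(subject):
    """Extract the CN component from a slash-separated OpenSSL subject string."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None

def find_stale_acceptances(lines, allowed_cns):
    """Return (pid, cn) pairs for depth-0 'VERIFY OK' events whose CN is not in
    allowed_cns, i.e. connections stunnel accepted on a cached verification after
    the client's cert had already been removed from the CApath directory."""
    stale = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "OK" and ev["depth"] == 0:
            cn = cn_of(ev["subject"])
            if cn not in allowed_cns:
                stale.append((ev["pid"], cn))
    return stale

# Constructed sample log, modelled on the four lines quoted in the post.
SAMPLE_LOG = [
    "Oct 15 19:36:34 machine stunnel[14139]: VERIFY OK: depth=1, /C=CA/ST=Ontario/L=Here/O=Us/OU=Bigwigs/CN=CA Cert/emailAddress=certainly at here.com",
    "Oct 15 19:36:34 fruitfly stunnel[14139]: VERIFY OK: depth=0, /C=CA/ST=Ontario/O=Us/OU=slackers anonymous/CN=Daniel Unceman/emailAddress=dunce at here.com",
    "Oct 15 19:40:24 fruitfly stunnel[15247]: VERIFY OK: depth=1, /C=CA/ST=Ontario/L=Here/O=Us/OU=Bigwigs/CN=CA Cert/emailAddress=certainly at here.com",
    "Oct 15 19:40:24 fruitfly stunnel[15247]: VERIFY ERROR ONLY MY: no cert for /C=CA/ST=Ontario/O=Us/OU=slackers anonymous/CN=Daniel Unceman/emailAddress=dunce at here.com",
]
# Constructed allowlist: CNs whose hash links currently exist in /etc/stunnel/clientdb.
CURRENTLY_ALLOWED = {"Alice Example"}

if __name__ == "__main__":
    for pid, cn in find_stale_acceptances(SAMPLE_LOG, CURRENTLY_ALLOWED):
        print(f"stunnel pid {pid} accepted removed client {cn!r}")
```

Run against the real syslog after removing a hash link; any hit from the old PID confirms the cached acceptance, and hits stop once the daemon has been restarted.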