[stunnel-users] Q: need of restart after CRL/CA directory contents change?

Michal Trojnara Michal.Trojnara at mirt.net
Mon Jan 31 21:24:35 CET 2005


On 2005-01-31, at 15:24, Heiko Nardmann wrote:
> Since I want to write CRL files from all relevant CAs based on a 
> regular
> (daily) basis I wonder whether it is necessary to restart stunnel if 
> the
> contents of the CRL or CA directory changes.
>
> The regular part is going to be handled by a cronjob which does an 
> LDAP search
> which results in the CA certificate and crl files.
>
> How does stunnel work in this situation? Do I need a restart after a 
> cron run
> or not?

The rule is simple and effective:
  - stunnel (as well as OpenSSL library) handles *adding* a (hashed) 
file to the CApath and/or CRLpath without restart,
  - all other operations, including changing CAfile and CRLfile (they 
are outside of the chroot jail, so they're not accessible to a running 
stunnel daemon) and removing a file (they're cached for better 
performance), require restarting stunnel.

BTW: Removing a certificate should *not* be used to revoke it.  CRLs 
should be used to revoke certificates!

Best regards,
     Mike




More information about the stunnel-users mailing list