[stunnel-users] Q: need of restart after CRL/CA directory contents change?
Michal Trojnara
Michal.Trojnara at mirt.net
Mon Jan 31 21:24:35 CET 2005
On 2005-01-31, at 15:24, Heiko Nardmann wrote:
> Since I want to write CRL files from all relevant CAs based on a
> regular
> (daily) basis I wonder whether it is necessary to restart stunnel if
> the
> contents of the CRL or CA directory changes.
>
> The regular part is going to be handled by a cronjob which does an
> LDAP search
> which results in the CA certificate and crl files.
>
> How does stunnel work in this situation? Do I need a restart after a
> cron run
> or not?
The rule is simple and effective:
- stunnel (as well as OpenSSL library) handles *adding* a (hashed)
file to the CApath and/or CRLpath without restart,
- all other operations, including changing CAfile and CRLfile (they
are outside of the chroot jail, so they're not accessible to a running
stunnel daemon) and removing a file (they're cached for better
performance), require restarting stunnel.
BTW: Removing a certificate should *not* be used to revoke it. CRLs
should be used to revoke certificates!
Best regards,
Mike
More information about the stunnel-users
mailing list