[stunnel-users] stunnel and expiring CRLs

Sandeep Kumar sandeep.iiit at gmail.com
Wed Nov 19 06:37:25 CET 2008


I have also been bitten by this problem. I didn't try much, though. I just
wrote some scripts to automatically restart stunnel when the CRL is updated.
It might not be feasible for your case, though.

On Wed, Nov 19, 2008 at 6:13 AM, Jason Haar <Jason.Haar at trimble.co.nz> wrote:

> Hi there
>
> I got no reply to this. Isn't anyone else using CRLs?
>
> Jason
>
> Jason Haar wrote:
> > Hi there
> >
> > Is stunnel capable of re-reading updated CRLs on the fly? Without
> > needing to be restarted?
> >
> > I have tried both CRLfile and CRLpath (with the hashes) with no luck. It
> > appears stunnel only reads them on startup and never refers to them
> > again? There also seems to be no option to send a HUP or the like to
> > force a re-read - only a full restart will make stunnel re-read the
> > CRLs. i.e. our system works after a fresh restart until the original CRL
> > expires, and then stunnel starts rejecting new connections with "Found
> > CRL is expired - revoking all certificates until you get updated CRL" -
> > even though there have been several CRL file (and hash) updates in
> > between. Restarting stunnel makes it start working again.
> >
> > I've googled around and see several other people have asked similar
> > questions over the years, and there are references by Michal Trojnara
> > that it should work?
> >
> > This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No
> > chroot jail
> >
> > Thanks!
> >
> >
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>



-- 
Sandeep Kumar
http://students.iiit.ac.in/~sandeep_kr
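
The restart-on-update workaround mentioned in this reply could look like the sketch below. It is an added example, not the poster's script or part of stunnel. It covers the `CRLfile` case only, and the file paths, the state-file location, the `CRL_WATCH` switch and the restart command are assumptions. It restarts stunnel only when the CRL differs from the copy recorded at the last restart and still parses, so a half-written download does not trigger a restart.

```shell
#!/bin/sh
# Added example: restart stunnel when its CRLfile has been replaced.
# All paths and the restart command below are assumptions, not from the thread.
CRL_FILE="${CRL_FILE:-/etc/stunnel/crl.pem}"             # file named by CRLfile
STATE_FILE="${STATE_FILE:-/var/run/stunnel-crl.loaded}"  # copy of the CRL last loaded
RESTART_CMD="${RESTART_CMD:-/sbin/service stunnel restart}"

# Succeeds if the file parses as a PEM-encoded CRL.
crl_is_valid() {
    openssl crl -in "$1" -noout >/dev/null 2>&1
}

# Succeeds if the CRL ($1) differs from the recorded copy ($2),
# or if no copy has been recorded yet.
crl_changed() {
    [ ! -f "$2" ] || ! cmp -s "$1" "$2"
}

# Return codes: 0 restarted, 1 nothing to do,
#               2 CRL unreadable or unparseable, 3 restart failed.
restart_if_updated() {
    crl=$1 state=$2
    [ -r "$crl" ] || return 2
    crl_changed "$crl" "$state" || return 1
    crl_is_valid "$crl" || return 2
    $RESTART_CMD || return 3
    # Record what stunnel has now loaded, so the next run is a no-op
    # until the CRL is replaced again.
    cp -p "$crl" "$state"
}

# Intended to run from cron right after the job that fetches the CRL, e.g.
#   CRL_WATCH=1 /usr/local/sbin/stunnel-crl-watch.sh   (hypothetical path)
# Exits 0 when stunnel was restarted or nothing changed, non-zero otherwise.
if [ "${CRL_WATCH:-0}" = 1 ]; then
    restart_if_updated "$CRL_FILE" "$STATE_FILE" || [ $? -eq 1 ]
fi
```

Scheduling it more often than the CA's CRL publication interval keeps the loaded CRL from reaching its expiry while a newer one is already on disk.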