[stunnel-users] auto-disconnecting people when CRL updated
Michal Trojnara
Michal.Trojnara at mirt.net
Fri Mar 26 23:55:25 CET 2010
David van Zijl wrote:
> Is it possible to get stunnel to disconnect people on a graceful restart
> when a certificate has expired?
Breaking invalid sessions is more complex than people might think.
Validating sessions would also involve performing an OCSP request, checking
whether the local certificate was revoked by the remote site, etc.
I think the only reasonable way to implement it would be to execute
SSL_renegotiate() for each SSL structure, so it renegotiates encryption on
the next data transfer. stunnel does not even keep a list of all SSL structures,
now. Would you like to sponsor this feature?
Mike
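
The per-session check a CRL reload would need, as an added example that is not part of the original message and is not stunnel code: it walks a table of live sessions and flags the ones whose peer certificate has expired or appears in the reloaded CRL. The session table (which, per the reply, stunnel does not keep), the function names and the sample data are hypothetical and constructed; OCSP and remote-side revocation are not covered.

```python
import ssl


def norm_serial(serial):
    """Normalise a hex serial so '00c3', 'C3' and '00:C3' compare equal."""
    return serial.replace(":", "").upper().lstrip("0") or "0"


def sessions_to_drop(sessions, revoked_serials, now):
    """Return {session_id: reason} for sessions that should be disconnected.

    sessions:        session_id -> peer certificate dict in the shape returned
                     by ssl.SSLSocket.getpeercert() (None or {} if absent).
    revoked_serials: hex serial strings taken from the reloaded CRL.
    now:             current time in seconds since the epoch.
    """
    revoked = {norm_serial(s) for s in revoked_serials}
    drop = {}
    for sid, cert in sessions.items():
        if not cert:
            # Assumption: fail closed when no validated peer certificate exists.
            drop[sid] = "no peer certificate"
        elif ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
            drop[sid] = "expired"
        elif norm_serial(cert["serialNumber"]) in revoked:
            drop[sid] = "revoked"
    return drop


# Constructed sample data: four live sessions and a one-entry CRL.
SAMPLE_SESSIONS = {
    "conn-1": {"serialNumber": "0A1B", "notAfter": "Mar 26 23:55:25 2010 GMT"},
    "conn-2": {"serialNumber": "00C3", "notAfter": "Dec 31 23:59:59 2030 GMT"},
    "conn-3": {"serialNumber": "D4", "notAfter": "Dec 31 23:59:59 2030 GMT"},
    "conn-4": None,
}
SAMPLE_CRL = ["c3"]
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 15 00:00:00 2011 GMT")

if __name__ == "__main__":
    for sid, reason in sessions_to_drop(SAMPLE_SESSIONS, SAMPLE_CRL, SAMPLE_NOW).items():
        print(sid, reason)
```
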