[stunnel-users] Client Authentication and CRL Verification
Jean-Philippe Constant
jean.philippe.constant at gmail.com
Tue Oct 16 14:36:25 CEST 2012
Hi,
I am using stunnel in server mode with mutual authentication. The PKI used
to authenticate my client is the following: root CA -> Intermediate CA ->
Client.
My stunnel configuration is:

    CAfile = RootCA.pem
    CRLfile = IntermediateCACRL.pem
    verify = 2

RootCA.pem contains the Root CA certificate.
IntermediateCACRL.pem contains the CRL file of the Intermediate CA.
The client authentication with client certificate goes well. The problem
occurs when a client certificate is revoked. After the Intermediate CA CRL
updates, the client certificate is still accepted whereas it should be
refused.
With the following configuration the revoked certificate is refused:

    CAfile = IntermediateCA.pem
    CRLfile = IntermediateCACRL.pem
    verify = 2

but I would prefer using the first configuration.
It looks as if stunnel checks the CRL only for the CA
certificate and not for the whole certification chain.
Thank you for your answers,
Jean-Philippe Constant
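
To check the chain and CRL files independently of stunnel, the following added example (not part of the original post, and not stunnel's code) rebuilds the Root CA -> Intermediate CA -> Client layout with throwaway keys and runs OpenSSL's command-line verifier using the file layout of the first configuration. The subject names, helper functions and extra file names are constructed, and the result shows what `openssl verify -crl_check` does, not what stunnel does.

```shell
#!/bin/sh
# Added example, not from the original post. Subject names, file names other
# than RootCA.pem / IntermediateCACRL.pem, and both functions are constructed.

# Build Root CA -> Intermediate CA -> two clients in directory $1, revoke one
# client at the intermediate, and write the intermediate's CRL.
build_pki() (
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = req' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    '[inter]' 'database = index.txt' 'default_md = sha256' > ca.cnf
  : > index.txt
  newreq() {   # $1 = common name, $2 = file prefix
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=$1" -keyout "$2.key" -out "$2.csr"
  }
  issue() {    # $1 = file prefix, $2 = serial; signed by the intermediate
    openssl x509 -req -in "$1.csr" -CA IntermediateCA.pem -CAkey inter.key \
      -set_serial "$2" -days 2 -out "$1.pem"
  }
  ica="-config ca.cnf -name inter -cert IntermediateCA.pem -keyfile inter.key"
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA" -extensions v3_ca \
    -keyout root.key -out RootCA.pem &&
  newreq "Demo Intermediate CA" inter &&
  openssl x509 -req -in inter.csr -CA RootCA.pem -CAkey root.key \
    -set_serial 1 -days 2 -extfile ca.cnf -extensions v3_ca \
    -out IntermediateCA.pem &&
  newreq client-good good && issue good 2 &&
  newreq client-revoked revoked && issue revoked 3 &&
  openssl ca $ica -revoke revoked.pem &&
  openssl ca $ica -gencrl -crldays 1 -out IntermediateCACRL.pem
)

# Verify client $2 with RootCA.pem as the only trust anchor and the
# intermediate's CRL. The intermediate is supplied as an untrusted chain
# certificate (assumption: the peer presents it in the handshake).
verify_client() {
  openssl verify -crl_check -CAfile "$1/RootCA.pem" \
    -untrusted "$1/IntermediateCA.pem" \
    -CRLfile "$1/IntermediateCACRL.pem" "$1/$2.pem" >/dev/null 2>&1
}

if [ "${1:-}" = run ]; then   # e.g. sh crl_demo.sh run
  d=$(mktemp -d) && build_pki "$d" >/dev/null 2>&1 || exit 1
  for c in good revoked; do
    verify_client "$d" "$c" && echo "$c: accepted" || echo "$c: refused"
  done
fi
```

If the revoked client is refused here while the good one is accepted, the chain and CRL files are consistent, and the remaining question is how the server applies them.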