[stunnel-users] Client certificates still valid after removal with verify = 3
Michael Brown
michaelb at opentext.com
Mon Oct 18 21:01:04 CEST 2004
I'm having a problem with my stunnel 4.05 setup:
We are using a setup where each client that connects has to have a valid
certificate present on the filesystem (verify = 3). After the client
connects once, it seems that the certificate is cached by either the SSL
libraries or stunnel:
stunnel.conf:
<<<
cert = /etc/stunnel/servercert.pem
CAfile = /usr/share/ssl/CA/cacert.pem
CApath = /etc/stunnel/clientdb
verify = 3
[https]
accept = 443
connect = remote.server.name:443
local = 192.168.0.6
>>>
Some output:
Oct 15 19:36:34 machine stunnel[14139]: VERIFY OK: depth=1, /C=CA/ST=Ontario/L=Here/O=Us/OU=Bigwigs/CN=CA Cert/emailAddress=certainly at here.com
Oct 15 19:36:34 fruitfly stunnel[14139]: VERIFY OK: depth=0, /C=CA/ST=Ontario/O=Us/OU=slackers anonymous/CN=Daniel Unceman/emailAddress=dunce at here.com
... and the same thing after I remove the hash link in /etc/stunnel/clientdb.
But only after I restart does it to the right thing:
Oct 15 19:40:24 fruitfly stunnel[15247]: VERIFY OK: depth=1, /C=CA/ST=Ontario/L=Here/O=Us/OU=Bigwigs/CN=CA Cert/emailAddress=certainly at here.com
Oct 15 19:40:24 fruitfly stunnel[15247]: VERIFY ERROR ONLY MY: no cert for /C=CA/ST=Ontario/O=Us/OU=slackers anonymous/CN=Daniel Unceman/emailAddress=dunce at here.com
Help! We don't want to have to restart stunnel every time we remove a
user.
Thanks,
Michael Brown
--
Michael Brown {0x527670C0} | `One of the main causes of the fall of
Systems Administrator | the Roman Empire was that, lacking zero,
+1 519 888 7111 x2339 | they had no way to indicate successful
michaelb at opentext.com | termination of their C programs.' - Firth
More information about the stunnel-users
mailing list