[stunnel-users] CRLPath not working

Nagasundaram, Sekhar snagasun at visa.com
Tue Jun 13 02:14:48 CEST 2006


Mike:

Here are the configuration and the log files as you requested.

--------------------------------------------- BEGIN CONFIG ---------------------------------
# switch-simulator stunnel configuration file
# Copyright by Michal Trojnara 2002
 
# Certs and keys
cert = /etc/certs/demoedge2-cert.pem
key = /etc/keys/demoedge2-key.pem
 
# PID is created inside chroot jail
pid = /var/opt/stunnel/stunnel_server.pid
 
# Authentication stuff
verify = 2
options = NO_SSLv2
 
# don't forget about c_rehash CApath
# it is located inside chroot jail:
 
CApath = /etc/CApath
 
# CRL path or file (inside chroot jail):
CRLpath = /etc/crl
 
 
# Some debugging stuff

debug = local4.5
output = /var/opt/log/pras_test_server.log
 
# Use it for client mode
#client = no
 
# Service-level configuration
 
[APF]
accept  = 10.172.86.128:51101
connect = 127.0.0.1:50111

---------------------------------------------- END CONFIG ----------------------------------
--------------------------------------------- BEGIN LOG FILE -------------------------------

2006.06.11 19:27:25 LOG5[8839:7]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.11 19:27:25 LOG3[8839:7]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.11 19:27:25 LOG5[8839:7]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=VISA/OU=Visa International Service Association/CN=TEST Visa Info Delivery Root CA
2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, , lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371
2006.06.12 23:01:08 LOG5[8839:9]: VERIFY OK: depth=2, <VISA CA>
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 23:01:08 LOG3[8839:9]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 23:01:08 LOG5[8839:9]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

------------------------------------------- END LOG FILE --------------------------------------
On 2006-06-12, at 22:17, Nagasundaram, Sekhar wrote:
> We download CRLs every day from a CRL server using LDAP and a cron job.
> These CRLs are stored in the CRLpath directory along with their hash.
> It appears that stunnel is not refreshing its cache, and it
> still shows "Found CRL is expired - revoking all certificates until
> you get updated CRL" when we try to connect to it even though there is
> a new and valid CRL in the CRLPath folder. Is there a special option
> in the stunnel configuration for it to recognize/cache/add the new hash
> file?

Just to make sure: the problem disappears after restarting stunnel, 
right?

The simple workaround could be disabling all SSL caches:
./configure --with-threads=fork
make clean
make
make install

Can you send your stunnel.conf and debug log?

TIA,
     Mike


Sekhar Nagasundaram
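The log above shows stunnel checking each client certificate against a CRL whose nextUpdate (Jun 10) lies two days before the connections (Jun 12), which is why it revokes everything and the handshake fails. The script below is an added example, not code from the thread's author or from the stunnel project: it parses the "CA CRL:" lines stunnel writes, compares the CRL's nextUpdate with the connection time, and pairs each stale CRL with the connection that was rejected. Run over the real log after the cron job has replaced the file on disk, a stale finding for a later connection is direct evidence that stunnel is still serving a cached copy. The sample log lines are constructed to match the format in the thread (the issuer name is a placeholder), and the comparison assumes the host clock is UTC, since stunnel logs local time while OpenSSL prints the CRL dates in GMT.

```python
"""Audit stunnel debug logs for stale CRLs.

Added example (not code from the stunnel project or the thread's author).
Parses the "CA CRL:" lines stunnel writes when it checks a client
certificate against a CRL, compares the CRL's nextUpdate with the time of
the connection, and records whether stunnel itself warned about the expiry.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log, in the format stunnel uses:
#   <local timestamp> LOG<level>[pid:conn]: <message>
# The CRL issuer is a placeholder; CRL dates are printed by OpenSSL in GMT.
# Connections 8 and 9 see a CRL that expired on Jun 10; connection 10 sees
# a fresh one, as if the CRL file had been replaced and reloaded.
SAMPLE_LOG = """\
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=EXAMPLE/CN=Example Root CA
2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=US/O=EXAMPLE CRL ISSUER, lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=US/O=EXAMPLE CRL ISSUER, lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.13 09:15:00 LOG5[8839:10]: APF connected from 10.172.86.96:35400
2006.06.13 09:15:00 LOG5[8839:10]: CA CRL: Issuer: /C=US/O=EXAMPLE CRL ISSUER, lastUpdate: Jun 13 07:00:02 2006 GMT, nextUpdate: Jun 14 08:00:02 2006 GMT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<conn>\d+)\]: (?P<msg>.*)$"
)
CRL_RE = re.compile(
    r"^CA CRL: Issuer: (?P<issuer>.*?), lastUpdate: (?P<last>.*?), "
    r"nextUpdate: (?P<next>.*)$"
)
EXPIRED_MSG = "Found CRL is expired"


def parse_openssl_time(text):
    """Parse OpenSSL's 'Jun  9 07:00:02 2006 GMT' (day may be space-padded)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")


def parse_log_time(text):
    """Parse stunnel's 'YYYY.MM.DD HH:MM:SS' timestamp (local time)."""
    return datetime.strptime(text, "%Y.%m.%d %H:%M:%S")


def audit_crl_log(log_text):
    """Return one finding per connection that was checked against a CRL.

    Assumption: the host clock is UTC, so the log timestamp is directly
    comparable with the CRL's GMT nextUpdate.  stale_hours is how long the
    CRL had been past nextUpdate at connection time (0.0 if still valid);
    stunnel_flagged is whether stunnel logged its own expiry warning.
    """
    findings = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        key = (int(m["pid"]), int(m["conn"]))
        crl = CRL_RE.match(m["msg"])
        if crl:
            event = parse_log_time(m["ts"])
            next_update = parse_openssl_time(crl["next"])
            stale = event - next_update
            findings[key] = {
                "conn": key,
                "event_time": event,
                "issuer": crl["issuer"],
                "next_update": next_update,
                "stale_hours": (round(stale.total_seconds() / 3600, 1)
                                if stale > timedelta(0) else 0.0),
                "stunnel_flagged": False,
            }
        elif EXPIRED_MSG in m["msg"] and key in findings:
            findings[key]["stunnel_flagged"] = True
    return [findings[k] for k in sorted(findings)]


def stale_crl_findings(log_text):
    """Only the connections where the loaded CRL was already past nextUpdate."""
    return [f for f in audit_crl_log(log_text) if f["stale_hours"] > 0]


if __name__ == "__main__":
    for f in stale_crl_findings(SAMPLE_LOG):
        print(f"conn {f['conn']}: CRL from {f['issuer']!r} expired "
              f"{f['stale_hours']}h before connection at {f['event_time']} "
              f"(stunnel warned: {f['stunnel_flagged']})")
```

If the CRL on disk has a later nextUpdate than the one the log reports for the same issuer at the same time, the running stunnel has not reloaded it; a restart (or the fork-threads build Mike suggests, which avoids the shared cache) is what makes the new file take effect.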