[stunnel-users] auto-disconnecting people when CRL updated

Michal Trojnara Michal.Trojnara at mirt.net
Fri Mar 26 23:55:25 CET 2010


David van Zijl wrote:
> Is it possible to get stunnel to disconnect people on a graceful restart
> when a certificate has expired?

Breaking invalid sessions is more complex than people might think.
Validating sessions would also involve performing an OCSP request, checking 
whether the local certificate was revoked by the remote site, etc.

I think the only reasonable way to implement it would be to execute 
SSL_renegotiate() for each SSL structure, so it renegotiates encryption on the 
next data transfer.  stunnel does not even keep a list of all SSL structures 
now.  Would you like to sponsor this feature?

Mike
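The reply above sketches the mechanism (keep every live SSL structure in a list, call SSL_renegotiate() on each after the CRL changes, and let the renegotiated handshake re-run certificate verification on the next data transfer) but notes that stunnel had no such list at the time. The following is an added example of that design, written for this page and not stunnel's own code. It models the registry and the "renegotiate lazily on the next transfer" rule with a CRL generation counter; the actual OpenSSL call sits behind a USE_OPENSSL define so the registry logic can be run offline. All function and field names (session_register, crl_reloaded, session_before_transfer, ...) are assumptions. Two caveats a practitioner would want: the renegotiated handshake only rejects a revoked peer if the new CRL has been loaded into the X509_STORE with X509_V_FLAG_CRL_CHECK set, and TLS 1.3 removed renegotiation entirely, so this approach applies to TLS 1.2 and earlier.

```c
/* Added example, not stunnel's own code: a registry of live TLS sessions plus
 * a CRL generation counter, so that a CRL reload can force every session to
 * renegotiate on its next data transfer.  The real OpenSSL call sits behind
 * USE_OPENSSL; without it the hook only records the request so the registry
 * logic can be exercised offline.  All names here are assumptions. */
#include <stddef.h>
#include <stdlib.h>

#ifdef USE_OPENSSL
#include <openssl/ssl.h>
#endif

struct session {
    void *ssl;                  /* SSL * in production; opaque in this model */
    unsigned long verified_gen; /* CRL generation the peer cert was last checked against */
    int renego_requests;        /* renegotiations requested so far (for inspection) */
    struct session *prev, *next;
};

static struct session *sessions;     /* head of the doubly linked live-session list */
static unsigned long crl_generation; /* incremented on every CRL reload */

/* Call right after a successful handshake: the peer was verified against the
 * CRL current at that moment, so the session starts at the current generation. */
struct session *session_register(void *ssl)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->ssl = ssl;
    s->verified_gen = crl_generation;
    s->next = sessions;
    if (sessions != NULL)
        sessions->prev = s;
    sessions = s;
    return s;
}

/* Call on close, before SSL_free(), so the list never holds a dangling SSL *. */
void session_unregister(struct session *s)
{
    if (s->prev != NULL)
        s->prev->next = s->next;
    else
        sessions = s->next;
    if (s->next != NULL)
        s->next->prev = s->prev;
    free(s);
}

/* Call after the new CRL has been loaded into the X509_STORE (with
 * X509_V_FLAG_CRL_CHECK set, or the renegotiated handshake will not consult it).
 * Nothing happens to existing sessions yet; they catch up on their next transfer. */
void crl_reloaded(void)
{
    crl_generation++;
}

static int request_renegotiation(struct session *s)
{
#ifdef USE_OPENSSL
    /* Schedules a renegotiation; the new handshake, including certificate
     * verification, is then driven by the next SSL_read()/SSL_write().
     * Not available under TLS 1.3, which removed renegotiation. */
    if (SSL_renegotiate((SSL *)s->ssl) != 1)
        return -1;
#endif
    s->renego_requests++;
    return 0;
}

/* Call before every data transfer on a session.  Returns 0 if the session is
 * current or has just been scheduled to renegotiate, -1 if scheduling failed;
 * the caller should then drop the connection rather than keep forwarding.
 * Several CRL reloads between two transfers cost only one renegotiation. */
int session_before_transfer(struct session *s)
{
    if (s->verified_gen == crl_generation)
        return 0;
    if (request_renegotiation(s) != 0)
        return -1;
    s->verified_gen = crl_generation;
    return 0;
}

size_t session_count(void)
{
    size_t n = 0;
    for (struct session *s = sessions; s != NULL; s = s->next)
        n++;
    return n;
}

/* Sessions that have not yet renegotiated since the last CRL reload. */
size_t sessions_pending(void)
{
    size_t n = 0;
    for (struct session *s = sessions; s != NULL; s = s->next)
        if (s->verified_gen != crl_generation)
            n++;
    return n;
}
```

In a real daemon the registry is touched from the accept and close paths, crl_reloaded() from the signal or reload handler, and session_before_transfer() from the transfer loop; whether the check must be serialized against the transfer loop depends on the threading model, which this model leaves out.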