[stunnel-users] CRL

yyy yyy at yyy.id.lv
Wed Aug 31 11:28:24 CEST 2011


hmm, it works for me. (CAfile and CRLfile with verify=2). What are the contents of your CRLpath?
It is supposed to contain CRLs.
  ----- Original Message ----- 
  From: Uldis Biks 
  To: stunnel-users at stunnel.org 
  Sent: Wednesday, August 31, 2011 9:09 AM
  Subject: Re: [stunnel-users] CRL


  Sorry, you are right - CAfile/CApath must always be there in order to successfully start stunnel. This is what I tested so far:
  CAfile and verify 2 - all clients can connect
  CApath and verify 3 - only clients with certs in CAfile/CApath can connect
  CAfile and CRLpath with verify 3 - no clients can connect because there are no client certs in CAfile and CRLpath is ignored
  CApath and CRLpath with verify 3 - only clients with certs in CApath can connect, CRLpath is ignored
  CAfile and CRLpath with verify 2 - all clients can connect and CRLpath is ignored


  Quoting yyy <yyy at yyy.id.lv>:
    On 2011.08.30. 15:19, Uldis Biks wrote:
    > Hi,
    >
    > I'm trying to achieve the following setup with stunnel - accept only
    > clients with certificates not in the Certificate Revocation List
    > (CRLpath), but no luck so far.
    > I've created a self-signed CA, created 3 certs and with the following setup
    > I was able to achieve - accept only clients with certificates in
    > CApath or CAfile.
    >
    > cert = /root/stunnel_test/01.pem
    > chroot = /root/stunnel_test/chroot/
    > verify = 3
    > CApath = good_certs/
    > ciphers = 3DES:RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES
    > debug = 7
    > output = /root/stunnel_test/stunnel.log
    > client = no
    > pid = /good_certs/stunnel.pid
    > foreground = yes
    > [pop3s]
    > accept = localhost:37171
    > connect = localhost:22
    >
    > but when I change CApath to CRLpath and verify from 3 to 2, I can
    > connect with all certs and the client is not disconnected based on the
    > revocation list.
    >
    > Can someone help me out? Thanks!
    >
    > stunnel -version
    > stunnel 4.29 on i386-redhat-linux-gnu with OpenSSL 1.0.0-fips 29 Mar 2010
    > Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
    >
    CRLpath does not replace CApath. Verifying a certificate requires both.
    I tried to replace CAfile with CRLfile and stunnel refused to start (it
    refuses to start if CAfile/CApath is missing).
    How did you manage to start stunnel with CApath missing?
    _______________________________________________
    stunnel-users mailing list
    stunnel-users at stunnel.org
    http://stunnel.mirt.net/mailman/listinfo/stunnel-users
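The point made in this thread, that CRLpath only adds revocation checking on top of CApath and never replaces it, can be reproduced outside stunnel with a throwaway CA. The script below is an added example written for this archive page; it is not code from the thread or from the stunnel project. It assumes an openssl binary on PATH and uses scratch directories and constructed names (demo-ca, client-good, client-revoked). It builds a CA, issues two client certificates, revokes one, generates a CRL, and lays the files out as hashed-directory entries (<hash>.0 for the CA cert, <hash>.r0 for the CRL), which is the layout OpenSSL's directory lookup expects and the one stunnel's CApath and CRLpath directives read. It then verifies each client certificate with and without the CRL, which mirrors the observations above: without the CA in CApath nothing verifies, and without a CRL the revoked certificate is accepted.

```shell
#!/bin/sh
# Added example, not from the stunnel list thread: build a throwaway CA with
# openssl, issue two client certs, revoke one, and lay the files out the way
# OpenSSL's hash-directory lookup (used by stunnel's CApath and CRLpath)
# expects: <hash>.0 for CA certs, <hash>.r0 for CRLs.
# Assumptions: an openssl binary on PATH; every path below is a scratch location.
set -eu

setup_demo_ca() {   # $1 = scratch directory (constructed for this example)
  d=$1
  mkdir -p "$d/newcerts" "$d/capath" "$d/crlpath"
  : > "$d/index.txt"            # 'openssl ca' database, starts empty
  echo 1000 > "$d/serial"
  echo 01   > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $d/index.txt
new_certs_dir    = $d/newcerts
serial           = $d/serial
crlnumber        = $d/crlnumber
certificate      = $d/ca.pem
private_key      = $d/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_client
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
EOF
  # Self-signed CA (EC keys keep the example fast)
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$d/ca.cnf" -extensions v3_ca -subj /CN=demo-ca -days 365 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Two client certs issued through 'openssl ca' so they land in the database
  for n in client-good client-revoked; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -config "$d/ca.cnf" -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/$n.csr" -out "$d/$n.pem" 2>/dev/null
  done
  # Revoke one certificate and publish a CRL
  openssl ca -config "$d/ca.cnf" -revoke "$d/client-revoked.pem" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
  # Hashed file names: CA cert -> <subject hash>.0, CRL -> <issuer hash>.r0
  cp "$d/ca.pem"  "$d/capath/$(openssl x509 -hash -noout -in "$d/ca.pem").0"
  cp "$d/crl.pem" "$d/crlpath/$(openssl crl  -hash -noout -in "$d/crl.pem").r0"
}

# Returns 0 when the cert chains to the CA in capath and is not listed in the
# CRL from crlpath: the combination stunnel needs (CApath plus CRLpath).
check_client() {   # $1 = scratch dir, $2 = client cert
  crl=$(ls "$1"/crlpath/*.r0)
  out=$(openssl verify -crl_check -CApath "$1/capath" -CRLfile "$crl" "$2" 2>&1) || true
  case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Same chain check with no CRL at all: the revoked cert is accepted again.
check_client_no_crl() {   # $1 = scratch dir, $2 = client cert
  out=$(openssl verify -CApath "$1/capath" "$2" 2>&1) || true
  case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
  d=$(mktemp -d)
  setup_demo_ca "$d"
  for n in client-good client-revoked; do
    check_client "$d" "$d/$n.pem" && r=accepted || r=rejected
    check_client_no_crl "$d" "$d/$n.pem" && s=accepted || s=rejected
    echo "$n: with CRL=$r, without CRL=$s"
  done
  # Matching stunnel fragment: both directives, since CRLpath never replaces CApath
  printf 'verify  = 2\nCApath  = %s\nCRLpath = %s\n' "$d/capath" "$d/crlpath"
}
main
```

Running it prints client-good as accepted in both modes and client-revoked as rejected only when the CRL is consulted, followed by the stunnel directives that point at the two directories. The hashed file names are the part most often missed: a CRL dropped into CRLpath under its original name is never found, which looks exactly like "CRLpath is ignored".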