[stunnel-users] CRL checking

Thu Mar 3 12:11:36 CET 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02.03.2016 19:05, Fritz Gschwendner wrote:
> My questions:
> 
> Is this intended behaviour? I find it logical to check the CRL of
> a client certificate, if there is one in the CRLfile, if there
> isn't, to not check.

Yes, this is the intended behaviour.  For many years stunnel used its
own (quite ugly) CRL checking code, which ignored missing CRLs.  Since
stunnel 5.24 I switched to the more strict built-in OpenSSL CRL
verification.  The new functionality, if enabled, requires a valid CRL
for a CA before a certificate signed by this CA can be accepted.  The
underlying concept is called "fail-secure" or "fail-closed".

> Does a CRL distribution point configured in a client certificate
> play any role?

If by the "CRL distribution point" you mean Indirect CRL (as defined
in RFC 3280, section 5), then they are currently ignored by stunnel.
The support is on my TODO list:  https://www.stunnel.org/sdf_todo.html

Best regards,
	Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJW2BvoAAoJEC78f/DUFuAUf4IQAJLI3v02fseRwDiDbC9HSqQA
ERZ7YMu6L5v42TS1BtXdaqwRKOv8zK9rX+7UdVX9AybD1YdbtwdnuHtElW0rbDmu
FhnqykEUhw5n7kP/xeE7rDnQJ4LCOvRw5Ca3JkFYI47jOLKqlvwI2D8WlR+MHwJp
xXd7P4b3ePbvufI2eIwrJJ9DZIzx4bsRLIJtOFF4PZMRV5z/dWcvbiZ1zZU3EEb0
AkWbUTAij66aivEDl57D6ZtNFF9fK4o5EXJNo45iZXZ9xjm4QldceGe6LmECWU4d
BaQzxHuXZNlNhIBPXHJLfU/pM12YQDdgbnuqOYLNlHMOqdbb7M6Whwepgc5H8MN/
xlpViWi3mMLKB1Mtw6pV6xWWNR0F6Mr2tfkvUjHR+ql6ymB6JAPe6FuyOsS1g+ZP
OpCR17GeDwiTGOQYZ4ECFy5waNeAX9wcgPARtfvIW6FtHXWddhRWyibnxOKjIATp
qpIN8ajsNSUv/z2iMbAVtJ8npa3IG+ZXjufBeCvmJi3ZOKm6srRapg7oE0+zu/3x
/py/glXlLEB9sd6PQWGqfvhT70OZDS5qvVcjOcuLDPqLEJN0BfE42xRhultTIbdL
4Bc/jjs5b1xDZ4kirwXYydbZlA8vhjghpze2W9FVHYhNhPR9Ov9XbjWwqCZwJJcI
cQ2vf92XCdL9Ep7agT7y
=P2Xf
-----END PGP SIGNATURE-----