[stunnel-users] must restart stunnel to add a new cert before it recognized it...

Rami Michael thikrat at gmail.com
Wed Nov 22 00:02:05 CET 2006


hello mike,

#1. I added a crlpath in my stunnel.conf and it was picked up on the next
start of stunnel as i can see from this log output

2006.11.21 17:49:46 LOG7[18581:3086255808]: Certificate:
/etc/stunnel/stunnel.pem
2006.11.21 17:49:46 LOG7[18581:3086255808]: Key file:
/etc/stunnel/stunnel.pem
2006.11.21 17:49:46 LOG7[18581:3086255808]: Verify directory set to
/etc/stunnel/certificates
2006.11.21 17:49:46 LOG7[18581:3086255808]: CRL directory set to
/etc/stunnel/certificates-revoke

#2. i did not have any certs in my capath or crlpath

#3. When i tried to connect from a remote machine, it was denied because it
was a self signed cert, as it should.

#4. So then i copied the correctly name *.0 cert file to my CApath and tried
connecting again from a remote box
This time it connected just fine, as it should

#5 then i moved the cert from the capath to the crlpath
When i tried to connect from the remote sensor, it was still able to connect
and was able to connect until i restarted stunnel on the local server.

#6. After restarting stunnel on the local server i was not able to connect
from the remote client, but i was given the same error as I was on step #3,
its not as if the cert was rejected, it just said "bad certificate, self
signed cert"

On 11/15/06, Michal Trojnara <Michal.Trojnara at mobi-com.net> wrote:
>
> On Wednesday 15 November 2006 06:19, Rami Michael wrote:
> > Thanks for the help guys... but its still acting a little weird
> [cut]
> > However, i tried  removing the cert from the CApath directory on the
> sensor
> > side and it seems as though stunnel caches that cert it had read in
> until
> > its restarted.
>
> Stunnel is acting perfectly fine.
>
> Deleting certificates is just not the correct way to revoke them.
>
> http://stunnel.mirt.net/pipermail/stunnel-users/2004-October/000101.html
> http://stunnel.mirt.net/pipermail/stunnel-users/2005-January/000290.html
>
> Best regards,
>     Mike
>
>
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20061121/f3ccf18a/attachment.html>


More information about the stunnel-users mailing list