[stunnel-users] stunnel and expiring CRLs

Jason Haar Jason.Haar at trimble.co.nz
Wed Nov 19 01:43:55 CET 2008


Hi there

I got no reply to this. Isn't anyone else using CRLs?

Jason

Jason Haar wrote:
> Hi there
>
> Is stunnel capable of re-reading updated CRLs on the fly? Without
> needing to be restarted?
>
> I have tried both CRLfile and CRLpath (with the hashes) with no luck. It
> appears stunnel only reads them on startup and never refers to them
> again? There also seems to be no option to send a HUP or the like to
> force a re-read - only a full restart will make stunnel re-read the
> CRLs. i.e. our system works after a fresh restart until the original CRL
> expires, and then stunnel starts rejecting new connections with "Found
> CRL is expired - revoking all certificates until you get updated CRL" -
> even though there have been several CRL file (and hash) updates in
> between. Restarting stunnel makes it start working again.
>
> I've googled around and see several other people have asked similar
> questions over the years, and there are references by Michal Trojnara
> that it should work?
>
> This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No
> chroot jail
>
> Thanks!
>
>   


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



