[stunnel-users] stunnel and expiring CRLs

Jason Haar Jason.Haar at trimble.co.nz
Wed Nov 19 01:43:55 CET 2008

Hi there

I got no reply to this. Isn't anyone else using CRLs?


Jason Haar wrote:
> Hi there
> Is stunnel capable of re-reading updated CRLs on the fly? Without
> needing to be restarted?
> I have tried both CRLfile and CRLpath (with the hashes) with no luck. It
> appear stunnel only reads them on startup and never refers to them
> again? There also seems  to be no option to send a HUP or the like to
> force a re-read - only a full restart will make stunnel re-read the
> CRLs. i.e. our system works after a fresh restart until the original CRL
> expires, and then stunnel starts rejecting new connections with "Found
> CRL is expired - revoking all certificates until you get updated CRL" -
> even though there have been several CRL file (and hash) updates in
> between. Restarting stunnel makes it start working again.
> I've googled around and see several other people have asked similar
> questions over the years, and there are references by Michal Trojnara
> that it should work?
> This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No
> chroot jail
> Thanks!


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the stunnel-users mailing list