[stunnel-users] stunnel and expiring CRLs
sandeep.iiit at gmail.com
Wed Nov 19 06:37:25 CET 2008
I have also been bitten by this problem. I didn't try much though. I just
wrote some scripts to automatically restart stunnel when the CRL is updated.
It might not be feasible for your case though.
On Wed, Nov 19, 2008 at 6:13 AM, Jason Haar <Jason.Haar at trimble.co.nz> wrote:
> Hi there
> I got no reply to this. Isn't anyone else using CRLs?
> Jason Haar wrote:
> > Hi there
> > Is stunnel capable of re-reading updated CRLs on the fly? Without
> > needing to be restarted?
> > I have tried both CRLfile and CRLpath (with the hashes) with no luck. It
> > appears stunnel only reads them on startup and never refers to them
> > again? There also seems to be no option to send a HUP or the like to
> > force a re-read - only a full restart will make stunnel re-read the
> > CRLs. i.e. our system works after a fresh restart until the original CRL
> > expires, and then stunnel starts rejecting new connections with "Found
> > CRL is expired - revoking all certificates until you get updated CRL" -
> > even though there have been several CRL file (and hash) updates in
> > between. Restarting stunnel makes it start working again.
> > I've googled around and see several other people have asked similar
> > questions over the years, and there are references by Michal Trojnara
> > that it should work?
> > This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No
> > chroot jail
> > Thanks!
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
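An added example of the kind of restart wrapper the reply above describes (not code from the thread or from the stunnel project): it restarts stunnel only when the CRL file on disk has actually changed since the last restart, and refuses to restart when the on-disk CRL is itself past its nextUpdate, because stunnel would reject every connection again immediately. The CRLfile path, the CentOS 5 init script and GNU `date -d` are assumptions.

```shell
#!/bin/sh
# Added example: restart stunnel when the CRL it loaded at startup is stale.
# stunnel 4.x reads CRLfile/CRLpath only at startup, so a new CRL on disk is
# not seen until a restart. Assumed paths; adjust to the local installation.
CRL_FILE="${CRL_FILE:-/etc/stunnel/crl.pem}"
STATE_FILE="${STATE_FILE:-/var/run/stunnel-crl.fingerprint}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/stunnel restart}"

# Fingerprint of a CRL file; detects an updated file regardless of mtime.
crl_fingerprint() {
    sha1sum "$1" | cut -d' ' -f1
}

# True (exit 0) when the file's fingerprint differs from the recorded one.
crl_changed() {
    recorded="$1"; file="$2"
    [ "$(crl_fingerprint "$file")" != "$recorded" ]
}

# True when the CRL's nextUpdate is already in the past. This is the state
# in which stunnel rejects all certificates. GNU date -d assumed (CentOS 5).
crl_expired() {
    next=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || return 1
    next=${next#nextUpdate=}
    [ -n "$next" ] || return 1
    next_epoch=$(date -d "$next" +%s 2>/dev/null) || return 1
    [ "$next_epoch" -le "$(date +%s)" ]
}

# 0: restarted with a fresh CRL; 1: restart failed; 2: nothing to do;
# 3: the CRL on disk is expired, so a restart would not help; fetch a new one.
check_and_restart() {
    if crl_expired "$CRL_FILE"; then
        echo "CRL $CRL_FILE is expired; fetch an updated CRL before restarting" >&2
        return 3
    fi
    recorded=$(cat "$STATE_FILE" 2>/dev/null || true)
    if crl_changed "$recorded" "$CRL_FILE"; then
        $RESTART_CMD || return 1
        crl_fingerprint "$CRL_FILE" > "$STATE_FILE"
        return 0
    fi
    return 2
}

# Only act when invoked as "crl-watch.sh check" (from cron, or from the job
# that downloads the new CRL); sourcing the file just defines the functions.
case "${1:-}" in
    check) check_and_restart ;;
esac
```

For a CRLpath deployment, run c_rehash on the directory before the check so the hash links point at the new file, and fingerprint that directory's listing instead of a single file.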