[stunnel-users] stunnel and expiring CRLs

Jason Haar Jason.Haar at trimble.co.nz
Thu Oct 30 10:31:18 CET 2008

Hi there

Is stunnel capable of re-reading updated CRLs on the fly? Without
needing to be restarted?

I have tried both CRLfile and CRLpath (with the hashes) with no luck. It
appears stunnel only reads them on startup and never refers to them
again? There also seems to be no option to send a HUP or the like to
force a re-read - only a full restart will make stunnel re-read the
CRLs. I.e., our system works after a fresh restart until the original CRL
expires, and then stunnel starts rejecting new connections with "Found
CRL is expired - revoking all certificates until you get updated CRL" -
even though there have been several CRL file (and hash) updates in
between. Restarting stunnel makes it start working again.

I've googled around and see several other people have asked similar
questions over the years, and there are references by Michal Trojnara
that it should work?

This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No
chroot jail.

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
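The failure described in the post above is an expired nextUpdate on the CRL that stunnel loaded at startup. The check a practitioner would want around such a deployment is one that reads the CRL actually on disk, reports when it expires, and derives the hashed file name that CRLpath expects, so that a monitoring job can warn before stunnel starts rejecting connections and can verify the new CRL landed under the right name. The following is an added example and not code from the post, from stunnel or from OpenSSL; it parses the DER CertificateList with a small TLV walker from the standard library only. It assumes the OpenSSL 0.9.8-era hash naming rule (the first four bytes of MD5 over the DER-encoded issuer Name, read little-endian, as in X509_NAME_hash_old; OpenSSL 1.0.0 and later use a different default hash and expose the old one as `openssl crl -hash_old`), and the CRL it tests against is constructed inline and unsigned, since only the tbsCertList fields are inspected.

```python
"""Inspect a DER-encoded X.509 CRL as stunnel's CRLfile/CRLpath would see it.

Added example (not stunnel or OpenSSL code): reports nextUpdate, whether the
CRL is already expired, and the 0.9.8-style CRLpath file name <hash>.r0.
"""
import datetime as dt
import hashlib
import struct
import sys


def _tlv(buf, off):
    """Parse one DER TLV at buf[off:]; return (tag, value_start, value_end)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def _children(buf, start, end):
    """Yield (tag, raw_tlv, value) for each TLV inside a constructed value."""
    off = start
    while off < end:
        tag, vs, ve = _tlv(buf, off)
        yield tag, buf[off:ve], buf[vs:ve]
        off = ve


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:
        t = dt.datetime.strptime(text, "%y%m%d%H%M%SZ")
    elif tag == 0x18:
        t = dt.datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return t.replace(tzinfo=dt.timezone.utc)


def parse_crl(der):
    """Return issuer DER, thisUpdate and nextUpdate (None if absent) of a CRL."""
    _, s, e = _tlv(der, 0)                  # CertificateList SEQUENCE
    _, ts, te = _tlv(der, s)                # tbsCertList SEQUENCE
    fields = list(_children(der, ts, te))
    i = 1 if fields[0][0] == 0x02 else 0    # optional version INTEGER
    # fields[i] is the signature AlgorithmIdentifier; issuer follows it
    issuer_der = fields[i + 1][1]
    this_update = _parse_time(fields[i + 2][0], fields[i + 2][2])
    next_update = None
    if i + 3 < len(fields) and fields[i + 3][0] in (0x17, 0x18):
        next_update = _parse_time(fields[i + 3][0], fields[i + 3][2])
    return {"issuer_der": issuer_der, "this_update": this_update,
            "next_update": next_update}


def crlpath_name(issuer_der):
    """CRLpath file name using the assumed 0.9.8-era rule (X509_NAME_hash_old):
    MD5 over the DER issuer Name, first 4 bytes little-endian, plus '.r0'."""
    digest = hashlib.md5(issuer_der).digest()
    return "%08x.r0" % struct.unpack("<I", digest[:4])[0]


def is_expired(der, now=None):
    """True when nextUpdate is in the past, the condition behind
    'Found CRL is expired'. A CRL without nextUpdate never expires."""
    info = parse_crl(der)
    if info["next_update"] is None:
        return False
    now = now or dt.datetime.now(dt.timezone.utc)
    return now > info["next_update"]


def _der(tag, content):
    """Tiny DER encoder (lengths < 65536) used only to build the sample CRL."""
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + content


def sample_crl(valid_days):
    """Constructed, unsigned CRL whose nextUpdate is now + valid_days (may be negative)."""
    now = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    next_update = now + dt.timedelta(days=valid_days)
    this_update = next_update - dt.timedelta(days=7)
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
                + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403"))               # id-at-commonName
              + _der(0x0C, b"Example Test CA"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    sig = _der(0x03, b"\x00" * 33)                                     # placeholder BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_crl(7)
    info = parse_crl(data)
    print("nextUpdate :", info["next_update"])
    print("expired    :", is_expired(data))
    print("CRLpath    :", crlpath_name(info["issuer_der"]))
```

Run it against the CRL file named in CRLfile, or against each file in the CRLpath directory, from cron and alert when `is_expired` flips or when the hashed name on disk does not match `crlpath_name`; with an OpenSSL of that era the same two facts are available as `openssl crl -in file.crl -noout -nextupdate -hash`. Since stunnel in the configuration described only consumes the files at startup, the alert is what tells you the restart is due.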