[stunnel-users] auto-disconnecting people when CRL updated

David van Zijl davidvz at gmail.com
Thu Mar 25 18:17:26 CET 2010


Hello

Is it possible to get stunnel to disconnect people on a graceful restart
when a certificate has expired? Stunnel version 4.30 added the graceful
reload option which is great because it will allow us to reload the CRLs,
keep everybody connected and prevent new people connecting when their certs
have expired (tested and working) - however existing connections are not
terminated even though they have just expired... I'm not sure if we've
missed a configuration option or if this is just not possible.

A little background:
We host an IRC server listening on localhost:6667; on top of that we have
stunnel listening on the external interface, port 6697.
We're using the CAfile and CRLpath options to ensure that people are
connecting with a valid certificate.
Every hour a job runs to download the latest CRL files; if there is a change,
it restarts stunnel and kicks everybody off (we'd like to use a graceful
restart instead).

We are running stunnel on Red Hat Linux using the following line inside an
init script to run it as a daemon: daemon /usr/local/bin/stunnel
/etc/stunnel/stunnel.conf

Excerpt from stunnel.conf:
setuid = daemon
setgid = daemon
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[irc-in]
CAfile = /etc/ca/our-chains.pem
CRLpath = /etc/crl
accept = 192.168.0.1:6697
setuid = daemon
setgid = daemon

connect = localhost:6667
verify = 2


Running stunnel -version tells me:
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug           = daemon.notice
pid             = /var/run/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /etc/stunnel/stunnel.pem
ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none

Kind Regards
Dave
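The hourly CRL job described in the post, as an added example that is not part of the original message or of the stunnel project: it downloads the CRL, verifies its signature against the CA chain, installs it into the CRLpath directory under the hashed filename OpenSSL looks for, and sends stunnel SIGHUP (stunnel 4.30's graceful reload on Unix) only when the CRL content actually changed, instead of restarting the daemon. The CRL URL is a placeholder; CRL_DIR, CA_FILE and PIDFILE are taken from the paths shown in the post; the state file location is assumed.

```shell
#!/bin/sh
# Constructed example, not from the original post: refresh the CRL, install it
# under the hashed name OpenSSL expects in CRLpath, and ask stunnel for a
# graceful reload (SIGHUP) only when the CRL content actually changed.
set -eu

# Assumed values; the URL is a placeholder. CRL_DIR, CA_FILE and PIDFILE
# match the CRLpath, CAfile and pid settings shown in the post.
CRL_URL="${CRL_URL:-https://ca.example.invalid/our-ca.crl}"
CRL_DIR="${CRL_DIR:-/etc/crl}"
CA_FILE="${CA_FILE:-/etc/ca/our-chains.pem}"
STATE_FILE="${STATE_FILE:-/var/lib/crl-sync/last.sha256}"
PIDFILE="${PIDFILE:-/var/run/stunnel.pid}"

# SHA-256 of a file, using sha256sum where present and openssl otherwise.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Succeeds (exit 0) when file $1 differs from the digest recorded in $2,
# or when no digest has been recorded yet.
crl_changed() {
    [ -f "$2" ] || return 0
    [ "$(file_digest "$1")" != "$(cat "$2")" ]
}

# Remember the digest of the CRL we just installed.
record_state() {
    mkdir -p "$(dirname "$2")"
    file_digest "$1" > "$2"
}

# Normalise a downloaded CRL ($1) to PEM in $2; many CAs publish DER.
to_pem() {
    if ! openssl crl -inform PEM -in "$1" -out "$2" 2>/dev/null; then
        openssl crl -inform DER -in "$1" -outform PEM -out "$2"
    fi
}

# Verify the CRL signature against the CA chain before installing it.
crl_verified() {
    openssl crl -in "$1" -noout -CAfile "$CA_FILE" >/dev/null 2>&1
}

# Install a PEM CRL into CRL_DIR as <issuer-hash>.r0, the name OpenSSL
# (and therefore stunnel's CRLpath lookup) uses to find CRLs in a directory.
# Write to a temp name and rename so stunnel never sees a half-written file.
install_crl() {
    name="$(openssl crl -in "$1" -noout -hash).r0"
    cp "$1" "$CRL_DIR/$name.tmp"
    mv "$CRL_DIR/$name.tmp" "$CRL_DIR/$name"
}

# Ask the running stunnel for a graceful configuration reload.
reload_stunnel() {
    kill -HUP "$(cat "$PIDFILE")"
}

main() {
    tmp="$(mktemp -d)"
    trap 'rm -rf "$tmp"' EXIT
    curl -fsS -o "$tmp/crl.raw" "$CRL_URL"
    to_pem "$tmp/crl.raw" "$tmp/crl.pem"
    if ! crl_verified "$tmp/crl.pem"; then
        echo "CRL signature check failed; not installing" >&2
        exit 1
    fi
    if crl_changed "$tmp/crl.pem" "$STATE_FILE"; then
        install_crl "$tmp/crl.pem"
        record_state "$tmp/crl.pem" "$STATE_FILE"
        reload_stunnel
        echo "CRL updated, stunnel reloaded"
    else
        echo "CRL unchanged, nothing to do"
    fi
}

# Only run the job when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it from cron as `crl-sync.sh --run`. Two caveats a practitioner should keep in mind: the `-hash` name must be produced by the same OpenSSL generation stunnel is linked against (OpenSSL 1.0.0 changed the name-hash algorithm, so a mismatch makes the CRL invisible to CRLpath), and, as the post observes, a reload only affects new handshakes; sessions that were already established before the CRL changed are not re-verified by this job.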