[stunnel-users] Client Authentication and CRL Verification

Jean-Philippe Constant jean.philippe.constant at gmail.com
Tue Oct 16 14:36:25 CEST 2012


I am using stunnel in server mode with mutual authentication. The PKI used
to authenticate my client is the following : root CA ->  Intermediate CA ->

My stunnel configuration is :

CAfile = RootCA.pem

CRLfile = IntermediateCACRL.pem

verify = 2

RootCA.pem contains the Root CA certificate

IntermediateCACRL.pem contains the CRL file of the Intermediate CA

The client authentication with client certificate goes well. The problem
occurs when a client certificate is revoked. After the Intermediate CA CRL
updates, the client certificate is still accepted whereas it should be

With the following configuration the revoked certificate is refused :

CAfile = IntermediateCA.pem

CRLfile = IntermediateCACRL.pem

verify = 2

but I would prefer using the first configuration.

Everything happens like if stunnel checks the crl only for the CA
certificate and not for the whole certification chain.

Thank you for your answers,

Jean-Philippe Constant
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20121016/df76ae04/attachment.html>

More information about the stunnel-users mailing list