[stunnel-users] CRL checking

Fritz Gschwendner droppl at yahoo.ca
Wed Mar 2 19:05:48 CET 2016


I noticed a change in functionality of CRL checking in server mode
somewhere between stunnel version 5.2.00 and 5.31.00.

We have multiple services listening for incoming connections and a
global option CRLfile = crls.pem, with crls.pem containing a few CRLs
but not one for every possible client certificate, and client
certificates not all having a CRL distribution point configured.

This worked with the old version in the sense that all clients could
connect. I don't know if CRL checking really worked; they are all empty
and I can't test.

With the new version, client certificates with no CRL and no CRL
distribution point configured get rejected with the errors "CERT:
Pre-verification error: unable to get certificate CRL" and "SSL_accept:
14089086: error:14089086:SSL
routines:ssl3_get_client_certificate:certificate verify failed".

If I remove the global entry for CRLfile with the new version, all
clients can connect again. I guess I could enter the CRLfile option on
service level, but it could be that some client certificates connecting
to a specific service have a CRL and some don't.

My questions:

Is this intended behaviour? I find it logical to check the CRL of a
client certificate if there is one in the CRLfile, and if there isn't,
to not check.

Does a CRL distribution point configured in a client certificate play
any role?
