[stunnel-users] CRL checking
droppl at yahoo.ca
Wed Mar 2 19:05:48 CET 2016
I noticed a change in functionality of CRL checking in server mode
somewhere between stunnel version 5.2.00 and 5.31.00.
We have multiple services listening for incoming connections and a
global option CRLfile = crls.pem, with crls.pem containing a few CRLs
but not one for every possible client certificate, and client
certificates not all having a CRL distribution point configured.
This worked with the old version in the sense that all clients could
connect. I don't know if CRL checking really worked; they are all empty
and I can't test.
With the new version, client certificates with no CRL and no CRL
distribution point configured got rejected with the errors "CERT:
Pre-verification error: unable to get certificate CRL" and "SSL_accept:
routines:ssl3_get_client_certificate:certificate verify failed".
If I remove the global entry for CRLfile with the new version, all
clients can connect again. I guess I could enter the CRLfile option on
service level, but it could be that some client certificates connecting
to a specific service have a CRL and some don't.
Is this intended behaviour? I find it logical to check the CRL of a
client certificate, if there is one in the CRLfile, if there isn't, to
Does a CRL distribution point configured in a client certificate play
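The "unable to get certificate CRL" text quoted in the post is OpenSSL's X509_V_ERR_UNABLE_TO_GET_CRL. It is raised whenever CRL checking (X509_V_FLAG_CRL_CHECK) is enabled on the verification context and no CRL issued by the checked certificate's CA is present in the store; OpenSSL has no mode that checks a CRL only when one happens to be loaded. The script below is an added example, not from the post or from stunnel, that reproduces this with the openssl CLI: it builds a throwaway CA, one client certificate and an empty CRL, then verifies the client certificate three times (no CRL check; CRL check with only the CA cert loaded; CRL check with the CA cert and the CRL concatenated into one PEM file, the same layout as a stunnel CRLfile). All file names, the config sections and the "Demo CA" subject are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the post or stunnel): reproduce OpenSSL's
# CRL-check behaviour behind "unable to get certificate CRL".
# Requires the openssl CLI (1.1.x or 3.x). All names below are assumptions.

# Build a throwaway PKI in directory $1:
#   ca.pem/ca.key     self-signed CA
#   client.pem        client certificate issued by that CA
#   crl.pem           empty CRL signed by the CA
#   ca+crl.pem        CA certificate with the CRL appended (a CRLfile-style store)
setup_pki() {
    dir="$1"
    # One config file serving both 'openssl req' (extensions for the CA cert)
    # and 'openssl ca -gencrl' (database and CRL lifetime).
    cat >"$dir/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
default_md = sha256
default_crl_days = 1
EOF
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        >/dev/null 2>&1
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=client" -keyout "$dir/client.key" -out "$dir/client.csr" \
        >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" >/dev/null 2>&1
    # Empty CRL: nothing revoked, but it exists for this issuer.
    : >"$dir/index.txt"
    openssl ca -batch -config "$dir/demo.cnf" -gencrl \
        -keyfile "$dir/ca.key" -cert "$dir/ca.pem" -out "$dir/crl.pem" \
        >/dev/null 2>&1
    cat "$dir/ca.pem" "$dir/crl.pem" >"$dir/ca+crl.pem"
}

# verify_client TRUSTFILE CERT [extra openssl verify flags...]
# Prints "ok" on success, otherwise the OpenSSL verify error text
# (e.g. "unable to get certificate CRL").
verify_client() {
    trust="$1"; cert="$2"; shift 2
    if out=$(openssl verify "$@" -CAfile "$trust" "$cert" 2>&1); then
        echo ok
    else
        echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

# Run the three cases and print the results. Invoke as: sh this.sh demo
demo() {
    d=$(mktemp -d)
    setup_pki "$d"
    echo "no CRL check, CA only:        $(verify_client "$d/ca.pem" "$d/client.pem")"
    echo "-crl_check, CA only:          $(verify_client "$d/ca.pem" "$d/client.pem" -crl_check)"
    echo "-crl_check, CA + empty CRL:   $(verify_client "$d/ca+crl.pem" "$d/client.pem" -crl_check)"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The middle case is the interesting one: the client certificate is perfectly valid and nothing is revoked, yet with CRL checking enabled and no CRL from its issuer in the store, verification fails with exactly the error quoted above. Adding a CRL for that issuer (the third case) is what makes it pass again, so a CRLfile-style store only works when it contains a current CRL for every CA that issued a client certificate you intend to accept.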