[stunnel-users] CRL checking
Fritz Gschwendner
2016-03-02 18:05:48 UTC
Hello,

I noticed a change in functionality of CRL checking in server mode
somewhere between stunnel version 5.2.00 and 5.31.00.

We have multiple services listening for incoming connections and a
global option CRLfile = crls.pem, with crls.pem containing a few CRLs
but not one for every possible client certificate, and client
certificates not all having a CRL distribution point configured.

This worked with the old version in the sense that all clients could
connect. I don't know if CRL checking really worked; they are all empty
and I can't test.

With the new version client certificates with no CRL and no CRL
distribution point configured got rejected with errors "CERT:
Pre-verification error: unable to get certificate CRL" and "SSL_accept:
14089086: error:14089086:SSL
routines:ssl3_get_client_certificate:certificate verify failed".

If I remove the global entry for CRLfile with the new version, all
clients can connect again. I guess I could enter the CRLfile option on
service level, but it could be that some client certificates connecting
to a specific service have a CRL and some don't.

My questions:

Is this intended behaviour? I find it logical to check the CRL of a
client certificate, if there is one in the CRLfile, if there isn't, to
not check.

Does a CRL distribution point configured in a client certificate play
any role?
Michal Trojnara
2016-03-03 11:11:36 UTC
Post by Fritz Gschwendner
Is this intended behaviour? I find it logical to check the CRL of
a client certificate, if there is one in the CRLfile, if there
isn't, to not check.
Yes, this is the intended behaviour. For many years stunnel used its
own (quite ugly) CRL checking code, which ignored missing CRLs. Since
stunnel 5.24 I switched to the more strict built-in OpenSSL CRL
verification. The new functionality, if enabled, requires a valid CRL
for a CA before a certificate signed by this CA can be accepted. The
underlying concept is called "fail-secure" or "fail-closed".
Post by Fritz Gschwendner
Does a CRL distribution point configured in a client certificate
play any role?
If by the "CRL distribution point" you mean Indirect CRL (as defined
in RFC 3280, section 5), then they are currently ignored by stunnel.
The support is on my TODO list: https://www.stunnel.org/sdf_todo.html

Best regards,
Mike
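The fail-closed behaviour Michal describes, as an added example that is not part of this thread or of stunnel itself: a shell script that builds a throwaway CA and client certificate, then runs OpenSSL's own CRL check once with no CRL for that CA and once with an empty CRL the CA issued. It assumes only that the openssl CLI is installed; every key, certificate and CRL is constructed by the script.

```shell
#!/bin/sh
# Added example, not stunnel's code. Shows what OpenSSL's built-in CRL check
# (the verifier stunnel >= 5.24 relies on) does when a client certificate's
# CA has no CRL available, and once an (even empty) CRL for that CA exists.
# Assumes the openssl CLI is installed; every key and cert is constructed here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test CA and a client certificate it signed (no CRL DP extension)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Constructed Test CA" -days 365 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=constructed-client" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt -days 30 >/dev/null 2>&1

# Minimal "openssl ca" configuration, just enough to issue an empty CRL
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
crlnumber = crlnumber
private_key = ca.key
certificate = ca.crt
default_md = sha256
default_crl_days = 30
EOF
touch index.txt
echo 01 > crlnumber

# verify_with_crl_check [crlfile]: prints "client.crt: OK" or the OpenSSL error
verify_with_crl_check() {
    if [ -n "$1" ]; then
        openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" client.crt 2>&1 || true
    else
        openssl verify -crl_check -CAfile ca.crt client.crt 2>&1 || true
    fi
}

# 1) No CRL for the issuing CA at all: fail-closed, the error stunnel logs
NO_CRL=$(verify_with_crl_check "")
# 2) Empty CRL issued by the CA: the check can complete and the cert is accepted
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
WITH_CRL=$(verify_with_crl_check ca.crl)
echo "without any CRL:   $NO_CRL"
echo "with an empty CRL: $WITH_CRL"
```

The first verify reproduces the "unable to get certificate CRL" error from the original post; the second shows that a CRL from the issuing CA, even one revoking nothing, is what the strict check needs in CRLfile.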