[stunnel-users] CRLPath not working

This is a discussion on [stunnel-users] CRLPath not working within the Stunnel Users forums, part of the Networking and Network Related category; This is a multi-part message in MIME format. ------_=_NextPart_001_01C68E7E.621B6C2B Content-Type: multipart/alternative; boundary="----_=_NextPart_002_01C68E7E....

		Usenet Forums > Networking and Network Related > Stunnel Users
[stunnel-users] CRLPath not working

LinkBack

Thread Tools

Display Modes

#1 (permalink)

06-13-2006

Nagasundaram, Sekhar

Posts: n/a

[stunnel-users] CRLPath not working

This is a multi-part message in MIME format.

------_=_NextPart_001_01C68E7E.621B6C2B
Content-Type: multipart/alternative;
boundary="----_=_NextPart_002_01C68E7E.621B6C2B"

------_=_NextPart_002_01C68E7E.621B6C2B
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

Mike:

Here are the configuration and the log files as you requested....

---------------------------------------------BEGIN CONFIG
---------------------------------
# switch-simulator stunnel configuration file
# Copyright by Michal Trojnara 2002
=20
# Certs and keys
cert =3D /etc/certs/demoedge2-cert.pem
key =3D /etc/keys/demoedge2-key.pem
=20
# PID is created inside chroot jail
pid =3D /var/opt/stunnel/stunnel_server.pid
=20
# Authentication stuff
verify =3D 2
options =3D NO_SSLv2
=20
# don't forget about c_rehash CApath
# it is located inside chroot jail:
=20
CApath =3D /etc/CApath
=20
# CRL path or file (inside chroot jail):
CRLpath =3D /etc/crl
=20
=20
# Some debugging stuff

debug =3D local4.5
output =3D /var/opt/log/pras_test_server.log
=20
# Use it for client mode
#client =3D no
=20
# Service-level configuration
=20
[APF]
accept =3D 10.172.86.128:51101
connect =3D 127.0.0.1:50111

----------------------------------------------END CONFIG
----------------------------------
--------------------------------------------- BEGIN LOG FILE
-------------------------------

2006.06.11 19:27:25 LOG5[8839:7]: CA CRL: Issuer: /C=3DUS/O=3DVISA CRL
ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10
08:00:02 2006 GMT
2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all
certificates until you get updated CRL
2006.06.11 19:27:25 LOG3[8839:7]: SSL_accept: 140890B2:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2006.06.11 19:27:25 LOG5[8839:7]: Connection reset: 0 bytes sent to SSL,
0 bytes sent to socket
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=3D2,
/C=3DUS/O=3DVISA/OU=3DVisa International Service Association/CN=3DTEST =
Visa Info
Delivery Root CA
2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=3DUS/O=3DVISA CRL
ISSUER>, , lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10
08:00:02 2006 GMT
2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all
certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL,
0 bytes sent to socket
2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371
2006.06.12 23:01:08 LOG5[8839:9]: VERIFY OK: depth=3D2, <VISA CA>
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=3DUS/O=3DVISA CRL
ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10
08:00:02 2006 GMT
2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all
certificates until you get updated CRL
2006.06.12 23:01:08 LOG3[8839:9]: SSL_accept: 140890B2:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2006.06.12 23:01:08 LOG5[8839:9]: Connection reset: 0 bytes sent to SSL,
0 bytes sent to socket

------------------------------------------- END LOG FILE
--------------------------------------
On 2006-06-12, at 22:17, Nagasundaram, Sekhar wrote:
> We download crls everyday from a CRL server using LDAP and a cronjob.
> These CRLs are stored in the CRLpath directory along with its hash.
> It appears that the stunnel is not refreshing its cache, and it
> still shows "Found CRL is expired - revoking all certificates until
> you get updated CRL" when we try to connect to it even though there is

> a
> New and valid CRL in the CRLPath folder. Is there a special option
> In Stunnel configuration for it to recognize/cache/add the new hash=20
> file

Just to make sure: the problem disappears after restarting stunnel,=20
right?

The simple workaround could be disabling all SSL caches:
../configure --with-threads=3Dfork
make clean
make
make install

Can you send your stunnel.conf and debug log?

TIA,
Mike

Sekhar Nagasundaram
<<Nagasundaram, Sekhar.vcf>>=20

------_=_NextPart_002_01C68E7E.621B6C2B
Content-Type: text/html;
charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
6.5.7232.36">
<TITLE>[stunnel-users] CRLPath not working </TITLE>
</HEAD>
<BODY>

 

Mike:


Here are the configuration =
and the log files as you requested….


---------------------------------------------BEGIN CONFIG =
---------------------------------

 # switch-simulator stunnel =
configuration file

 # Copyright by Michal Trojnara =
2002

  

 # Certs and keys

 cert =3D =
/etc/certs/demoedge2-cert.pem

 key =3D =
/etc/keys/demoedge2-key.pem

  

 # PID is created inside chroot =
jail

 pid =3D =
/var/opt/stunnel/stunnel_server.pid

  

 # Authentication stuff

 verify =3D 2

 options =3D NO_SSLv2

  

 # don't forget about c_rehash =
CApath

 # it is located inside chroot =
jail:

  

 CApath =3D /etc/CApath

  

 # CRL path or file (inside chroot =
jail):

 CRLpath =3D /etc/crl

  

  

 # Some debugging stuff


debug =3D local4.5

 output =3D =
/var/opt/log/pras_test_server.log

  

 # Use it for client mode

 #client =3D no

  

 # Service-level configuration

  

 [APF]

 accept  =3D =
10.172.86.128:51101

 connect =3D 127.0.0.1:50111


----------------------------------------------END CONFIG =
----------------------------------

 --------------------------------------------- BEGIN LOG FILE =
-------------------------------

 

2006.06.11 19:27:25 LOG5[8839:7]: =
CA CRL: Issuer: =
/C=3DUS/O=3DVISA CRL ISSUER>, =
lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 =
2006 GMT

2006.06.11 19:27:25 LOG4[8839:7]: =
Found CRL is expired - revoking all certificates until you get updated =
CRL

 2006.06.11 19:27:25 LOG3[8839:7]: =
SSL_accept: 140890B2: error:140890B2:SSL =
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

2006.06.11 19:27:25 LOG5[8839:7]: =
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

 2006.06.12 17:41:52 LOG5[8839:8]: APF =
connected from 10.172.86.96:35225

 2006.06.12 17:41:52 LOG5[8839:8]: =
VERIFY OK: depth=3D2, /C=3DUS/O=3DVISA/OU=3DVisa International Service =
Association/CN=3DTEST Visa Info Delivery Root CA

2006.06.12 17:41:52 LOG5[8839:8]: =
CA CRL: Issuer: =
/C=3DUS/O=3DVISA CRL ISSUER>, , =
lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 =
2006 GMT

2006.06.12 17:41:52 LOG4[8839:8]: =
Found CRL is expired - revoking all certificates until you get updated =
CRL

 2006.06.12 17:41:52 LOG3[8839:8]: =
SSL_accept: 140890B2: error:140890B2:SSL =
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

2006.06.12 17:41:52 LOG5[8839:8]: =
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

 2006.06.12 23:01:08 LOG5[8839:9]: APF =
connected from 10.172.86.96:35371

 2006.06.12 23:01:08 LOG5[8839:9]: =
VERIFY OK: depth=3D2, <VISA CA>

 2006.06.12 23:01:08 LOG5[8839:9]: =
CA CRL: Issuer: =
/C=3DUS/O=3DVISA CRL ISSUER>, =
lastUpdate: Jun  9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 =
2006 GMT

2006.06.12 23:01:08 LOG4[8839:9]: =
Found CRL is expired - revoking all certificates until you get updated =
CRL

 2006.06.12 23:01:08 LOG3[8839:9]: =
SSL_accept: 140890B2: error:140890B2:SSL =
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

2006.06.12 23:01:08 LOG5[8839:9]: =
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket


------------------------------------------- END LOG FILE =
--------------------------------------

 On 2006-06-12, at 22:17, =
Nagasundaram, Sekhar wrote: 
> We download crls everyday from a CRL server using LDAP and a =
cronjob. 
> These CRLs are stored in the CRLpath directory along with =
its hash. 
> It appears that the stunnel is not refreshing its cache, and =
it 
> still shows "Found CRL is expired - revoking all =
certificates until 
> you get updated CRL" when we try to connect to it even =
though there is 
> a 
> New and valid CRL in the CRLPath folder. Is there a special =
option 
> In Stunnel configuration for it to recognize/cache/add the =
new hash 
> file 
 
Just to make sure: the problem disappears after restarting stunnel, 
right? 
 
The simple workaround could be disabling all SSL caches: 
../configure --with-threads=3Dfork 
make clean 
make 
make install 
 
Can you send your stunnel.conf and debug log? 
 
TIA, 
     Mike

 

Sekhar =
Nagasundaram

 =
<<Nagasundaram, Sekhar.vcf>> 


</BODY>
</HTML>
------_=_NextPart_002_01C68E7E.621B6C2B--

------_=_NextPart_001_01C68E7E.621B6C2B
Content-Type: text/x-vcard;
name="Nagasundaram, Sekhar.vcf"
Content-Transfer-Encoding: base64
Content-Description: Nagasundaram, Sekhar.vcf
Content-Disposition: attachment;
filename="Nagasundaram, Sekhar.vcf"

QkVHSU46VkNBUkQNClZFUlNJT046Mi4xDQpOOk5hZ2FzdW5kYX JhbTtTZWtoYXINCkZOOk5hZ2Fz
dW5kYXJhbSwgU2VraGFyDQpPUkc6SW5vdmFudDtHYXRld2F5IE VuZ2luZWVyaW5nDQpUSVRMRTpD
aGllZiBTeXN0ZW1zIEFyY2hpdGVjdA0KVEVMO1dPUks7Vk9JQ0 U6Nig3MjApMjg4OQ0KVEVMO0NF
TEw7Vk9JQ0U6KDY1MCk2MTktNDQ3NA0KQURSO1dPUks6O000LT YwMjc7ODAxIE1ldHJvIENlbnRl
ciBCbHZkLjtGb3N0ZXIgQ2l0eTtDQTs5NDQwNDtVU0ENCkxBQk VMO1dPUks7RU5DT0RJTkc9UVVP
VEVELVBSSU5UQUJMRTpNNC02MDI3PTBEPTBBODAxIE1ldHJvIE NlbnRlciBCbHZkLj0wRD0wQUZv
c3RlciBDaXR5LCBDQSA5NDQwND0wRD0wQVVTQQ0KRU1BSUw7UF JFRjtJTlRFUk5FVDpzbmFnYXN1
bkB2aXNhLmNvbQ0KUkVWOjIwMDYwMzE3VDIzMjE0M1oNCkVORD pWQ0FSRA0K

------_=_NextPart_001_01C68E7E.621B6C2B
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

------_=_NextPart_001_01C68E7E.621B6C2B--

« Previous Thread | Next Thread »

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts vB code is On Smilies are Off [IMG] code is Off HTML code is Off Trackbacks are On Pingbacks are On Refbacks are On

All times are GMT +1. The time now is 12:34 PM.