How to make stunnel reload certificate files without restarting it?
Solution 1
Try killall -HUP stunnel
Version 4.30, released on 2010.01.21, contained the following enhancement:
Graceful configuration reload with HUP signal on Unix and with GUI on Windows.
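The reload in practice, as an added example that is not part of either answer: a POSIX shell script that drops one client's certificate from the CApath directory and then sends SIGHUP to the running stunnel, so the revocation applies to new handshakes without a restart. It assumes two things the post does not state: that stunnel.conf has a global pid = line pointing at the PID file stunnel writes, and that the CApath entries are stored under OpenSSL's hashed names (<subject_hash>.0, .1, ...), which is what a CApath lookup needs anyway. Certificates already loaded into the server's trust store stay trusted until that store is rebuilt, which is exactly what the HUP reload does.

```shell
#!/bin/sh
# Added example (not from the original post): revoke one client certificate
# from stunnel's CApath directory and make the running stunnel notice it via
# SIGHUP (graceful reload, stunnel >= 4.30) instead of a full restart.
#
# Assumptions not stated in the post:
#   * stunnel.conf contains a global "pid = /path/to/stunnel.pid" line, so we
#     can signal exactly the right process instead of killall'ing by name;
#   * CApath entries are stored under OpenSSL hash names (<subject_hash>.0,
#     .1, ...), which is what a CApath lookup requires anyway.
set -e

# conf_value KEY FILE: print the value of the first "KEY = value" line in an
# stunnel.conf (surrounding whitespace stripped, empty output if absent).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$2" | head -n 1
}

# revoke_client_cert CERT CAPATH: remove every CApath entry that is the same
# certificate as CERT. Entries are matched by SHA-256 fingerprint, not just by
# filename, so a different certificate that merely shares the subject hash
# (e.g. <hash>.1) survives. Prints how many entries were removed.
revoke_client_cert() {
    cert=$1; capath=$2
    subj_hash=$(openssl x509 -in "$cert" -noout -subject_hash)
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    removed=0
    for f in "$capath/$subj_hash".*; do
        [ -e "$f" ] || continue          # glob matched nothing
        if [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256)" = "$fp" ]; then
            rm -f -- "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# reload_stunnel PIDFILE: ask stunnel to re-read its configuration and
# rebuild its certificate store. Established connections keep running on
# the old context; only new handshakes see the change.
reload_stunnel() {
    kill -HUP "$(cat "$1")"
}

# main CONF CERT: revoke, then reload.
main() {
    conf=$1; cert=$2
    capath=$(conf_value CApath "$conf")
    [ -n "$capath" ] || { echo "no CApath in $conf" >&2; return 1; }
    n=$(revoke_client_cert "$cert" "$capath")
    echo "removed $n matching entries from $capath"
    reload_stunnel "$(conf_value pid "$conf")"
}

# Only act when invoked with arguments, e.g.:
#   ./revoke.sh /etc/stunnel/stunnel.conf /path/to/revoked-client.pem
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Two caveats worth knowing before relying on this: the reload affects new handshakes only, so a session the revoked client already has open stays up until it ends on its own; and if the CApath directory holds certificates under plain names with hash symlinks pointing at them, remove the target file and re-run openssl rehash (or c_rehash) on the directory before signalling, so the directory stays consistent.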
Solution 2
You could configure an exclusive port number per user and put the client certificate in a sub-dir of /etc/ssl/certs with that port number, e.g. /etc/ssl/certs/34221.
Configure your client stunnel.conf with that port.
Start one stunnel server per port with a stunnel.conf containing
cert = /etc/ssl/certs/myserver_cert.pem
CAfile = /etc/ssl/certs/cacert.pem
CApath = /etc/ssl/certs/34221
Then you have separated your user access.
Rogach
Updated on September 18, 2022
Comments
- Rogach, over 1 year ago
I have a server with stunnel, to which clients connect. Each client has its own self-signed certificate, and a copy of that certificate lies in the CApath directory on the server - so I am in control of who can access the server and who cannot.
When I need to forbid access for some client, I delete the certificate and run "service stunnel4 restart". It works just fine, but it certainly breaks the connections that are already in progress at the time of restart.
Is there a way to make stunnel see that the certificate is no longer valid without restarting it?