6

I have a server with stunnel, to which clients connect. Each client has its own self-signed certificate, and a copy of that certificate lies in the CApath directory on the server - so I am in control of who can access the server and who cannot.

When I need to forbid access for some client, I delete the certificate and run "service stunnel4 restart". It works just fine, but it certainly breaks the connections that are already in progress at the time of the restart.

Is there a way to make stunnel see that the certificate is no longer valid without restarting it?

Rogach
  • 215

2 Answers

7

Try killall -HUP stunnel

Version 4.30, released on 2010.01.21, contained the following enhancement:

Graceful configuration reload with HUP signal on Unix and with GUI on Windows.

Jeremy W
  • 3,659
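As an added example (not code from the answer above or from the stunnel project), here is a POSIX shell script that revokes a client the way the answer suggests: it removes the hash-named copy of the client's certificate from CApath and sends HUP to the PID recorded in stunnel's pid file rather than restarting the service. The paths, the CAPATH and PIDFILE variables and the function names are assumptions for illustration. Two things worth knowing when doing this: OpenSSL finds certificates in a CApath directory by subject hash, so the file stunnel actually consults is the `<hash>.N` entry (what c_rehash creates), not a copy kept under a readable name; and a reload only governs new handshakes, so a connection the revoked client already holds stays up until it closes on its own.

```shell
#!/bin/sh
# Added example (not from the original answer): revoke one stunnel client by
# removing its certificate from CApath and asking the running stunnel to
# reload with SIGHUP instead of restarting it.
#
# Assumed paths (adjust to your stunnel.conf): the CApath directory and the
# file named by stunnel's "pid =" option.
CAPATH="${CAPATH:-/etc/stunnel/clients}"
PIDFILE="${PIDFILE:-/var/run/stunnel4.pid}"

# SHA-256 fingerprint of a PEM certificate, used to match files exactly.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# OpenSSL looks certificates up in CApath by subject hash (<hash>.0,
# <hash>.1, ...), so the entry to delete is the hash-named one. Remove every
# hash-named entry whose fingerprint matches the given certificate, print
# the number removed, and fail if there was nothing to remove.
remove_from_capath() {
    cert="$1"
    hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 1
    want=$(cert_fingerprint "$cert") || return 1
    removed=0
    for f in "$CAPATH/$hash".*; do
        [ -e "$f" ] || continue   # glob matched nothing
        # Several certificates can share a subject hash (same subject DN,
        # different keys), so only drop exact fingerprint matches.
        if [ "$(cert_fingerprint "$f")" = "$want" ]; then
            rm -f "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
    [ "$removed" -gt 0 ]
}

# Send SIGHUP to the stunnel process recorded in the pid file. Since 4.30
# stunnel re-reads its configuration on HUP; new connections are then
# verified against the pruned CApath while existing ones are left alone.
reload_stunnel() {
    [ -r "$PIDFILE" ] || { echo "pid file $PIDFILE not readable" >&2; return 1; }
    pid=$(cat "$PIDFILE")
    case "$pid" in
        ''|*[!0-9]*) echo "pid file $PIDFILE does not hold a PID" >&2; return 1 ;;
    esac
    kill -HUP "$pid"
}

# Full procedure: prune CApath, then reload. Refuse to signal stunnel if the
# certificate was not found, so a typo does not cause a pointless reload.
revoke_client() {
    n=$(remove_from_capath "$1") || { echo "$1: not found in $CAPATH" >&2; return 1; }
    echo "removed $n entry(ies) for $1 from $CAPATH"
    reload_stunnel
}

# Usage: ./revoke-client.sh /path/to/client.pem
[ $# -eq 0 ] || revoke_client "$1"
```

Reading the PID from stunnel's pid file sidesteps a small trap with `killall` by name: on Debian-style installs (the question's `service stunnel4` suggests one) the daemon is typically started as stunnel4, so check `pgrep -l stunnel` before relying on a bare `killall -HUP stunnel`.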
0

You could configure an exclusive port number per user and put the client certificate in a sub-dir of /etc/ssl/certs with that port number, e.g. /etc/ssl/certs/34221.

Configure your client stunnel.conf with that port.

Start one stunnel server per port with a stunnel.conf containing

cert = /etc/ssl/certs/myserver_cert.pem
CAfile = /etc/ssl/certs/cacert.pem
CApath = /etc/ssl/certs/34221

Then you have separated your user access.

slhck
  • 235,242