--- /usr/local/src/stunnel-4.26/src/verify.c 2008-05-18 12:56:24.000000000 +0200
+++ /usr/local/src/stunnel-4.26-crl/src/verify.c 2008-10-24 17:27:21.000000000 +0200
@@ -225,6 +225,7 @@
 int i, n, rc;
 char *cp;
 ASN1_TIME *last_update=NULL, *next_update=NULL;
+ int good_crl=0;
 /* determine certificate ingredients in advance */
 cert=X509_STORE_CTX_get_current_cert(callback_ctx);
@@ -277,6 +278,7 @@
 return 0; /* reject connection */
 }
 X509_OBJECT_free_contents(&obj);
+ good_crl = 1;
 }
 /* try to retrieve a CRL corresponding to the _issuer_ of
@@ -312,6 +314,17 @@
 }
 }
 X509_OBJECT_free_contents(&obj);
+ good_crl = 1;
+ }
+
+ if (good_crl == 0) {
+ if ((local_options.crl_dir != NULL) || (local_options.crl_file != NULL)) {
+ s_log(LOG_ERR, "No CRL found to verify '%s' certificate.", subject_name);
+ return 0; /* CRL use was explicitly specified so reject connection */
+ } else {
+ s_log(LOG_WARNING, "No CRL found to verify '%s' certificate.", subject_name);
+ return 1; /* just warn in logs */
+ }
 }
 s_log(LOG_NOTICE, "CRL: verification passed");
 return 1; /* accept connection */
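Review bot: `good_crl` is set in the second hunk as well as the third, so the fail-closed test `if (good_crl == 0)` is satisfied when only the first lookup succeeded; that lookup precedes the "_issuer_" comment and is presumably the CRL issued by the certificate's own subject. Such a CRL says nothing about whether the current certificate is revoked, since that information comes from its issuer's CRL. Drop the `good_crl = 1;` added in the second hunk, or track it in a separate flag, so that a configured `crl_dir`/`crl_file` rejects the connection whenever the issuer CRL is missing. If the callback runs once per chain certificate, as `X509_STORE_CTX_get_current_cert` suggests, every issuing CA in the chain then needs a CRL in the store, which the option's documentation should state. The enclosing function starts and ends outside these hunks, so the two lookup blocks should be confirmed against the full file.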