[stunnel-users] No way to keep the key encrypted?

joe at strout.net joe at strout.net
Wed Nov 15 15:56:29 CET 2006


I see from the manual:

"Two things are important when generating certificate-key pairs for
stunnel. The private key cannot be encrypted, because the server has no
way to obtain the password from the user. To produce an unencrypted key
add the -nodes option when running the req command from the OpenSSL
kit."

This seems very dangerous to me; anybody who gets ahold of that key
file will then be able to impersonate my server, right?  Symbian SSL
Proxy will simply ask me for my pass phrase when I launch it.  Is there
any way to get stunnel to do something equivalent -- maybe by
decrypting it on the fly and piping it to stunnel on launch, so that
there is never a decrypted file on disk?  Or maybe I can decrypt the
key to a file, launch stunnel, and then immediately delete that file?

How have others dealt with this?

Thanks,
- Joe


--
Joe Strout -- joe at strout.net
Verified Express, LLC     "Making the Internet a Better Place"
http://www.verex.com/
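
As an added example (not part of Joe's message and not code from the stunnel project), the following POSIX sh wrapper implements the second option raised in the question: keep the key encrypted on disk, decrypt it only at launch into an owner-only directory on a memory-backed filesystem, run stunnel, and scrub the plaintext copy when stunnel exits. The paths ENC_KEY, STUNNEL_CONF and STUNNEL_KEY_DIR are assumptions, and the stunnel config is assumed to point its "key =" option at $KEY_DIR/key.pem and to set "foreground = yes".

```shell
#!/bin/sh
# Added example (not from the stunnel project or the original post): a launch
# wrapper that keeps the stunnel private key encrypted on disk.  A plaintext
# copy is written only to a memory-backed directory, owner-only, for as long
# as stunnel runs, and is scrubbed when stunnel exits.
# Assumed (hypothetical) paths: the encrypted key is $ENC_KEY and the stunnel
# config $STUNNEL_CONF points its "key =" option at $KEY_DIR/key.pem.

ENC_KEY=${ENC_KEY:-/etc/stunnel/stunnel-key.enc.pem}
STUNNEL_CONF=${STUNNEL_CONF:-/etc/stunnel/stunnel.conf}
# /dev/shm is a tmpfs on Linux, so the plaintext copy never reaches a disk
# (overwriting a file on a journaling or flash filesystem is unreliable).
KEY_DIR=${STUNNEL_KEY_DIR:-/dev/shm/stunnel}

# Create (or verify) the directory that will hold the plaintext key:
# owner-only and not a symlink, so another local user cannot pre-create it
# somewhere of their choosing.
prepare_key_dir() {
    dir=$1
    umask 077
    if [ -L "$dir" ]; then
        echo "refusing to use symlink $dir" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ]
}

# Decrypt the key $1 into $2.  openssl prompts for the passphrase on the
# terminal, so it never passes through the command line or the environment.
decrypt_key() {
    umask 077
    openssl rsa -in "$1" -out "$2" || return 1
    chmod 600 "$2"
}

# Overwrite and remove the plaintext copy.  The overwrite is best effort;
# the real protection is that the file lives on tmpfs.
scrub_key() {
    f=$1
    [ -f "$f" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"
    else
        dd if=/dev/urandom of="$f" bs=4096 count=1 conv=notrunc 2>/dev/null
        rm -f "$f"
    fi
}

# Decrypt, run stunnel in the foreground, scrub the key when it exits.
# The config needs "foreground = yes".  If stunnel daemonises instead, the
# key is scrubbed as soon as the parent returns (the "launch, then delete"
# variant): the running instance keeps working, but a later SIGHUP
# configuration reload will fail because the key file is gone.
run_stunnel() {
    plain=$KEY_DIR/key.pem
    prepare_key_dir "$KEY_DIR" || exit 1
    trap 'scrub_key "$plain"' EXIT INT TERM
    decrypt_key "$ENC_KEY" "$plain" || exit 1
    stunnel "$STUNNEL_CONF"
}

# Usage: ENC_KEY=/path/to/key.enc.pem STUNNEL_CONF=/path/to/stunnel.conf ./wrapper.sh start
if [ "$1" = "start" ]; then
    run_stunnel
fi
```

The wrapper prompts for the passphrase once, at launch, which is the behaviour the question asks for; the trade-off is that unattended restarts (boot, supervisor respawn, SIGHUP reload) need an operator present, which is exactly why the manual recommends an unencrypted key for a server.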
