[stunnel-users] Individual user certs for each person who uses Windows PC

Pierre DELAAGE delaage.pierre at free.fr
Tue Aug 31 08:07:42 CEST 2010


Hello,
I suggest you have a look at the Windows "subst" command (available in
ALL versions of Windows),
which allows a virtual drive to be mapped to a directory.
So you can imagine that stunnel always uses the cert Z:/acert.pem,
but with the Z drive pointing to C:\users\userA\, or to ...userB...,
with a simple startup bat script.
If the script fails, then there is NO risk that userB uses the cert of user A.
But in that case stunnel must ALSO be started in the startup menu script
(the same one that does the "subst"),
and NOT as a service.

Hope this may help,
Pierre

On 31/08/2010 00:54, Bucci, David G wrote:
> Thx for replying, Scott ... how did you handle multiple users on the 
> PC, though? They all shared that cert?
>
> I thought about having a single location and copying to there on user 
> login (from a standard location in a user's home dir, e.g.) ... then 
> firing up stunnel ... but it seems like so much can go wrong, 
> resulting in User B accessing using User A's certificate (because the 
> copy failed, e.g.). And we're leery of exposing User A's cert to User 
> B - especially since stunnel doesn't support encryption of the user's 
> key, right? So the permissions would be a little tricky and maybe fragile.
>
> Seems like there should be a straightforward way to do it, dadnabit!
>
> ------------------------------------------------------------------------
> *From*: Scott Gifford <sgifford at suspectclass.com>
> *To*: Bucci, David G
> *Cc*: stunnel-users at mirt.net <stunnel-users at mirt.net>
> *Sent*: Mon Aug 30 17:41:09 2010
> *Subject*: EXTERNAL: Re: [stunnel-users] Individual user certs for 
> each person who uses Windows PC
>
> On Mon, Aug 30, 2010 at 3:41 PM, Bucci, David G
> <david.g.bucci at lmco.com> wrote:
> [ ... ]
>
>     I've tried using envvars in the stunnel.conf (e.g., cert =
>     %USERPROFILE%\usercert.pem), tried adjusting the command line to
>     include "-p %USERPROFILE%\usercert.pem" as an option ... 
>
>
> We implemented something similar by simply making a "C:\stunnel" 
> directory on each PC, naming the certificate the same thing on all 
> machines, then hardcoding that path into the stunnel configuration 
> (e.g. "C:\stunnel\usercert.pem").  Not quite as nice as 
> %USERPROFILE%\usercert.pem, but it worked.  :-)
>
> Hope this is helpful,
>
> ----Scott.
>
>
>    
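
A per-user logon script along the lines Pierre describes could look like the following. It is an added example, not part of the original message; the `C:\stunnel` install path and the `cert = Z:\acert.pem` line in `stunnel.conf` are assumptions.

```batch
@echo off
rem Added example: per-user logon script, placed in each user's Startup folder.
rem Assumptions: stunnel is installed in C:\stunnel (hypothetical path) and
rem stunnel.conf contains the fixed line:  cert = Z:\acert.pem
setlocal

set "STUNNEL_EXE=C:\stunnel\stunnel.exe"
set "STUNNEL_CONF=C:\stunnel\stunnel.conf"

rem Drop any leftover mapping so a stale Z: is never reused.
subst Z: /D >nul 2>&1

rem Map Z: to the profile of the user who is logging on.
subst Z: "%USERPROFILE%"
if errorlevel 1 goto :fail

rem Refuse to continue unless this user's certificate is reachable through Z:.
if not exist "Z:\acert.pem" goto :fail

rem Start stunnel from this script, in the user's session, not as a service.
start "" "%STUNNEL_EXE%" "%STUNNEL_CONF%"
endlocal
exit /b 0

:fail
rem Fail closed: no mapping or no certificate means stunnel is not started.
echo Z: could not be mapped to %USERPROFILE% or acert.pem is missing; stunnel not started.
subst Z: /D >nul 2>&1
endlocal
exit /b 1
```

Because stunnel is launched only after both checks pass, a failed mapping leaves the user without a tunnel rather than with another user's certificate.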
