Well ... we've done things like cronning a swap-in of a config file that points at a passphrase file, starting an app, then swapping out the config file for a generic one. Yes, it's just a shell game, and security through obscurity ... but if a hacker gets in, they're usually in a hurry, and would probably assume we just manually start up and enter our passphrase, since the key is encrypted.
I'd be interested, too, if it's possible.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michal Trojnara
Sent: Tuesday, November 23, 2010 3:29 AM
To: [email protected]
Subject: EXTERNAL: Re: [stunnel-users] SSLPassPhraseDialog
"Avinash Gaonkar" [email protected] wrote:
> How can we configure the SSL key passphrase in the stunnel config file? For example, the SSLPassPhraseDialog exec:/path/to/passphrase-file parameter we have in Apache, so there is no need to key in the password every time we restart the service.
Passphrase in a file is a very bad idea. It makes the solution more complex without any security benefit (in fact it makes things even worse if you re-use your passphrase anywhere else). Simply decrypt your private key instead and use filesystem permissions to protect it.
Mike

_______________________________________________
stunnel-users mailing list
[email protected]
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
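Michal's advice (decrypt the key, then rely on filesystem permissions) carried out as an added shell example that is not part of the thread: the key is decrypted under a restrictive umask so the plaintext is never world-readable even briefly, locked to its owner, and then checked for both the file mode and the absence of a passphrase header. The key paths and the service user are placeholders.

```shell
#!/bin/sh
# Added example; not from the stunnel-users thread. Paths and the
# service user (the account named in stunnel's setuid option) are
# placeholders chosen for illustration.

# Return 0 if the PEM file still carries a passphrase (OpenSSL marks
# encrypted keys with either of these headers), 1 otherwise.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' \
            -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Decrypt an RSA key into a new file. umask 077 in a subshell makes the
# output file 0600 from the moment it is created. openssl prompts for
# the passphrase interactively, so no passphrase ever lands on disk.
decrypt_key() {
    (umask 077 && openssl rsa -in "$1" -out "$2")
}

# Restrict the plaintext key to the stunnel service user only.
# Usage: lock_key /etc/stunnel/stunnel.key stunnel
lock_key() {
    chmod 0600 "$1" && chown "${2:-$(id -un)}" "$1"
}

# Return 0 only if nobody but the owner can read the key.
# stat -c is GNU; stat -f is the BSD/macOS spelling.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Full check a practitioner would run after converting a key.
# Usage: verify_plain_key /etc/stunnel/stunnel.key
verify_plain_key() {
    if key_is_encrypted "$1"; then
        echo "$1: still passphrase-protected" >&2; return 1
    fi
    if ! key_perms_ok "$1"; then
        echo "$1: readable by group or others" >&2; return 1
    fi
    return 0
}
```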