[stunnel-users] Passphrase validation

Peter Pentes colemanboy at yahoo.com
Thu Jun 23 01:34:17 CEST 2005


I agree.  It would be useful on the client side.

PP


--- Sergio Gelato <Sergio.Gelato at astro.su.se> wrote:

> Vasil Dimov wrote:
> 
> > On Tue, Jun 21, 2005 at 10:29:37PM -0700, Peter Pentes wrote:
> > 
> > > Sorry, what I am referring to here is actually the passphrase for the
> > > private keys, and how Stunnel does not support encrypted private keys.
> > 
> > This would be useless. How do you expect the passphrase for the
> > encrypted private key to be obtained at stunnel startup?
> 
> By prompting the user, or by reading it from a configuration file.
> 
> On the client side, prompting the user isn't necessarily bad or even
> difficult.
> 
> I'll grant you that on the server side, or for unattended client-side
> operation, there is little (if any) actual security benefit from using a
> non-null passphrase and storing it in a separate file; however, some
> software (e.g., Java) does work that way, and I don't see any harm in
> having that possibility. There may also be some non-security benefits:
> I've seen at least one CA policy that requires private keys to be stored
> encrypted while not active, and if you want to comply with the letter
> of such a policy you may have to use a non-null passphrase.

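The two passphrase sources discussed in the thread (prompting the user, or reading the passphrase from a separate file at startup) and the caveat about unattended operation, shown as an added example. This is not code from the thread or from stunnel itself; it uses the openssl command-line tool, and the passphrase, file names and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not stunnel's code): generate an
# encrypted PEM private key, unlock it the two ways a daemon could obtain
# the passphrase at startup, and show why a passphrase file next to the
# key buys nothing for unattended operation. Needs the openssl CLI.
set -eu

WORK=$(mktemp -d)
PASS='correct horse battery staple'   # constructed demo passphrase

# Generate a 2048-bit RSA key and encrypt it under $PASS with AES-256.
# Prints the path of the encrypted key.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/key.pem" 2048 2>/dev/null
    echo "$WORK/key.pem"
}

# "yes" if the PEM file is an encrypted key (legacy "Proc-Type: 4,ENCRYPTED"
# header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block), "no" otherwise.
key_is_encrypted() {
    if grep -q 'ENCRYPTED' "$1"; then echo yes; else echo no; fi
}

# Option 1 (attended client): prompt. Without -passin, openssl prompts on
# the terminal; here the passphrase is fed on stdin so the demo is scriptable.
unlock_by_prompt() {
    if printf '%s\n' "$PASS" | openssl rsa -in "$1" -passin stdin -noout -check >/dev/null 2>&1; then
        echo unlocked
    else
        echo failed
    fi
}

# Option 2 (unattended): read the passphrase from the first line of a file
# ($2), the way a startup script or config-file setting would.
unlock_by_passfile() {
    if openssl rsa -in "$1" -passin "file:$2" -noout -check >/dev/null 2>&1; then
        echo unlocked
    else
        echo failed
    fi
}

# The caveat: anyone who can read both key file and passphrase file can
# write out the plaintext key, so the pair is equivalent to an unencrypted
# key at rest. Prints the path of the decrypted key.
strip_passphrase() {
    openssl rsa -in "$1" -passin "file:$2" -out "$WORK/plain.pem" 2>/dev/null
    echo "$WORK/plain.pem"
}

# Demo run.
umask 077
KEY=$(make_encrypted_key)
printf '%s\n' "$PASS"  > "$WORK/pass.txt"
printf 'wrong\n'       > "$WORK/wrong.txt"
echo "encrypted on disk:          $(key_is_encrypted "$KEY")"
echo "prompt (stdin) unlock:      $(unlock_by_prompt "$KEY")"
echo "passfile unlock:            $(unlock_by_passfile "$KEY" "$WORK/pass.txt")"
echo "wrong passfile unlock:      $(unlock_by_passfile "$KEY" "$WORK/wrong.txt")"
PLAIN=$(strip_passphrase "$KEY" "$WORK/pass.txt")
echo "still encrypted after strip: $(key_is_encrypted "$PLAIN")"
```

The 0600 passphrase file satisfies a "keys are encrypted at rest" policy to the letter, but as the last step shows, a reader of both files recovers the plaintext key, which is the thread's point about unattended operation.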

