[stunnel-users] SSLPassPhraseDialog

Bucci, David G david.g.bucci at lmco.com
Tue Nov 23 22:46:40 CET 2010


Well ... we've done things like cronning a swap-in of a config file that points at a passphrase file, starting an app, then swapping out the config file for a generic one.  Yes, it's just a shell game, and security through obscurity ... but if a hacker gets in, they're usually in a hurry, and would probably assume we just manually start up and enter our passphrase, since the key is encrypted.

I'd be interested, too, if it's possible.

-----Original Message-----
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Michal Trojnara
Sent: Tuesday, November 23, 2010 3:29 AM
To: stunnel-users at mirt.net
Subject: EXTERNAL: Re: [stunnel-users] SSLPassPhraseDialog

"Avinash Gaonkar" <agaonkar at gmail.com> wrote:
> How can we configure the ssl key passphrase in the stunnel config file?
> e.g. the SSLPassPhraseDialog  exec:/path/to/passphrase-file
> parameter we have in apache, so no need to key in password
> every time when we restart service.

Passphrase in a file is a very bad idea.  It makes the solution more
complex without any security benefit (in fact it makes things even worse if
you re-use your passphrase anywhere else).  Simply decrypt your private key
instead and use filesystem permissions to protect it.

Mike
_______________________________________________
stunnel-users mailing list
stunnel-users at mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
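The advice in Michal's reply (decrypt the key once, then rely on filesystem permissions) is easy to get slightly wrong: the decrypted file must never be created world-readable, even briefly, and the final mode should be verified rather than assumed. The following is an added example, not code from the stunnel-users thread or from the stunnel project. It assumes the OpenSSL command-line tool is installed and that the file paths are placeholders you replace with your own; `openssl pkey` will prompt for the existing passphrase interactively.

```shell
#!/bin/sh
# Added example (not from the thread). Decrypt a passphrase-protected PEM
# private key once, then protect the plaintext copy with permissions alone,
# which is what Michal recommends instead of a passphrase file.
# Assumption: the OpenSSL CLI is available; paths are placeholders.

# Return 0 if the file grants no permissions at all to group or others.
# Columns 5-10 of `ls -ld` output are the group and other permission bits,
# which keeps this portable across GNU and BSD userlands.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Restrict a key file to owner read/write and confirm the result took effect.
harden_key_perms() {
    chmod 600 "$1" && key_perms_ok "$1"
}

# Decrypt an encrypted PEM key into a plaintext file. The subshell sets a
# restrictive umask so the output file is created owner-only from the start,
# rather than being chmod'ed down after a window of wider exposure.
decrypt_key() {
    enc="$1"
    plain="$2"
    ( umask 077 && openssl pkey -in "$enc" -out "$plain" ) && harden_key_perms "$plain"
}

# Usage (placeholder paths): decrypt_key /etc/stunnel/stunnel.key.enc /etc/stunnel/stunnel.key
# The resulting file is what stunnel.conf's "key =" option should point at.
```

The verification step matters because a later package upgrade, backup restore or careless `cp` can silently widen the mode; running `key_perms_ok` from the same cron job that starts the service catches that before the key is exposed.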