Bucci, David G
david.g.bucci at lmco.com
Tue Nov 23 22:46:40 CET 2010
Well ... we've done things like cronning a swap-in of a config file that points at a passphrase file, starting an app, then swapping out the config file for a generic one. Yes, it's just a shell game, and security through obscurity ... but if a hacker gets in, they're usually in a hurry, and would probably assume we just manually start up and enter our passphrase, since the key is encrypted.
I'd be interested, too, if it's possible.
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Michal Trojnara
Sent: Tuesday, November 23, 2010 3:29 AM
To: stunnel-users at mirt.net
Subject: EXTERNAL: Re: [stunnel-users] SSLPassPhraseDialog
"Avinash Gaonkar" <agaonkar at gmail.com> wrote:
> How can we configure the SSL key passphrase in the stunnel config file?
> E.g. the SSLPassPhraseDialog exec:/path/to/passphrase-file
> parameter we have in Apache, so there is no need to key in the password
> every time we restart the service.
Passphrase in a file is a very bad idea. It makes the solution more
complex without any security benefit (in fact it makes things even worse if
you re-use your passphrase anywhere else). Simply decrypt your private key
instead and use filesystem permissions to protect it.
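
The setup Michal Trojnara recommends above (key stored decrypted, protected only by filesystem permissions), as an added shell example that is not part of the original thread. `decrypt_key` and `check_key_file` are hypothetical helper names, and the key path is whatever the reader's own configuration uses.

```shell
#!/bin/sh
# Added example: audit a PEM key file against the advice in the thread
# (key stored decrypted, readable only by its owner).

# decrypt_key IN OUT: write a passphrase-free copy, created owner-only.
# openssl prompts for the passphrase interactively; nothing is stored.
decrypt_key() {
    ( umask 077 && openssl pkey -in "$1" -out "$2" && chmod 600 "$2" )
}

# check_key_file PATH: prints one line per finding; returns 0 only if clean.
check_key_file() {
    f=$1; rc=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "NOT_REGULAR: $f is missing, a symlink, or not a regular file"
        return 1
    fi
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' -- "$f"; then
        echo "NO_KEY: $f contains no PEM private key"
        return 1
    fi
    # Traditional PEM marks encryption with a Proc-Type header; PKCS#8 uses
    # its own BEGIN line. Either means a passphrase prompt at every restart.
    if grep -Eq -e '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' -- "$f"; then
        echo "ENCRYPTED: $f still needs a passphrase"
        rc=1
    fi
    # The ls mode string looks like -rw-------; characters 5-10 are the
    # group and other permission bits and must all be '-'.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case $mode in
        ????------) ;;
        *) echo "OPEN_PERMS: $f is $mode, expected owner-only (chmod 600)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Usage: sh audit-key.sh /path/to/key.pem
if [ "$#" -gt 0 ]; then check_key_file "$1"; fi
```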