[stunnel-users] key+cert+dh risks

Jean-Yves F. Barbier 12ukwn at gmail.com
Sun Feb 13 22:45:06 CET 2011

On Sun, 13 Feb 2011 22:21:10 +0100, Ludolf Holzheid
<lholzheid at bihl-wiedemann.de> wrote:

> On Sat, 2011-02-12 14:32:19 +0100, Jean-Yves F. Barbier wrote:
> > [..]
> > 
> > Hmmm, so it looks like may the entropy may be higher with 2 different keys.
> Yes, but if this was more than a hypothetical problem, there would be
> a counter for uses of the key and a recommendation to use a new key
> after a certain number of uses.

For my own security, keys are rotated on a monthly basis.

> Think of how many times the web
> banking servers use their key ...

I totally agree with this.
> Don't be too concerned about that.

Yes, I am, because it is not the bank interests I protect, but mine!

The advantage of this question is it forced me to read more about openssl,
and now I think I'm gonna do it by the rules: separating every parts into
different files because the exercice is interesting and also because I'll soon
need to configurate a larger network of clients.

However, openssl lacks *real long term* security features (why signing into
sha1 instead of sha384 or sha512 when it is quite surely already broken by gov
Sces?), and is also somehow suspect (remember the 1 line bug that have lasted
for a looong time? After disclosure it was fixed but not a word from
the team about it and not a line in the changelog too......)

What I also wouldn't like is somebody record the whole connexion and decode it
several years after, once the computer farms power is high enough.

The right to revolt has sources deep in our history.
		-- Supreme Court Justice William O. Douglas

More information about the stunnel-users mailing list