[stunnel-users] No cert?

Małgorzata Olszówka gosia at olszowka.net
Wed Sep 28 17:37:22 CEST 2016


> Is there any way to configure a Stunnel server so that it doesn’t require a cert at all?
> I implement peer authentication using other means; I just want session encryption from Stunnel.
> Ideally, I’d like keys to be generated on-the-fly for each new connection.  I don’t mind if this takes a few seconds…

Hi, Dave!

The encryption keys in SSL are dynamically negotiated by the two 
endpoints at the start of the connection, after authentication has 
concluded. Thus encryption by itself offers no security value in the case 
of a man-in-the-middle or interception attack. This just means you are now 
negotiating an encryption key with the attacker and directly sending 
them your data. So the authentication is no less important than the 
encryption.

If you do not want to use any certificates, you can configure 
authentication with PSK (Pre-Shared Key). It provides both client and 
server authentication. PSK authentication requires stunnel version 5.09 
or higher and OpenSSL version at least 1.0.0.
Look here for a configuration example:
http://www.stunnel.org/auth.html

Regards.
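As an added example (not part of the original message and not code from the stunnel project), the shell script below generates a PSK secrets file and writes a matching stunnel server and client configuration of the kind the reply points to. The file paths, service names, ports, backend address and identities (alice, bob) are assumptions chosen for the demo; the `PSKsecrets`, `PSKidentity`, `ciphers` and `client` options and the IDENTITY:KEY line format are taken from the stunnel manual, which also requires keys of at least 16 bytes (32 hex characters).

```shell
#!/bin/sh
# Added example: build a stunnel PSK setup without certificates.
# Paths, ports, service names and identities below are assumptions.
set -eu

# Random hex key of N bytes, using /dev/urandom so openssl is not required.
gen_hex_key() {
    nbytes="${1:-32}"
    head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Server-side PSKsecrets file: one IDENTITY:KEY line per client.
# stunnel converts hexadecimal keys to binary; a 32-byte key is well above
# the 16-byte minimum. The file is created mode 0600 since it holds secrets.
write_psk_secrets() {
    out="$1"; shift
    ( umask 077; : > "$out" )
    for id in "$@"; do
        printf '%s:%s\n' "$id" "$(gen_hex_key 32)" >> "$out"
    done
}

# Copy a single client's IDENTITY:KEY line into that client's own file,
# so each client only holds its own key (identity is a plain literal here).
extract_client_secret() {
    server_secrets="$1"; identity="$2"; out="$3"
    ( umask 077; grep "^$identity:" "$server_secrets" > "$out" )
}

# Server: terminates TLS on $accept_port, forwards plaintext to $backend.
# "ciphers = PSK" restricts the service to PSK suites, so no cert/key is
# configured and a peer cannot negotiate a certificate-based suite instead.
write_server_conf() {
    out="$1"; secrets="$2"; accept_port="$3"; backend="$4"
    cat > "$out" <<EOF
; stunnel server authenticating clients by pre-shared key only
foreground = yes

[psk-server]
accept = $accept_port
connect = $backend
PSKsecrets = $secrets
ciphers = PSK
EOF
}

# Client: accepts plaintext locally on $local_port, tunnels it to $server.
# PSKidentity selects which line of the client's PSKsecrets file to present.
write_client_conf() {
    out="$1"; secrets="$2"; identity="$3"; local_port="$4"; server="$5"
    cat > "$out" <<EOF
; stunnel client presenting its pre-shared key
foreground = yes

[psk-client]
client = yes
accept = 127.0.0.1:$local_port
connect = $server
PSKsecrets = $secrets
PSKidentity = $identity
ciphers = PSK
EOF
}

# Build a complete set of files in $1 (or a temp dir) and print the directory.
demo() {
    dir="${1:-$(mktemp -d)}"
    write_psk_secrets "$dir/psk-server.txt" alice bob
    extract_client_secret "$dir/psk-server.txt" alice "$dir/psk-alice.txt"
    write_server_conf "$dir/stunnel-server.conf" "$dir/psk-server.txt" \
        4433 127.0.0.1:8080
    write_client_conf "$dir/stunnel-alice.conf" "$dir/psk-alice.txt" \
        alice 8443 server.example:4433
    echo "$dir"
}
```

Run `demo` and start each side with `stunnel <conf>`; the server will only complete a handshake with a client whose identity and key appear in its PSKsecrets file, which is the mutual authentication the reply describes. Keep the secrets files readable by the stunnel user only, and distribute each client's file over a channel you already trust, since anyone holding a line of that file can impersonate that identity. Whether `ciphers = PSK` alone is sufficient on a build that also negotiates TLS 1.3 (where stunnel has a separate `ciphersuites` option) is not something this example verifies; check the manual for your version.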
