Hi Ludolf, 

I meant the server's CApath directory (the one configured in stunnel.conf). 

So the client must decrypt its copy of the key, but my stunnel server doesn't need to know the password, as I supposed. 

Thank you 

G


2015-07-03 13:12 GMT+02:00 Ludolf Holzheid <lholzheid@bihl-wiedemann.de>:
On Fri, 2015-07-03 11:33:40 +0200, Giona Il Profeta wrote:
> Hi all,
>
> I have inherited an old stunnel installation, configured for mutual
> authentication (verify=3) and I'm trying to figure out some of the choices
> of the old sysadmin.
>
> One of the client certificates in the CApath directory has its private key
> encrypted with a password.
>
> Is the client supposed to provide the password to decrypt the key when it
> connects?

Which CApath?

If it's the one on the client box:  Yes, the client is supposed to
enter the password when stunnel is started.

If it's the one on the server box:  The peer's private key is not used
by stunnel, so no, there is no need for the password.

HTH

Ludolf


--

Ludolf Holzheid

Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany

Tel: +49 621 33996-0
Fax: +49 621 3392239

mailto:lholzheid@bihl-wiedemann.de
http://www.bihl-wiedemann.de

Sitz der Gesellschaft: Mannheim
Geschäftsführer: Jochen Bihl, Bernhard Wiedemann
Amtsgericht Mannheim, HRB 5796
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
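The practical follow-up to Ludolf's answer, for someone who has inherited a server-side CApath like the one described above, is to find out what is actually sitting in that directory: a server running with verify=3 only needs the peer CA certificates there (hashed with `openssl rehash` or `c_rehash` so OpenSSL's CApath lookup can find them), and stunnel never reads a peer's private key, so any key file in the directory is dead weight that only widens exposure if it is readable. The script below is an added example written for this thread, not code from stunnel or from either poster; it classifies each PEM file by its header (certificate, unencrypted private key, or password-protected private key, recognising both the legacy `Proc-Type: 4,ENCRYPTED` form and PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY`) and exits non-zero if a private key is found. The sample directory it builds is constructed here with placeholder bodies and contains no real key material; the function names and the exit convention are my choices.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: audit a CApath-style
# directory for private keys and report whether each one is password-protected.
# Assumes only POSIX sh, grep and mktemp; no openssl needed for the header check.

# classify_pem FILE -> prints one of: cert | key-encrypted | key-plain | other
classify_pem() {
    f="$1"
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo key-encrypted          # PKCS#8 key, password-protected
    elif grep -q -- '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo key-encrypted          # legacy PEM (RSA/EC/DSA) with a DEK-Info header
    elif grep -q -E -- '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$f"; then
        echo key-plain              # unprotected private key
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo cert
    else
        echo other
    fi
}

# audit_capath DIR -> prints "<class> <file>" per regular file in DIR.
# Returns 1 if any private key (encrypted or not) is present: a server's
# CApath should hold only CA certificates, the peer key is never used there.
audit_capath() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        c=$(classify_pem "$f")
        echo "$c $f"
        case "$c" in
            key-*) rc=1 ;;
        esac
    done
    return $rc
}

# make_sample_capath -> creates a temporary directory with three constructed
# PEM-shaped files (placeholder bodies, not real keys or certificates) and
# prints its path. Used when the script is run without an argument.
make_sample_capath() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
        '-----END CERTIFICATE-----' > "$d/ca.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
        'MIIE...placeholder...' '-----END RSA PRIVATE KEY-----' > "$d/client.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...placeholder...' \
        '-----END PRIVATE KEY-----' > "$d/stray.key"
    echo "$d"
}

# Usage: audit_capath.sh /etc/stunnel/certs   (the CApath from stunnel.conf)
# Without an argument the constructed sample directory is audited instead.
if [ $# -gt 0 ]; then
    audit_capath "$1"
else
    audit_capath "$(make_sample_capath)" \
        || echo "private key(s) found: they are not used by a stunnel server and do not belong in CApath"
fi
```

Run it against the directory named by CApath in the server's stunnel.conf. A `key-encrypted` hit is the case discussed in the thread: the password matters only on the client box, where stunnel prompts for it at start-up; on the server it can simply be removed from the directory. A `key-plain` hit is worse, since it is an unprotected private key lying in a directory whose only job is to hold public CA certificates. Note that a bare `.key` file in CApath is not even consulted by OpenSSL, which looks certificates up by their hashed symlink names, so removing it cannot break verification.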