Well ... we've done things like cronning a swap-in of a config file that points at a passphrase file, starting an app, then swapping out the config file for a generic one. Yes, it's just a shell game, and security through obscurity ... but if a hacker gets in, they're usually in a hurry, and would probably assume we just manually startup and enter our passphrase, since the key is encrypted.
I'd be interested, too, if it's possible.
-----Original Message----- From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Michal Trojnara Sent: Tuesday, November 23, 2010 3:29 AM To: stunnel-users@mirt.net Subject: EXTERNAL: Re: [stunnel-users] SSLPassPhraseDialog
"Avinash Gaonkar" agaonkar@gmail.com wrote:
How can we configure ssl key passphrase in stunnel config file. for. eg SSLPassPhraseDialog exec:/path/to/passphrase-file parameter we have in apache, so no need to key in password every time when we restart service.
Passphrase in a file is a very bad idea. It makes the solution more complex without any security benefit (in fact it makes things even worse if you re-use your passphrase anywhere else). Simply decrypt your private key instead and use filesystem permissions to protect it.
Mike _______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users