I see from the manual:
"Two things are important when generating certificate-key pairs for stunnel. The private key cannot be encrypted, because the server has no way to obtain the password from the user. To produce an unencrypted key add the -nodes option when running the req command from the OpenSSL kit."
This seems very dangerous to me; anybody who gets ahold of that key file will then be able to impersonate my server, right? Symbian SSL Proxy will simply ask me for my pass phrase when I launch it. Is there any way to get stunnel to do something equivalent -- maybe by decrypting it on the fly and piping it to stunnel on launch, so that there is never a decrypted file on disk? Or maybe I can decrypt the key to a file, launch stunnel, and then immediately delete that file?
How have others dealt with this?
Thanks, - Joe
--
Joe Strout -- joe@strout.net
Verified Express, LLC "Making the Internet a Better Place"
http://www.verex.com/
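
Because the manual passage quoted in the message requires the key to be stored unencrypted, file permissions are the control that keeps other local users from reading it. The script below is an added example, not part of the original message or of stunnel: it reports whether a PEM key file is encrypted and, if it is not, whether group or other users have any access to it. The function names are hypothetical; the header strings are the ones OpenSSL writes for PKCS#8 and traditional encrypted keys.

```shell
#!/bin/sh
# Added example: audit a PEM private key file intended for stunnel.
# Function names are hypothetical, not part of stunnel or OpenSSL.

# Succeeds if the PEM headers mark the private key as encrypted
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or traditional "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' -- "$1"
}

# Succeeds if group and other have no permission bits on the file.
key_mode_is_private() {
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints one verdict for the key file; returns non-zero on a finding.
audit_key() {
    if [ ! -f "$1" ]; then
        echo "missing"
        return 2
    fi
    if key_is_encrypted "$1"; then
        # Protected at rest, but cannot be loaded without a pass phrase.
        echo "encrypted"
        return 0
    fi
    if key_mode_is_private "$1"; then
        echo "unencrypted-private"
        return 0
    fi
    echo "unencrypted-exposed"
    return 1
}

# Stand-alone use: pass the key file path as the first argument.
[ "$#" -eq 0 ] || audit_key "$1"
```

A verdict of `unencrypted-exposed` means the key file is readable, writable or executable by someone other than its owner and should be tightened, for example with `chmod 600`.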