[stunnel-users] client auth saga

markzero at logik.ath.cx markzero at logik.ath.cx
Mon Aug 30 20:57:57 CEST 2004


On Monday 30 of August 2004 20:38, markzero at logik.ath.cx wrote:
> To be honest, I'm just generally paranoid. I'd rather have a prospective
> attacker have to crack two passwords (the root and one wheel group) than
> one. I thought I'd write the above just so I didn't get a big lecture,
> hehe. :)

> You're not paranoid enough.  You still use passwords!  8-)

I'm currently in the process of moving everything over to keypairs. I'm
not blessed with security conscious users, and it's hard to get them
to understand that a keypair is actually more convenient (especially if
you use an agent). :)

> > I recommend using CAfile instead of CApath for simple configurations.
> > It doesn't need a hashed directory and is not relative to the chroot jail.
>
> So something like:
>
> CApath = /var/stunnel/certs

> No!
> CAfile = /var/stunnel/certs/your_cert.pem

Oops, yeah I see what you mean.

> I'm paranoid that someone has been at my testing configs now. :) I
> previously had a working setup, which worries me even further as I *did*
> use a symlink.

> Yes, you can use symlinks, but instead of:
>   ln -s /a/b/c/x /a/b/c/y
> use:
>   cd /a/b/c
>   ln -s x y
> Please notice (ls -l) that the results are not the same!

That must have been it.

> Best regards,
>    Mike
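
An added example, not from this thread or from the stunnel project, showing why the two `ln -s` forms Mike contrasts behave differently once stunnel has chrooted. The script builds a throwaway directory that stands in for the chroot jail (the path and the certificate contents are made up for the demo), creates one symlink with an absolute target and one with a relative target, prints what `ls -l` shows for each, and then emulates the post-chroot lookup: an absolute target is re-rooted at the jail, a relative target is joined to the link's own directory. The file names `abs.0` and `rel.0` only mimic the `<hash>.0` naming a CApath directory expects; the real hash would come from `openssl x509 -subject_hash`, which the example does not run.

```shell
#!/bin/sh
# Added demo (not stunnel's code): absolute vs relative symlink targets
# inside a directory that will later be the root of a chroot jail.
set -u

# A temporary tree standing in for the stunnel chroot jail. The layout
# /var/stunnel/certs is taken from the thread; the cert is a placeholder.
JAIL="$(mktemp -d)"
trap 'rm -rf "$JAIL"' EXIT
CERTS="$JAIL/var/stunnel/certs"
mkdir -p "$CERTS"
printf 'placeholder, not a real certificate\n' > "$CERTS/your_cert.pem"

# Form 1, as in "ln -s /a/b/c/x /a/b/c/y": the link stores the full
# host path of the target.
ln -s "$CERTS/your_cert.pem" "$CERTS/abs.0"

# Form 2, as in "cd /a/b/c; ln -s x y": the link stores just "x", which
# is resolved relative to the directory the link lives in.
( cd "$CERTS" && ln -s your_cert.pem rel.0 )

# link_target prints the raw target string stored in the symlink. This
# is the text ls -l prints after "->", and it is where the two forms differ.
link_target() {
  readlink "$1"
}

# resolves_in_jail emulates the kernel's path walk after chroot(jail):
# an absolute target is looked up under the jail root, a relative target
# under the link's own directory. Exit status 0 means the target exists
# from inside the jail, 1 means the link dangles there.
resolves_in_jail() {
  jail="$1"
  link="$2"
  target="$(readlink "$link")"
  case "$target" in
    /*) test -e "$jail$target" ;;
    *)  test -e "$(dirname "$link")/$target" ;;
  esac
}

# report prints one line per link so the difference is visible when the
# script is run by hand.
report() {
  for link in "$CERTS/abs.0" "$CERTS/rel.0"; do
    name="$(basename "$link")"
    if resolves_in_jail "$JAIL" "$link"; then
      echo "$name -> $(link_target "$link")  [resolves inside jail]"
    else
      echo "$name -> $(link_target "$link")  [DANGLING inside jail]"
    fi
  done
}

ls -l "$CERTS"
report
```

Run as-is; outside the jail both links work, which is why a setup like this passes casual testing on the host and only fails once stunnel is running chrooted. For a CApath directory under the jail, use the relative form; for a single CA, `CAfile = /var/stunnel/certs/your_cert.pem` as in the thread avoids both the hashed directory and the symlink question, since the thread notes it is not interpreted relative to the jail (check the CApath and chroot notes in the stunnel manual for your version before relying on that).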
