[stunnel-users] Passphrase validation

Vasil Dimov vd at datamax.bg
Wed Jun 22 14:38:46 CEST 2005


On Wed, Jun 22, 2005 at 01:20:10PM +0100, Colin McKinnon wrote:
> On Wednesday 22 June 2005 13:12, Vasil Dimov wrote:
> > On Tue, Jun 21, 2005 at 10:29:37PM -0700, Peter Pentes wrote:
> > > Sorry, what I am referring to here is actually the
> > > passphrase for the private keys, and how Stunnel does
> > > not support encrypted private keys.
> >
> > This would be useless. How do you expect the passphrase for the
> > encrypted private key to be obtained at stunnel startup?
> 
> Apache manages it.
> 

Encrypted private keys will prevent stunnel from automatic startup
after a power failure or some other accidental machine reboot.

And even being encrypted on the filesystem, once decrypted the private key
will stay in memory unencrypted all the time. If someone breaks into the
machine while it is running, he/she will get the key from memory, not from
the filesystem.

The only use of encrypted private keys (for daemon services) I can think
of is that you can prevent someone from stealing your private key if
he/she physically steals the hard disk or the whole machine from your
server room. And even this has the major disadvantage that the service
will not start without human intervention (the private key's passphrase
input) after unexpected reboots.
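
An added example, not part of the original message and not stunnel code: a pre-flight check that reports whether a PEM file holds a passphrase-protected private key, which is the case the thread says stops a daemon from starting unattended. The function names are assumptions, and the sample PEM blocks are constructed with placeholder bodies rather than real keys.

```python
import re

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# Header that marks a traditional (pre-PKCS#8) OpenSSL key as encrypted.
PROC_TYPE_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)


def classify_private_keys(pem_text):
    """Return [(label, is_encrypted)] for each private-key block found."""
    results = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificate, DH parameters, etc.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"  # PKCS#8 form
                     or bool(PROC_TYPE_ENCRYPTED.search(body)))  # traditional
        results.append((label, encrypted))
    return results


def needs_passphrase(pem_text):
    """True if any key in the file requires a passphrase before use."""
    keys = classify_private_keys(pem_text)
    if not keys:
        raise ValueError("no private key block found")
    return any(encrypted for _, encrypted in keys)


# Constructed samples: the base64 bodies are placeholders, not real keys.
PLAIN_COMBINED = (
    "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n"
    "-----END RSA PRIVATE KEY-----\n")
TRADITIONAL_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "Proc-Type: 4,ENCRYPTED\r\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\r\n\r\n"
    "QUJDRA==\r\n-----END RSA PRIVATE KEY-----\r\n")
PKCS8_ENCRYPTED = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUJDRA==\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name in ("PLAIN_COMBINED", "TRADITIONAL_ENCRYPTED", "PKCS8_ENCRYPTED"):
        print(name, needs_passphrase(globals()[name]))
```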