[stunnel-users] No way to keep the key encrypted?
joe at strout.net
Wed Nov 15 15:56:29 CET 2006
I see from the manual:
"Two things are important when generating certificate-key pairs for
stunnel. The private key cannot be encrypted, because the server has no
way to obtain the password from the user. To produce an unencrypted key
add the -nodes option when running the req command from the OpenSSL
kit."
This seems very dangerous to me; anybody who gets ahold of that key
file will then be able to impersonate my server, right? Symbian SSL
Proxy will simply ask me for my pass phrase when I launch it. Is there
any way to get stunnel to do something equivalent -- maybe by
decrypting it on the fly and piping it to stunnel on launch, so that
there is never a decrypted file on disk? Or maybe I can decrypt the
key to a file, launch stunnel, and then immediately delete that file?
How have others dealt with this?
Thanks,
- Joe
--
Joe Strout -- joe at strout.net
Verified Express, LLC "Making the Internet a Better Place"
http://www.verex.com/
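The last option Joe raises, decrypting the key to a file, launching stunnel and deleting the file right away, can be scripted as below. This is an added example, not code from the post or from the stunnel project. It assumes `openssl` in PATH, a stunnel configuration template in which the line `key = @KEY@` marks where the plaintext key path goes (the `@KEY@` placeholder is this example's convention, not a stunnel feature), and a passphrase source in openssl's `-passin` syntax (for example `stdin`, or `env:KEYPASS`).

```shell
#!/bin/sh
# Added example (not from the stunnel manual or the original post).
# Keep the on-disk key encrypted; produce a plaintext copy only for the
# moment stunnel needs it, in a fresh 0700 directory with a 0600 file.
set -eu

# Decrypt the encrypted PEM key $1, using passphrase source $2 in openssl
# -passin syntax (stdin, env:VAR, ...). Prints the path of the plaintext key.
decrypt_key_to_tmpdir() {
    enc_key=$1
    pass_source=$2
    # mktemp -d creates the directory mode 0700; umask 077 makes the key 0600.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/stunnel-key.XXXXXX")
    (umask 077; openssl pkey -in "$enc_key" -passin "$pass_source" -out "$dir/key.pem")
    echo "$dir/key.pem"
}

# Start stunnel from a config template ($2) whose "key = @KEY@" line is filled
# with the plaintext path (assumed placeholder), then remove the plaintext copy.
start_stunnel_with_encrypted_key() {
    enc_key=$1
    conf_template=$2
    pass_source=$3
    plain=$(decrypt_key_to_tmpdir "$enc_key" "$pass_source")
    keydir=$(dirname "$plain")
    # Whatever happens next, the plaintext copy does not outlive this function.
    trap 'rm -rf "$keydir"' EXIT INT TERM
    sed "s|@KEY@|$plain|" "$conf_template" > "$keydir/stunnel.conf"
    # stunnel loads its certificate and key while initialising, before it
    # goes into the background, so the copy can go as soon as this returns.
    stunnel "$keydir/stunnel.conf"
    rm -rf "$keydir"
    trap - EXIT INT TERM
}

# Usage: KEYPASS='...' start_stunnel_with_encrypted_key server-key.enc.pem \
#            stunnel.conf.template env:KEYPASS
```

Two caveats a practitioner would want: the plaintext exists on disk for a few hundred milliseconds, so point `TMPDIR` at a memory-backed filesystem (tmpfs) rather than relying on `rm` to scrub blocks; and because the key is gone afterwards, a configuration reload that re-reads the key (stunnel reloads on SIGHUP) or a restart will fail until the key is decrypted again, so reloads have to go through this wrapper too.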