[stunnel-users] No cert?
Małgorzata Olszówka
gosia at olszowka.net
Wed Sep 28 17:37:22 CEST 2016
> Is there any way to configure a Stunnel server so that it doesn’t require a cert at all?
> I implement peer authentication using other means; I just want session encryption from Stunnel.
> Ideally, I’d like keys to be generated on-the-fly for each new connection. I don’t mind if this takes a few seconds…
Hi, Dave!
The encryption keys in SSL are dynamically negotiated by the two
endpoints at the start of the connection, after authentication has
concluded. Thus encryption by itself offers no security value in the case
of a man-in-the-middle or interception attack. This just means you are now
negotiating an encryption key with the attacker and directly sending
them your data. So the authentication is no less important than the
encryption.
If you do not want to use any certificates, you can configure
authentication with PSK (Pre-Shared Key). It provides both client and
server authentication. PSK authentication requires stunnel version 5.09
or higher and OpenSSL version at least 1.0.0.
Look here for a configuration example:
http://www.stunnel.org/auth.html
Regards.
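As an added worked example (not part of the original thread and not the stunnel project's own code), the following POSIX shell script generates a random pre-shared key, writes it in the IDENTITY:KEY format that stunnel's PSKsecrets file uses, and emits a matching server and client stunnel.conf with no cert or key lines at all. The option names (PSKsecrets, PSKidentity, ciphers, client, accept, connect) are those documented in the stunnel manual; the identity "client1", the ports, the hostname server.example.invalid and the output directory are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate a PSK and emit matching stunnel server/client configs.
# All hostnames, ports, identities and paths below are constructed assumptions.

# Produce a random 32-byte key as 64 hex characters. stunnel requires
# PSK keys of at least 16 bytes, i.e. at least 32 hex characters.
gen_psk_hex() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Check that a line matches stunnel's IDENTITY:KEY format with a hex key
# of at least 32 characters. Returns 0 when valid, 1 otherwise.
validate_psk_line() {
    printf '%s\n' "$1" | grep -Eq '^[^:]+:[0-9a-fA-F]{32,}$'
}

# Write a PSKsecrets file readable only by its owner: stunnel expects the
# file to be neither world-readable nor world-writable.
write_psk_file() {
    file=$1 identity=$2 key=$3
    validate_psk_line "$identity:$key" || return 1
    ( umask 077; printf '%s:%s\n' "$identity" "$key" > "$file" )
}

# Server side: terminate TLS on 8443 and forward plaintext to a local
# service on 8080. No cert/key lines: the PSK is the only credential.
# "ciphers = PSK" is the OpenSSL cipher-list keyword for PSK suites.
write_server_conf() {
    cat > "$1" <<EOF
[psk-server]
accept = 8443
connect = 127.0.0.1:8080
ciphers = PSK
PSKsecrets = $2
EOF
}

# Client side: accept plaintext locally on 8080 and carry it over TLS to
# the server. PSKidentity selects which line of the PSK file to present.
write_client_conf() {
    cat > "$1" <<EOF
[psk-client]
client = yes
accept = 127.0.0.1:8080
connect = server.example.invalid:8443
ciphers = PSK
PSKsecrets = $2
PSKidentity = $3
EOF
}

# Generate the key file and both configs into a directory.
main() {
    dir=${1:-./stunnel-psk}
    mkdir -p "$dir"
    key=$(gen_psk_hex)
    write_psk_file "$dir/psk.txt" client1 "$key" || exit 1
    write_server_conf "$dir/server.conf" "$dir/psk.txt"
    write_client_conf "$dir/client.conf" "$dir/psk.txt" client1
    echo "wrote $dir/psk.txt, $dir/server.conf and $dir/client.conf"
}

# Only run when invoked as "sh script.sh generate [dir]", so the
# functions above can also be sourced and used individually.
if [ "${1-}" = "generate" ]; then
    main "$2"
fi
```

Run it as `sh gen-psk.sh generate` on one host, then copy psk.txt to the peer over a channel you already trust (the PSK is the entire authentication, so whoever holds the file can impersonate either side). On the server the file may hold one line per client identity; on the client it needs only that client's own line, and PSKidentity must name it.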