[stunnel-users] Is there a way to specify certificate content in stunnel config

Peter Pentchev roam at ringlet.net
Tue Jul 24 13:11:05 CEST 2018


On Tue, Jul 24, 2018 at 10:27:12AM +0000, Hari wrote:
> Hi Eric,
> 
> I run my application with stunnel in the client mode (client = yes in
> config file). I do not have control on the stunnel running in server
> mode though.
> 
> If I understand your mail correctly, the hack is to copy the certs to
> any local directory that should be accessible and then delete the same
> after the connection is established? I don't have problems maintaining
> the pem files if I can access the file system to create them, but I am
> exploring an option, which I couldn't figure out from the stunnel
> documentation, if I can specify the certs inside the configuration file
> for stunnel itself rather than feeding them through a file. I have an
> environment where the certificates and keys are available as strings to
> my applications and hence the idea is to use them directly in stunnel
> config rather than as a file.

AFAIK, stunnel does not have such an option; it always reads
the certificates from a file.  Writing them out to files in a temporary
directory might suit your needs.  If your application needs stunnel only
for a single connection and it runs on a Unix system, you don't even
need to run it in inetd mode as suggested by Eric; write out the files,
write out a config file with "foreground = yes", then start stunnel as a
child process of your application; you may even kill it when your
connection is done.

G'luck,
Peter

>     On Tuesday, July 24, 2018, 4:20:32 AM GMT+5:30, Eric S Eberhard <flash at vicsmba.com> wrote:  
> 
> Use stunnel in inetd mode.  Execute a script (or better C program).  Copy the certificates for making the stunnel connection to a directory that is OK … then delete them immediately after stunnel starts.  Hack – but might be OK for what you are doing.
> 
> I am not sure why anyone would think it more secure to put the keys into the stunnel command than to just use them from a file … but I likely do not know enough about your application to make a judgement.
> 
> Eric
> 
> Eric S Eberhard
> VICS (Vertical Integrated Computer Systems)
> Voice: 928 567 3529
> Cell: 928 301 7537 (not reliable except for text or if not home)
> 2933 W Middle Verde Rd
> Camp Verde, AZ 86322
> 
> From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Hari
> Sent: Thursday, July 19, 2018 4:42 AM
> To: stunnel-users at stunnel.org
> Subject: [stunnel-users] Is there a way to specify certificate content in stunnel config
> 
> Hi,
> 
> I have a requirement wherein I cannot specify the certificate and/or private key details as "files" to stunnel configuration, owing to the location and/or file system availability for stunnel to access them.
> 
> Is there a way to specify the actual certificate content in stunnel configuration (similar to other parameters like port numbers etc.) so that the same can be leveraged?
> 
> Thanks
> 
> Hari
> 

> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users


-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
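A worked version of the approach Peter describes above (write the in-memory certificate and key to a private temporary directory, start a foreground stunnel child on a generated config, and remove everything when the connection is done). This is an added example, not code from the thread or from the stunnel project. It assumes a Unix host with the `stunnel` binary on PATH; the PEM strings are constructed placeholders, and the service name `[app]`, the ports and the host names are invented for illustration.

```python
"""Run stunnel in client mode on certificate and key strings held in memory.

Added example: the PEM strings exist on disk only inside a 0700 directory
for the lifetime of a foreground stunnel child, then are removed.
Assumes a Unix host and an `stunnel` binary on PATH (both assumptions).
"""
import os
import shutil
import subprocess
import tempfile

# Constructed placeholder PEM blobs standing in for the real strings the
# application holds; they are not valid credentials.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"


def write_private_file(path, content, mode=0o600):
    """Create `path` with O_EXCL so a pre-planted file or symlink is refused."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def build_client_config(cert_path, key_path, accept, connect,
                        ca_file=None, check_host=None):
    """Render a minimal stunnel client configuration for a single service.

    `foreground = yes` keeps stunnel attached to the parent, an empty `pid =`
    suppresses the pid file, and `syslog = no` logs to the inherited stderr.
    """
    lines = [
        "foreground = yes",
        "pid =",
        "syslog = no",
        "client = yes",
        "",
        "[app]",                 # service name is an assumption
        "accept = " + accept,
        "connect = " + connect,
        "cert = " + cert_path,
        "key = " + key_path,
    ]
    if ca_file:
        # Without these the client does not verify the server it talks to.
        lines.append("CAfile = " + ca_file)
        lines.append("verifyChain = yes")
        if check_host:
            lines.append("checkHost = " + check_host)
    return "\n".join(lines) + "\n"


def prepare_material(cert_pem, key_pem, accept="127.0.0.1:8443",
                     connect="tls.example.invalid:443",
                     ca_pem=None, check_host=None):
    """Write the strings into a fresh 0700 directory; caller must cleanup()."""
    workdir = tempfile.mkdtemp(prefix="stunnel-")   # mkdtemp creates it mode 0700
    paths = {"dir": workdir}
    paths["cert"] = write_private_file(os.path.join(workdir, "cert.pem"), cert_pem)
    paths["key"] = write_private_file(os.path.join(workdir, "key.pem"), key_pem)
    ca_file = None
    if ca_pem:
        ca_file = write_private_file(os.path.join(workdir, "ca.pem"), ca_pem)
        paths["ca"] = ca_file
    paths["conf"] = write_private_file(
        os.path.join(workdir, "stunnel.conf"),
        build_client_config(paths["cert"], paths["key"], accept, connect,
                            ca_file, check_host))
    return paths


def file_mode(path):
    """Permission bits of `path`, to check the 0700/0600 invariants."""
    return os.stat(path).st_mode & 0o777


def cleanup(material):
    """Remove the directory holding the key material; returns True when gone."""
    shutil.rmtree(material["dir"], ignore_errors=True)
    return not os.path.exists(material["dir"])


def start_stunnel(material, stunnel_bin="stunnel"):
    """Spawn stunnel as a child process reading the prepared config."""
    return subprocess.Popen([stunnel_bin, material["conf"]])


def stop_stunnel(proc, timeout=5.0):
    """Terminate the child once the application is done with its connection."""
    if proc.poll() is None:
        proc.terminate()
        try:
            proc.wait(timeout=timeout)
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.wait()
    return proc.returncode


if __name__ == "__main__":
    material = prepare_material(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)
    try:
        if shutil.which("stunnel"):
            child = start_stunnel(material)
            # ... the application would now connect to 127.0.0.1:8443 ...
            stop_stunnel(child)
        else:
            print("stunnel not on PATH; config written to", material["conf"])
    finally:
        cleanup(material)
```

The key is written with `O_EXCL` and mode 0600 inside a directory that `mkdtemp` already created as 0700, so another local user cannot pre-create or symlink the path before the write; the `finally` block removes the directory whether or not stunnel started. Since the client side here does not control the server, passing `ca_pem` and `check_host` so that `CAfile`, `verifyChain` and `checkHost` end up in the config is what makes the tunnel actually verify the peer rather than just encrypt to whoever answers.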