On 3 Dec 2004, at 13:23, Jean-Pierre Schwickerath wrote:
Storing a passphrase in a file, especially for roadwarriors, is
tantamount to writing it on a sticky note. It defeats the whole point
of there being a knowledge aspect to the authentication. Locking a
door with two keys instead of one isn't much use if both keys are on
the same ring.
Every decent program storing certificates should allow the user to
decrypt his/her certificate with the password supplied by the CA and
then reencrypt it with a passphrase chosen by the user.
And openssl does this. However, due to a bug, which I tried to report,
this might result in a 0 byte sized file. The problem is that if a user
does not type the same password twice, the file is destroyed, probably
once you type in the old password, and it matches, then openssl deletes
the content of the file, and only writes it again if it matches.
Openvpn-users mailing list
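
An added example, not part of the original message or of openssl: a wrapper that keeps the failure described above (a 0-byte key file after a mistyped new passphrase) from destroying the only copy, by having the tool write to a temporary file and renaming it over the key only on success. The function name `safe_reencrypt` is hypothetical, and it assumes the tool takes `-in`/`-out` arguments the way `openssl rsa` does.

```shell
#!/bin/sh
# Added example: change a key's passphrase without ever letting the
# tool open the original file for writing.

# safe_reencrypt KEYFILE CMD [ARGS...]   (hypothetical helper)
# Runs:  CMD ARGS... -in KEYFILE -out TMPFILE
# KEYFILE is replaced only if CMD exits 0 and TMPFILE is non-empty.
safe_reencrypt() {
    key=$1; shift

    # Refuse to start from a missing or already-empty key file.
    [ -s "$key" ] || { echo "missing or empty: $key" >&2; return 2; }

    # Temp file next to the key: same filesystem, so the final mv is an
    # atomic rename. mktemp creates it with mode 0600.
    tmp=$(mktemp "${key}.XXXXXX") || return 2

    if "$@" -in "$key" -out "$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$key"
        return 0
    fi

    # Mismatched passphrase, wrong old passphrase, or empty output:
    # discard the partial result and keep the original key as it was.
    rm -f "$tmp"
    echo "re-encryption failed; $key left untouched" >&2
    return 1
}

# Typical use (openssl prompts for the old passphrase, then the new
# one twice):
#   safe_reencrypt client.key openssl rsa -aes256
```
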