runtime/Stunnel.py
changeset 2323 33a0dbabccd3
parent 2321 0a3103cd825d
child 2324 1cf3768ebf85
--- a/runtime/Stunnel.py	Tue Oct 23 16:13:34 2018 +0200
+++ b/runtime/Stunnel.py	Tue Oct 23 16:19:20 2018 +0200
@@ -1,10 +1,21 @@
 import os
-from binascii import hexlify
+#from binascii import hexlify
+from runtime.spawn_subprocess import call
 
 restart_stunnel_cmdline = ["/etc/init.d/S50stunnel","restart"]
 
+# stunnel takes no encoding for psk, so we try to lose minimum entropy 
+# by using all possible chars except '\0\n\r' (checked stunnel parser to be sure)
+translator = ''.join([(lambda c: '#' if c in '\0\n\r' else c)(chr(i)) for i in xrange(256)])
+
 def pskgen(ID, pskpath):
-    secretstring = hexlify(os.urandom(256))
+    secret = os.urandom(256) # 2048 bits is still safe nowadays
+
+    # following makes 512 length string, rejected by stunnel
+    # using binascii hexlify loses 50% entropy
+    # secretstring = hexlify(secret)
+
+    secretstring = secret.translate(translator)
     pskstring = ID+":"+secretstring
     with open(pskpath, 'w') as f:
         f.write(pskstring)
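Review bot: The PSK file is created with a plain `open(pskpath, 'w')`, so it inherits the process umask (typically 0644) and the 256-byte secret is readable by every local user; since this commit changes how the secret is generated, it is the right moment to also pin the file mode, e.g. `fd = os.open(pskpath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` / `with os.fdopen(fd, 'w') as f:` / `f.write(pskstring)` (recent stunnel versions appear to warn about insecure permissions on PSKsecrets files, which is worth confirming against the deployed version). The translate table collapses `\0`, `\n` and `\r` onto `#`, so three byte values are slightly over-represented; the entropy loss is negligible, but a comment such as `# '#' is hit ~4x as often as any other byte; still >2040 bits of entropy` would make that trade-off explicit next to the "2048 bits" remark. The commented-out `hexlify` import and the commented-out `secretstring = hexlify(secret)` line can be dropped; the why-comment above them already records the reason. It is also worth verifying that stunnel's line reader keeps trailing whitespace, since the last key byte may legitimately be a space or tab. pskgen may continue past the end of this hunk.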
@@ -14,5 +25,5 @@
     # check if already there
     if not os.path.exists(pskpath):
         # create if needed
-        pskgen(IS, pskpath)
+        pskgen(ID, pskpath)