Re: How to set up TLS-PSK with Tomcat

2014-09-24 Thread Borislav Trifonov

I don't know yet--it's the next thing I'll need to figure out.

On 9/22/2014 5:55 AM, Christopher Schultz wrote:


Borislav,

On 9/20/14 11:57 PM, Borislav Trifonov wrote:

> Switched to a configuration where Tomcat is now front-ended by
> Nginx acting as a load balancer, so now the problem has moved to a
> different spot.

Just curious: how does Nginx do this? IIRC, Nginx can use either
OpenSSL or GnuTLS. What does the configuration look like? It seems
reasonable for httpd/APR to support PSK... perhaps it can be added if
it does not already exist.


> As for the PSK: the computational expense of key exchange (we have
> many frequent short lived connections) is a con that brings zero
> benefit to our setup, as the clients are fixed and already have the
> symmetric keys.

Makes sense.


> I could ask the inverse question: if one controls not just the
> server but also the clients, what's the point of public key
> crypto?

You never mentioned that you had control of the clients. Using PSKs
  of course means you have some measure of control over the clients,
but it is not always so.


> The only reason I'm relying on TLS is because the same server also
> needs to occasionally support regular connections using
> certificates.

Would it be an option to use something like stunnel (I'm not sure if
that allows PSKs, either) between the client and server? It's a lot of
extra processes, but it might get the job done.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






RE: How to set up TLS-PSK with Tomcat

2014-09-20 Thread Borislav Trifonov
Switched to a configuration where Tomcat is now front-ended by Nginx acting as 
a load balancer, so now the problem has moved to a different spot.

As for the PSK: the computational expense of key exchange (we have many 
frequent short lived connections) is a con that brings zero benefit to our 
setup, as the clients are fixed and already have the symmetric keys. I could 
ask the inverse question: if one controls not just the server but also the 
clients, what's the point of public key crypto? The only reason I'm relying on 
TLS is because the same server also needs to occasionally support regular 
connections using certificates.

Thanks.
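Borislav's point about the cost of key exchange, as an added example that is not part of the thread: in a TLS 1.2 PSK handshake (RFC 4279) the premaster secret is assembled directly from the pre-shared key, and the master secret follows from the TLS 1.2 PRF (RFC 5246) over the two handshake randoms, so neither side performs an RSA or DH operation; the key and randoms below are constructed for the demo, and the DHE_PSK/RSA_PSK layout is included as the general form of the same construction.

```python
# Added example (not from the thread): TLS 1.2 PSK key derivation, RFC 4279 + RFC 5246.
# Both peers hold the same PSK, so the master secret is pure HMAC work; no public-key
# operation is involved. The demo key and the handshake randoms are constructed values.
import hashlib
import hmac
import os
import struct


def psk_premaster(psk: bytes, other_secret: bytes = None) -> bytes:
    """RFC 4279 section 2. Plain PSK: uint16 N, N zero bytes, uint16 N, PSK.
    DHE_PSK / RSA_PSK put the DH or RSA-derived secret where the zeros are."""
    if not psk:
        raise ValueError("empty PSK not allowed")
    if other_secret is None:
        other_secret = b"\x00" * len(psk)  # plain PSK: N zeros, N = len(psk)
    return (struct.pack("!H", len(other_secret)) + other_secret
            + struct.pack("!H", len(psk)) + psk)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(premaster, "master secret", client_random + server_random)[:48]"""
    return tls12_prf(psk_premaster(psk), b"master secret",
                     client_random + server_random, 48)


if __name__ == "__main__":
    psk = bytes.fromhex("0102030405060708")   # constructed demo key (use >= 16 random bytes in practice)
    cr, sr = os.urandom(32), os.urandom(32)   # ClientHello.random / ServerHello.random
    print("premaster:", psk_premaster(psk).hex())
    # client and server reach the same master secret from the shared key alone
    assert master_secret(psk, cr, sr) == master_secret(psk, cr, sr)
    # a peer holding a different key diverges, so its Finished message fails verification
    assert master_secret(psk, cr, sr) != master_secret(b"\xff" * 8, cr, sr)
```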



RE: How to set up TLS-PSK with Tomcat

2014-09-19 Thread Borislav Trifonov
Are you saying Tomcat can use OpenSSL instead of Java for TLS? That would be 
great, as OpenSSL does support a number of TLS-PSK ciphers.


Borislav Trifonov, CTO
MSc

Macroh Canada, Inc.

#206-395 Railway St.
Vancouver, BC, V6A 1A4
Canada

T: +1 604 694 0002
C: +1 778 688 6139
F: +1 604 694 0001




From: Igor Cicimov [icici...@gmail.com]
Sent: Thursday, September 18, 2014 3:46 PM
To: Tomcat Users List
Subject: Re: How to set up TLS-PSK with Tomcat

On 19/09/2014 5:16 AM, Borislav Trifonov btrifo...@macroh.com wrote:

> We need to use pre-shared keys, not certificates. TLS supports PSK, but
> how does one set this up in Tomcat? All the guides for SSL/TLS in Tomcat
> I've found talk about setting up certificates.

Set sslProtocol=TLS and appropriate ciphers=... in the Connector.
Assuming your Java version has support for TLS-PSK, you can set those in the
ciphers list. But you don't even say whether it is Java or OpenSSL you are asking
about. Anyway, check the SSL part of the Tomcat Connector documentation for
more details.




How to set up TLS-PSK with Tomcat

2014-09-18 Thread Borislav Trifonov
We need to use pre-shared keys, not certificates. TLS supports PSK, but how 
does one set this up in Tomcat? All the guides for SSL/TLS in Tomcat I've found 
talk about setting up certificates.