Re: How to set up TLS-PSK with Tomcat
I don't know yet--it's the next thing I'll need to figure out.

On 9/22/2014 5:55 AM, Christopher Schultz wrote:
> Borislav,
>
> On 9/20/14 11:57 PM, Borislav Trifonov wrote:
>> Switched to a configuration where Tomcat is now front-ended by Nginx acting as a load balancer, so now the problem has moved to a different spot.
>
> Just curious: how does Nginx do this? IIRC, Nginx can use either OpenSSL or GnuTLS. What does the configuration look like?
>
> It seems reasonable for httpd/APR to support PSK... perhaps it can be added if it does not already exist.
>
> [...]
>
> -chris
Re: How to set up TLS-PSK with Tomcat
Borislav,

On 9/20/14 11:57 PM, Borislav Trifonov wrote:
> Switched to a configuration where Tomcat is now front-ended by Nginx acting as a load balancer, so now the problem has moved to a different spot.

Just curious: how does Nginx do this? IIRC, Nginx can use either OpenSSL or GnuTLS. What does the configuration look like?

It seems reasonable for httpd/APR to support PSK... perhaps it can be added if it does not already exist.

> As for the PSK: the computational expense of key exchange (we have many frequent short lived connections) is a con that brings zero benefit to our setup, as the clients are fixed and already have the symmetric keys.

Makes sense.

> I could ask the inverse question: if one controls not just the server but also the clients, what's the point of public key crypto?

You never mentioned that you had control of the clients. Using PSKs of course means you have some measure of control over the clients, but it is not always so.

> The only reason I'm relying on TLS is because the same server also needs to occasionally support regular connections using certificates.

Would it be an option to use something like stunnel (I'm not sure if that allows PSKs, either) between the client and server? It's a lot of extra processes, but it might get the job done.

-chris
Re: How to set up TLS-PSK with Tomcat
Christopher Schultz wrote:
> Borislav,
>
> On 9/20/14 11:57 PM, Borislav Trifonov wrote:
>> I could ask the inverse question: if one controls not just the server but also the clients, what's the point of public key crypto?
>
> You never mentioned that you had control of the clients. Using PSKs of course means you have some measure of control over the clients, but it is not always so.
>
>> The only reason I'm relying on TLS is because the same server also needs to occasionally support regular connections using certificates.
>
> Would it be an option to use something like stunnel (I'm not sure if that allows PSKs, either) between the client and server? It's a lot of extra processes, but it might get the job done.

And maybe a stupid question: since you are saying that you have control over both the clients and the server, are your clients/servers really external? And if they are, would it not make sense to have them connected first via a VPN, and then do the HTTP exchanges in clear, but over that (encrypted) VPN?
RE: How to set up TLS-PSK with Tomcat
Switched to a configuration where Tomcat is now front-ended by Nginx acting as a load balancer, so now the problem has moved to a different spot.

As for the PSK: the computational expense of key exchange (we have many frequent short lived connections) is a con that brings zero benefit to our setup, as the clients are fixed and already have the symmetric keys. I could ask the inverse question: if one controls not just the server but also the clients, what's the point of public key crypto? The only reason I'm relying on TLS is because the same server also needs to occasionally support regular connections using certificates.

Thanks.
Re: How to set up TLS-PSK with Tomcat
On 18/09/2014 20:15, Borislav Trifonov wrote:
> We need to use pre-shared keys, not certificates. TLS supports PSK, but how does one set this up in Tomcat? All the guides for SSL/TLS in Tomcat I've found talk about setting up certificates.

PSK ciphers are not supported by the JSSE provider provided by Oracle (or any of the other JVM vendors as far as I am aware). You'll have to find a JSSE provider that supports PSK ciphers. That provider should include documentation on how to configure it.

Note that while Oracle does list PSK ciphers in the Java standard names, that does not mean that they are implemented in the default JSSE implementation.

Mark
RE: How to set up TLS-PSK with Tomcat
Are you saying Tomcat can use OpenSSL instead of Java for TLS? That would be great, as OpenSSL does support a number of TLS-PSK ciphers.

Borislav Trifonov, MSc, CTO
Macroh Canada, Inc.

From: Igor Cicimov [icici...@gmail.com]
Sent: Thursday, September 18, 2014 3:46 PM
To: Tomcat Users List
Subject: Re: How to set up TLS-PSK with Tomcat

> On 19/09/2014 5:16 AM, Borislav Trifonov btrifo...@macroh.com wrote:
>> We need to use pre-shared keys, not certificates. TLS supports PSK, but how does one set this up in Tomcat? [...]
>
> Set sslProtocol=TLS and appropriate ciphers=... in the Connector. Assuming your java version has support for tls_psk you can set those in the ciphers list. But you don't even say whether it is java or openssl you are asking about. Anyway, check the ssl part of the Tomcat Connector documentation for more details.
Re: How to set up TLS-PSK with Tomcat
Borislav,

On 9/19/14 3:47 PM, Borislav Trifonov wrote:
> Are you saying Tomcat can use OpenSSL instead of Java for TLS?

Yes. You need to use the tcnative library (Tomcat Native on the Tomcat web site) along with libapr and libssl. Under a default configuration, Tomcat will auto-detect the presence of tcnative and libapr and use that for your HTTP(S) connectors. It's better to explicitly configure the connectors, though, to use APR.

http://tomcat.apache.org/tomcat-8.0-doc/apr.html

> That would be great, as OpenSSL does support a number of TLS-PSK ciphers.

When I originally saw your question, I did a bit of Googling. I see that Apache httpd (which also uses OpenSSL) does not support using TLS-PSK, so you may run into some problems.

I'm curious: why do you require PSK instead of public certificates?

-chris
Re: How to set up TLS-PSK with Tomcat
On 19/09/2014 5:16 AM, Borislav Trifonov btrifo...@macroh.com wrote:
> We need to use pre-shared keys, not certificates. TLS supports PSK, but how does one set this up in Tomcat? All the guides for SSL/TLS in Tomcat I've found talk about setting up certificates.

Set sslProtocol=TLS and appropriate ciphers=... in the Connector. Assuming your java version has support for tls_psk you can set those in the ciphers list. But you don't even say whether it is java or openssl you are asking about. Anyway, check the ssl part of the Tomcat Connector documentation for more details.
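Both Igor's "assuming your java version has support for tls_psk" and Mark's point that a suite name in the Java standard-names list does not mean the default JSSE provider implements it can be settled at runtime before touching the Connector's ciphers attribute. The following is an added check, not code from the thread, from Tomcat or from any JSSE vendor; it assumes only a stock JDK, and TLS_PSK_WITH_AES_128_CBC_SHA is one name from the standard-names list used purely as a probe.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class PskSupportCheck {

    // Cipher suites the active JSSE provider actually claims to support
    // whose names contain "_PSK_" (RFC 4279 style, e.g. TLS_PSK_WITH_...).
    static List<String> supportedPskSuites(SSLContext ctx) {
        List<String> psk = new ArrayList<>();
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (suite.contains("_PSK_")) {
                psk.add(suite);
            }
        }
        return psk;
    }

    // Try to enable a single suite on a fresh engine. JSSE rejects a suite it
    // does not implement with IllegalArgumentException, which is the same
    // failure Tomcat's JSSE connector would hit with that name in ciphers=...
    static boolean canEnable(SSLContext ctx, String suite) {
        SSLEngine engine = ctx.createSSLEngine();
        try {
            engine.setEnabledCipherSuites(new String[] { suite });
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers suffice here
        System.out.println("JSSE provider: " + ctx.getProvider().getName());

        List<String> psk = supportedPskSuites(ctx);
        if (psk.isEmpty()) {
            System.out.println("No PSK suites implemented by this provider;"
                    + " a JSSE-based Tomcat connector cannot do TLS-PSK here.");
        } else {
            System.out.println("PSK suites reported by the provider: " + psk);
        }

        // Probe name from the Java standard-names list (assumed, see lead-in).
        String probe = "TLS_PSK_WITH_AES_128_CBC_SHA";
        System.out.println(probe + " can be enabled: " + canEnable(ctx, probe));
    }
}
```

An empty list and a false probe result on the stock Oracle/OpenJDK provider is the expected outcome Mark describes; a third-party provider that does implement PSK would show up by name on the first line.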