Posted to users@httpd.apache.org by Garry Adkins <ga...@gmail.com> on 2021/06/01 06:57:57 UTC

Re: [users@httpd] PreShared Key (PSK) possible? Configuration?

Thanks for all the help everyone!  I discovered Antony Stone's idea after I
sent the original email, but before I saw his response.  I think he's
right, and stunnel is the way to go.  It simplifies a lot of things and
provides the network security that I'm looking for.

Here's what I'm going to test:
1) Set apache to ONLY listen to loopback (127.0.0.1)
2) Set STUNNEL up with PSK (there is even a specific example for this in
the documentation), using TLS 1.3  (There's my checkbox checked!)
3) Set STUNNEL to forward input from port *:443 to 127.0.0.1:80, refuse
connections if bad PSK


Thanks for all the suggestions.

-Garry

On Mon, May 31, 2021 at 3:28 AM Antony Stone <
Antony.Stone@apache.open.source.it> wrote:

> On Monday 31 May 2021 at 07:17:52, Garry Adkins wrote:
>
> > > If these things don't have access to the Internet, what security concerns
> > > are you trying to address by using encryption at all?
> >
> > > Maybe you could explain where the IoT devices are and where Apache is, in
> > > networking terms, so we can understand what communications you are trying
> > > to secure, and against what threats.
> >
> > The devices are very simple embedded controllers, and they're monitoring
> > environmental factors; the exact things they monitor depend on how they're
> > configured.
>
> > Apache is installed on a dedicated computer with a private wifi network
> > that houses the control scripts, update files, and database.  This machine
> > is also not internet connected.  The machine can be queried to create
> > reports on the data, and can reach out to a third machine (via wired lan)
> > to send alerts if something goes out of range. It currently runs a version
> > of Debian.
>
> > The security concerns are twofold, one technical, one political.
>
> > The technical issue is fairly straightforward. Using PSK, only devices that
> > have the PSK can talk to Apache, giving a degree of validation that only
> > verified devices can send data.  This is for data integrity purposes.
> > Others cannot connect. In a large (physical size) organization, they can be
> > configured to connect over the location's internal WiFi, so WiFi encryption
> > alone is not sufficient.
> >
> > The political issue is (imho) kind of pointless but very real.  Many
> > organizations have little checklists that will eliminate you from competing
> > for business.  Very often there will be a requirement like "All
> > communication is encrypted using a minimum of TLS 1.2 or higher". If you
> > can't pass that checkbox, you are disqualified.
> >
> > So the question is:
> > Can I configure Apache to use PSK (preferably the TLS 1.3 version of PSK) by
> > sharing a key between the server and the client?
>
> I can find no indication that Apache supports TLS / PSK.
>
> Provided your IoT devices can manage the client end, I would suggest you look
> into using https://www.stunnel.org/ on the Apache server, to provide TLS over
> the network, and plain HTTP internally on the server (localhost only) between
> stunnel and Apache.
>
>
> Antony.
>
> --
> Behind the counter a boy with a shaven head stared vacantly into space,
> a dozen spikes of microsoft protruding from the socket behind his ear.
>
>  - William Gibson, Neuromancer (1984)
>
> Please reply to the list; please *don't* CC me.

-- 
Garry Adkins
****************************************************
https://www.linkedin.com/in/garryadkins/
garryadkins@gmail.com
251-487-1803 (c)
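The three-step plan in Garry's message (Apache on loopback only, stunnel terminating PSK-authenticated TLS 1.3 on *:443, unauthenticated clients refused), written out as an added example; this is not configuration from the thread or from the stunnel project. It assumes a Debian stunnel4 install running as user `stunnel4`, a stunnel build against OpenSSL 1.1.1 or later (TLS 1.3 PSK), and illustrative names: the service `[psk-https]`, the secrets file `/etc/stunnel/psk.txt`, and the device identity `sensor-01`.

```ini
; ---- Server side: /etc/stunnel/stunnel.conf on the Apache host (assumed path)
; Step 1 lives in Apache's own config, not here:  Listen 127.0.0.1:80
; so port 80 is never reachable from the wifi network, only via stunnel.
setuid = stunnel4
setgid = stunnel4

[psk-https]
; Step 3: take TLS on every interface, hand plaintext HTTP to loopback only.
accept  = 0.0.0.0:443
connect = 127.0.0.1:80
; Step 2: require TLS 1.3; an older client is refused, never downgraded.
sslVersionMin = TLSv1.3
; Authentication is the PSK alone, so no cert/key is configured.
; A client whose identity is unknown or whose key does not match fails the
; handshake, which is the "refuse connections if bad PSK" behaviour.
PSKsecrets = /etc/stunnel/psk.txt

; ---- /etc/stunnel/psk.txt on the server (mode 0600, owner stunnel4)
; One "identity:key" line per device, a distinct key per device so a single
; compromised controller can be revoked by deleting its line. Constructed
; sample, not a real key:
;   sensor-01:4f2a9c1e7b3d58a0c6e1f9b2d7a3c5e8

; ---- Device side: stunnel.conf on each embedded controller (separate host)
; The controller talks plain HTTP to localhost:8080; stunnel wraps it in
; PSK TLS 1.3 towards the Apache host (192.0.2.10 is a documentation address).
[to-apache]
client = yes
accept  = 127.0.0.1:8080
connect = 192.0.2.10:443
sslVersionMin = TLSv1.3
PSKidentity = sensor-01
PSKsecrets  = /etc/stunnel/psk.txt
```

After starting both, `ss -ltn` on the Apache host should show port 80 bound only to 127.0.0.1 and port 443 bound by stunnel; if port 80 appears on 0.0.0.0, step 1 has not taken effect and the PSK gate can be bypassed over the wifi network.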