Thanks for all the help everyone! I discovered Antony Stone's idea after I sent the original email, but before I saw his response. I think he's right, and stunnel is the way to go. It simplifies a lot of things and provides the network security that I'm looking for.
Here's what I'm going to test:

1) Set apache to ONLY listen to loopback (127.0.0.1)
2) Set STUNNEL up with PSK (there is even a specific example for this in the documentation), using TLS 1.3 (There's my checkbox checked!)
3) Set STUNNEL to forward input from port *:443 to 127.0.0.1:80, refuse connections if bad PSK

Thanks for all the suggestions.

-Garry

On Mon, May 31, 2021 at 3:28 AM Antony Stone <antony.st...@apache.open.source.it> wrote:

> On Monday 31 May 2021 at 07:17:52, Garry Adkins wrote:
>
> > > If these things don't have access to the Internet, what security concerns are you trying to address by using encryption at all?
> > >
> > > Maybe you could explain where the IoT devices are and where Apache is, in networking terms, so we can understand what communications you are trying to secure, and against what threats.
> >
> > The devices are very simple embedded controllers, and they're monitoring environmental factors; the exact things they monitor depend on how they're configured.
> >
> > Apache is installed on a dedicated computer with a private wifi network that houses the control scripts, update files, and database. This machine is also not internet connected. The machine can be queried to create reports on the data, and can reach out to a third machine (via wired lan) to send alerts if something goes out of range. It currently runs a version of Debian.
> >
> > The security concerns are twofold, one technical, one political.
> >
> > The technical issue is fairly straightforward. Using PSK, only devices that have the PSK can talk to Apache, giving a degree of validation that only verified devices can send data. This is for data integrity purposes. Others cannot connect. In a large (physical size) organization, they can be configured to connect over the location's internal WiFi, so WiFi encryption alone is not sufficient.
> >
> > The political issue is (imho) kind of pointless but very real. Many organizations have little checklists that will eliminate you from competing for business. Very often there will be a requirement like "All communication is encrypted using a minimum of TLS 1.2 or higher". If you can't pass that checkbox, you are disqualified.
> >
> > So the question is:
> > Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by sharing a key between the server and the client?
>
> I can find no indication that Apache supports TLS / PSK.
>
> Provided your IoT devices can manage the client end, I would suggest you look into using https://www.stunnel.org/ on the Apache server, to provide TLS over the network, and plain HTTP internally on the server (localhost only) between stunnel and Apache.
>
>
> Antony.
>
> --
> Behind the counter a boy with a shaven head stared vacantly into space,
> a dozen spikes of microsoft protruding from the socket behind his ear.
>
> - William Gibson, Neuromancer (1984)
>
> Please reply to the list; please *don't* CC me.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>

--
Garry Adkins
****************************************************
https://www.linkedin.com/in/garryadkins/
garryadk...@gmail.com
251-487-1803 (c)
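Garry's three-step plan, written out as stunnel configuration for the Apache host and for one device. This is an added illustration, not configuration from anyone in the thread; the file paths, the Debian stunnel4 user and log locations, the device identities, the key values and the 192.168.50.10 address are all assumptions.

```ini
; ---- Server: /etc/stunnel/stunnel.conf on the Apache host (assumed path) ----
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
; default log level; handshake failures (wrong or unknown PSK) are logged here
debug = 5
output = /var/log/stunnel4/stunnel.log

[https-psk]
; step 3: accept TLS on every interface, hand plaintext HTTP to Apache on loopback
accept = 443
connect = 127.0.0.1:80
; step 2: PSK only, no certificate; TLS 1.3 is the floor, so the
; "TLS 1.2 or higher" checklist item is satisfied and a bad PSK fails the handshake
sslVersionMin = TLSv1.3
PSKsecrets = /etc/stunnel/psk.txt

; ---- Server: /etc/stunnel/psk.txt (assumed path; chmod 0600, owned by stunnel4) ----
; one "identity:key" per line; one identity per device, so a single leaked key can be
; revoked by deleting its line. Hex keys are converted to binary by stunnel and must be
; at least 16 bytes (32 hex characters). The values below are constructed placeholders;
; generate real ones with: openssl rand -hex 32
sensor-01:3f9a1c0e7b2d5a4896f1e0c3b7d2a8e5410c6f9b2d7e3a1c5f8b0d4e6a2c9f17
sensor-02:a7c4e19d03b6f2857e1c9a4d6b0f3e2c8d5a7b1e9f4c6d0a3b8e2f5c1d7a9e44

; ---- Client: /etc/stunnel/stunnel.conf on each embedded device (assumed path) ----
client = yes

[apache]
; local plaintext endpoint the device's HTTP code posts to
accept = 127.0.0.1:8080
; the Apache host on the private WiFi (constructed address)
connect = 192.168.50.10:443
sslVersionMin = TLSv1.3
; this device's identity; its psk.txt holds only its own identity:key line
PSKidentity = sensor-01
PSKsecrets = /etc/stunnel/psk.txt
```

For step 1, change `Listen 80` in /etc/apache2/ports.conf to `Listen 127.0.0.1:80` and remove any `Listen 443` so httpd never binds a wifi-facing address. Confirm with `ss -ltnp` that only stunnel holds :443 and that apache2 appears only on 127.0.0.1:80.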